Analysis
-
max time kernel
150s -
max time network
144s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
14-11-2024 14:29
Static task
static1
Behavioral task
behavioral1
Sample
2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe
Resource
win10v2004-20241007-en
General
-
Target
2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe
-
Size
662KB
-
MD5
bc9d09d4d72e0773a49d2d853f366047
-
SHA1
cc141b172d18ac7f671bb6046924a38673aa499e
-
SHA256
0280fd3dee9b09cba29de1539dc6d16be55c15b49e7c3f672508f4b4ed8ff6e5
-
SHA512
ea22c987ee458b418848766780648b5f7f1444f56a44e1d0dd1a776c2de3b9f22b239b84b91341805c54efff33b349328706d316c6f669e9516046ed8fc0f8f6
-
SSDEEP
12288:TlUQ9xuv6Z64BvAT4iNvxvahUY3uyOzWd7qVSS/gNLEK4g74DFBE3yEe:59xuvy64BITPbaZuyZdGgNwU7uW3/e
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 58 IoCs
Processes:
reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exedescription ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) 
\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) 
\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) 
\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) 
\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) 
\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe -
Turns off User Account Control by setting EnableLUA to 0
Processes:
reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exedescription ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe -
Renames multiple (82) files with added filename extension
This suggests ransomware activity that encrypts all the files on the system.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely for geofencing.
Processes:
TyAggkgg.exe
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | TyAggkgg.exe
-
Executes dropped EXE 2 IoCs
Processes:
TyAggkgg.exe
ROEMUsck.exe
pid | Process
3048 | TyAggkgg.exe
3524 | ROEMUsck.exe
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 6 IoCs
Processes:
2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe
TyAggkgg.exe
ROEMUsck.exe
2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ROEMUsck.exe = "C:\\ProgramData\\jokkEcko\\ROEMUsck.exe" | 2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TyAggkgg.exe = "C:\\Users\\Admin\\WYUgMAkg\\TyAggkgg.exe" | TyAggkgg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ROEMUsck.exe = "C:\\ProgramData\\jokkEcko\\ROEMUsck.exe" | ROEMUsck.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lIowYkQg.exe = "C:\\Users\\Admin\\mqMgcAEg\\lIowYkQg.exe" | 2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\YicMUgIM.exe = "C:\\ProgramData\\ViUYUEwU\\YicMUgIM.exe" | 2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TyAggkgg.exe = "C:\\Users\\Admin\\WYUgMAkg\\TyAggkgg.exe" | 2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe
-
Drops file in System32 directory 2 IoCs
Processes:
TyAggkgg.exe
description | ioc | Process
File created | C:\Windows\SysWOW64\shell32.dll.exe | TyAggkgg.exe
File opened for modification | C:\Windows\SysWOW64\shell32.dll.exe | TyAggkgg.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
Processes:
WerFault.exe
WerFault.exe
pid | pid_target | Process | procid_target
1048 | 4084 | WerFault.exe | 504
1092 | 1632 | WerFault.exe | 505
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
cmd.exe2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exereg.exe2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exereg.exereg.exereg.execscript.exereg.exe2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exereg.exereg.execscript.exereg.exereg.exereg.exe2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exereg.exereg.execscript.execmd.execmd.execmd.exe2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exereg.exereg.exereg.exereg.exe2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.execmd.exereg.exereg.execscript.exe2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.execscript.execmd.exereg.exe2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exereg.execmd.execscript.execmd.execmd.exereg.execmd.exereg.execmd.exereg.execmd.execscript.exereg.execmd.execmd.exereg.exe2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exereg.execmd.execmd.exereg.execmd.execmd.execscript.exereg.exereg.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe -
Modifies registry key 1 TTPs 64 IoCs
Processes:
reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exepid Process 3040 reg.exe 2916 reg.exe 2040 reg.exe 1524 reg.exe 3636 reg.exe 2320 reg.exe 1284 reg.exe 2984 reg.exe 1932 reg.exe 4940 reg.exe 4812 reg.exe 2472 reg.exe 3908 reg.exe 2488 reg.exe 1312 reg.exe 3508 reg.exe 2052 reg.exe 8 reg.exe 3648 reg.exe 4692 reg.exe 2188 reg.exe 2460 reg.exe 4128 reg.exe 888 reg.exe 4264 reg.exe 2812 reg.exe 1664 reg.exe 1184 reg.exe 4940 reg.exe 4952 reg.exe 4208 reg.exe 1696 reg.exe 5112 reg.exe 1900 reg.exe 2064 reg.exe 2004 reg.exe 3308 reg.exe 4520 reg.exe 4176 reg.exe 1492 reg.exe 4552 reg.exe 4464 reg.exe 4740 reg.exe 852 reg.exe 3296 reg.exe 3396 reg.exe 1288 reg.exe 4836 reg.exe 1708 reg.exe 3688 reg.exe 4804 reg.exe 4036 reg.exe 4756 reg.exe 4304 reg.exe 4548 reg.exe 1720 reg.exe 3896 reg.exe 2104 reg.exe 1544 reg.exe 2380 reg.exe 4212 reg.exe 2632 reg.exe 4648 reg.exe 3676 reg.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exepid Process 2740 2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe 2740 2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe 2740 2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe 2740 2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe 4740 2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe 4740 2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe 4740 2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe 4740 2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe 932 2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe 932 2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe 932 2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe 932 2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe 4184 2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe 4184 2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe 4184 2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe 4184 2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe 1228 2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe 1228 2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe 1228 
2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe 1228 2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe 2632 2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe 2632 2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe 2632 2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe 2632 2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe 1664 2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe 1664 2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe 1664 2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe 1664 2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe 2144 2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe 2144 2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe 2144 2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe 2144 2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe 4184 2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe 4184 2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe 4184 2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe 4184 2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe 4472 2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe 4472 2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe 4472 2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe 4472 2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe 4616 2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe 4616 2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe 4616 2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe 4616 2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe 2924 2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe 2924 2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe 2924 2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe 2924 2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe 2864 2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe 2864 2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe 2864 
2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe 2864 2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe 2732 2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe 2732 2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe 2732 2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe 2732 2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe 4176 2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe 4176 2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe 4176 2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe 4176 2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe 4468 2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe 4468 2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe 4468 2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe 4468 2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
TyAggkgg.exe
pid Process
3048 TyAggkgg.exe
-
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
TyAggkgg.exepid Process 3048 TyAggkgg.exe 3048 TyAggkgg.exe 3048 TyAggkgg.exe 3048 TyAggkgg.exe 3048 TyAggkgg.exe 3048 TyAggkgg.exe 3048 TyAggkgg.exe 3048 TyAggkgg.exe 3048 TyAggkgg.exe 3048 TyAggkgg.exe 3048 TyAggkgg.exe 3048 TyAggkgg.exe 3048 TyAggkgg.exe 3048 TyAggkgg.exe 3048 TyAggkgg.exe 3048 TyAggkgg.exe 3048 TyAggkgg.exe 3048 TyAggkgg.exe 3048 TyAggkgg.exe 3048 TyAggkgg.exe 3048 TyAggkgg.exe 3048 TyAggkgg.exe 3048 TyAggkgg.exe 3048 TyAggkgg.exe 3048 TyAggkgg.exe 3048 TyAggkgg.exe 3048 TyAggkgg.exe 3048 TyAggkgg.exe 3048 TyAggkgg.exe 3048 TyAggkgg.exe 3048 TyAggkgg.exe 3048 TyAggkgg.exe 3048 TyAggkgg.exe 3048 TyAggkgg.exe 3048 TyAggkgg.exe 3048 TyAggkgg.exe 3048 TyAggkgg.exe 3048 TyAggkgg.exe 3048 TyAggkgg.exe 3048 TyAggkgg.exe 3048 TyAggkgg.exe 3048 TyAggkgg.exe 3048 TyAggkgg.exe 3048 TyAggkgg.exe 3048 TyAggkgg.exe 3048 TyAggkgg.exe 3048 TyAggkgg.exe 3048 TyAggkgg.exe 3048 TyAggkgg.exe 3048 TyAggkgg.exe 3048 TyAggkgg.exe 3048 TyAggkgg.exe 3048 TyAggkgg.exe 3048 TyAggkgg.exe 3048 TyAggkgg.exe 3048 TyAggkgg.exe 3048 TyAggkgg.exe 3048 TyAggkgg.exe 3048 TyAggkgg.exe 3048 TyAggkgg.exe 3048 TyAggkgg.exe 3048 TyAggkgg.exe 3048 TyAggkgg.exe 3048 TyAggkgg.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.execmd.execmd.exe2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.execmd.execmd.exe2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.execmd.exedescription pid Process procid_target PID 2740 wrote to memory of 3048 2740 2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe 85 PID 2740 wrote to memory of 3048 2740 2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe 85 PID 2740 wrote to memory of 3048 2740 2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe 85 PID 2740 wrote to memory of 3524 2740 2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe 86 PID 2740 wrote to memory of 3524 2740 2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe 86 PID 2740 wrote to memory of 3524 2740 2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe 86 PID 2740 wrote to memory of 4844 2740 2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe 87 PID 2740 wrote to memory of 4844 2740 2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe 87 PID 2740 wrote to memory of 4844 2740 2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe 87 PID 2740 wrote to memory of 4264 2740 2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe 89 PID 2740 wrote to memory of 4264 2740 2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe 89 PID 2740 wrote to memory of 4264 2740 2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe 89 PID 2740 wrote to memory of 3604 2740 2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe 90 PID 2740 wrote to memory of 3604 2740 2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe 90 PID 2740 wrote to memory of 3604 2740 2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe 90 PID 2740 wrote to memory of 452 2740 2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe 91 PID 2740 wrote to memory of 452 2740 2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe 91 PID 2740 wrote to memory of 452 2740 2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe 91 PID 2740 wrote to 
memory of 2332 2740 2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe 92 PID 2740 wrote to memory of 2332 2740 2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe 92 PID 2740 wrote to memory of 2332 2740 2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe 92 PID 4844 wrote to memory of 4740 4844 cmd.exe 97 PID 4844 wrote to memory of 4740 4844 cmd.exe 97 PID 4844 wrote to memory of 4740 4844 cmd.exe 97 PID 2332 wrote to memory of 1472 2332 cmd.exe 98 PID 2332 wrote to memory of 1472 2332 cmd.exe 98 PID 2332 wrote to memory of 1472 2332 cmd.exe 98 PID 4740 wrote to memory of 3520 4740 2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe 100 PID 4740 wrote to memory of 3520 4740 2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe 100 PID 4740 wrote to memory of 3520 4740 2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe 100 PID 4740 wrote to memory of 4868 4740 2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe 102 PID 4740 wrote to memory of 4868 4740 2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe 102 PID 4740 wrote to memory of 4868 4740 2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe 102 PID 4740 wrote to memory of 3636 4740 2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe 103 PID 4740 wrote to memory of 3636 4740 2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe 103 PID 4740 wrote to memory of 3636 4740 2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe 103 PID 4740 wrote to memory of 3308 4740 2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe 104 PID 4740 wrote to memory of 3308 4740 2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe 104 PID 4740 wrote to memory of 3308 4740 2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe 104 PID 4740 wrote to memory of 4940 4740 2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe 105 PID 4740 wrote to memory of 4940 4740 2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe 105 PID 4740 wrote to memory of 4940 4740 
2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe 105 PID 3520 wrote to memory of 932 3520 cmd.exe 110 PID 3520 wrote to memory of 932 3520 cmd.exe 110 PID 3520 wrote to memory of 932 3520 cmd.exe 110 PID 4940 wrote to memory of 5044 4940 cmd.exe 171 PID 4940 wrote to memory of 5044 4940 cmd.exe 171 PID 4940 wrote to memory of 5044 4940 cmd.exe 171 PID 932 wrote to memory of 4720 932 2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe 112 PID 932 wrote to memory of 4720 932 2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe 112 PID 932 wrote to memory of 4720 932 2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe 112 PID 4720 wrote to memory of 4184 4720 cmd.exe 183 PID 4720 wrote to memory of 4184 4720 cmd.exe 183 PID 4720 wrote to memory of 4184 4720 cmd.exe 183 PID 932 wrote to memory of 4432 932 2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe 174 PID 932 wrote to memory of 4432 932 2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe 174 PID 932 wrote to memory of 4432 932 2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe 174 PID 932 wrote to memory of 4044 932 2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe 116 PID 932 wrote to memory of 4044 932 2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe 116 PID 932 wrote to memory of 4044 932 2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe 116 PID 932 wrote to memory of 4700 932 2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe 117 PID 932 wrote to memory of 4700 932 2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe 117 PID 932 wrote to memory of 4700 932 2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe 117 PID 932 wrote to memory of 5080 932 2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe 118
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe"C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe"1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2740 -
C:\Users\Admin\WYUgMAkg\TyAggkgg.exe"C:\Users\Admin\WYUgMAkg\TyAggkgg.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:3048
-
-
C:\ProgramData\jokkEcko\ROEMUsck.exe"C:\ProgramData\jokkEcko\ROEMUsck.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3524
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"2⤵
- Suspicious use of WriteProcessMemory
PID:4844 -
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4740 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"4⤵
- Suspicious use of WriteProcessMemory
PID:3520 -
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:932 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"6⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4720 -
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock7⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4184 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"8⤵PID:2216
-
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock9⤵
- Suspicious behavior: EnumeratesProcesses
PID:1228 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"10⤵PID:640
-
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock11⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2632 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"12⤵PID:4696
-
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock13⤵
- Suspicious behavior: EnumeratesProcesses
PID:1664 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"14⤵PID:1720
-
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock15⤵
- Suspicious behavior: EnumeratesProcesses
PID:2144 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"16⤵PID:2684
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV117⤵PID:4432
-
-
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock17⤵
- Suspicious behavior: EnumeratesProcesses
PID:4184 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"18⤵PID:3892
-
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock19⤵
- Suspicious behavior: EnumeratesProcesses
PID:4472 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"20⤵
- System Location Discovery: System Language Discovery
PID:3896 -
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock21⤵
- Suspicious behavior: EnumeratesProcesses
PID:4616 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"22⤵PID:756
-
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock23⤵
- Suspicious behavior: EnumeratesProcesses
PID:2924 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"24⤵PID:4132
-
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock25⤵
- Suspicious behavior: EnumeratesProcesses
PID:2864 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"26⤵PID:4208
-
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock27⤵
- Suspicious behavior: EnumeratesProcesses
PID:2732 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"28⤵PID:2872
-
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock29⤵
- Suspicious behavior: EnumeratesProcesses
PID:4176 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"30⤵
- System Location Discovery: System Language Discovery
PID:4976 -
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock31⤵
- Suspicious behavior: EnumeratesProcesses
PID:4468 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"32⤵PID:1772
-
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock33⤵PID:4756
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"34⤵PID:4504
-
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock35⤵PID:2840
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"36⤵PID:5000
-
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock37⤵PID:428
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"38⤵PID:1228
-
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock39⤵PID:3624
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"40⤵PID:4740
-
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock41⤵PID:608
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"42⤵PID:3100
-
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock43⤵PID:3060
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"44⤵PID:2412
-
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock45⤵PID:3632
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"46⤵PID:2520
-
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock47⤵
- System Location Discovery: System Language Discovery
PID:4576 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"48⤵PID:1364
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV149⤵PID:8
-
-
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock49⤵PID:4952
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"50⤵
- System Location Discovery: System Language Discovery
PID:4112 -
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock51⤵PID:5028
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"52⤵PID:4764
-
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock53⤵PID:1392
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"54⤵PID:3128
-
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock55⤵PID:3632
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"56⤵PID:1664
-
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock57⤵PID:4428
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"58⤵PID:2932
-
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock59⤵
- System Location Discovery: System Language Discovery
PID:2984 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"60⤵PID:872
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV161⤵PID:3956
-
-
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock61⤵PID:4516
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"62⤵PID:4264
-
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock63⤵PID:3036
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"64⤵PID:4152
-
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock65⤵PID:2380
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"66⤵
- System Location Discovery: System Language Discovery
PID:4832 -
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock67⤵PID:1364
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"68⤵PID:1432
-
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock69⤵
- Adds Run key to start application
PID:2308 -
C:\Users\Admin\mqMgcAEg\lIowYkQg.exe"C:\Users\Admin\mqMgcAEg\lIowYkQg.exe"70⤵PID:4084
-
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4084 -s 224
71⤵
- Program crash
PID:1048
-
-
-
C:\ProgramData\ViUYUEwU\YicMUgIM.exe"C:\ProgramData\ViUYUEwU\YicMUgIM.exe"70⤵PID:1632
-
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1632 -s 224
71⤵
- Program crash
PID:1092
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"70⤵PID:4516
-
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock71⤵PID:4392
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"72⤵PID:912
-
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock73⤵PID:3580
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"74⤵PID:3264
-
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock75⤵PID:1664
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"76⤵PID:4696
-
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock77⤵
- System Location Discovery: System Language Discovery
PID:1164 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"78⤵PID:2908
-
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock79⤵PID:4264
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"80⤵PID:1228
-
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock81⤵
- System Location Discovery: System Language Discovery
PID:3380 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"82⤵PID:1108
-
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock83⤵PID:912
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"84⤵PID:3376
-
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock85⤵PID:4836
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"86⤵PID:3984
-
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock87⤵PID:3664
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"88⤵PID:1288
-
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock89⤵PID:1404
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"90⤵PID:4748
-
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock91⤵PID:3580
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"92⤵PID:444
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV193⤵PID:4112
-
-
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock93⤵
- System Location Discovery: System Language Discovery
PID:3520 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"94⤵PID:2272
-
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock95⤵
- System Location Discovery: System Language Discovery
PID:3096 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"96⤵PID:2864
-
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock97⤵PID:1284
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"98⤵PID:3400
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV199⤵PID:1108
-
-
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock99⤵PID:4872
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"100⤵PID:3300
-
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock101⤵PID:4120
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"102⤵PID:3832
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1103⤵PID:1840
-
-
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock103⤵
- System Location Discovery: System Language Discovery
PID:3632 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"104⤵PID:4664
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1105⤵PID:1860
-
-
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock105⤵PID:1764
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"106⤵PID:5064
-
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock107⤵PID:4764
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"108⤵
- System Location Discovery: System Language Discovery
PID:2880 -
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock109⤵PID:716
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"110⤵PID:4464
-
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock111⤵PID:1560
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"112⤵PID:1916
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1113⤵PID:3036
-
-
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock113⤵PID:4432
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"114⤵PID:4060
-
C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock115⤵PID:888
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock"116⤵
- System Location Discovery: System Language Discovery
PID:3508
-
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
116⤵
- Modifies visibility of file extensions in Explorer
PID:1576 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1117⤵PID:1432
-
-
-
C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 116⤵ PID:3892
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1117⤵PID:5064
-
-
-
C:\Windows\SysWOW64\reg.exe reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f 116⤵
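- UAC bypass (the reg.exe command above sets EnableLUA to 0 under HKLM, which switches UAC off for the machine rather than evading a single prompt)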
PID:4660 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1117⤵PID:3664
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cIEggsks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""116⤵PID:1312
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs117⤵PID:4500
-
-
-
-
-
C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 114⤵
- Modifies visibility of file extensions in Explorer
PID:912 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1115⤵PID:4720
-
-
-
C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 114⤵
- System Location Discovery: System Language Discovery
PID:5076
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f114⤵
- UAC bypass
- System Location Discovery: System Language Discovery
PID:2320 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1115⤵PID:4428
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GKwQQgIE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""114⤵PID:2728
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1115⤵PID:5112
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs115⤵PID:1060
-
-
-
-
-
C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 112⤵
- Modifies visibility of file extensions in Explorer
PID:4016
-
-
C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 112⤵ PID:3716
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f112⤵
- UAC bypass
- Modifies registry key
PID:2488 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1113⤵PID:1164
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SccYcwEE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""112⤵PID:4248
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs113⤵PID:2936
-
-
-
-
-
C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 110⤵
- Modifies visibility of file extensions in Explorer
PID:2432
-
-
C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 110⤵
- Modifies registry key
PID:1720
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f110⤵
- UAC bypass
- Modifies registry key
PID:1492 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1111⤵PID:4836
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YGsIIAsM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""110⤵PID:3580
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1111⤵PID:1764
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs111⤵PID:4244
-
-
-
-
-
C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 108⤵
- Modifies visibility of file extensions in Explorer
PID:3504
-
-
C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 108⤵
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:4176
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f108⤵
- UAC bypass
- Modifies registry key
PID:3908
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xqIIkAEQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""108⤵PID:3612
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1109⤵PID:640
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs109⤵PID:4720
-
-
-
-
-
C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 106⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:8
-
-
C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 106⤵
- Modifies registry key
PID:1708
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f106⤵
- UAC bypass
PID:1828
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DWMoAkoU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""106⤵PID:2400
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs107⤵PID:3844
-
-
-
-
-
C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 104⤵
- Modifies visibility of file extensions in Explorer
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:4548
-
-
C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 104⤵ PID:4624
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f104⤵
- UAC bypass
PID:1772
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VAgMIoQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""104⤵PID:4264
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs105⤵
- System Location Discovery: System Language Discovery
PID:2652
-
-
-
-
-
C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 102⤵
- Modifies visibility of file extensions in Explorer
PID:452
-
-
C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 102⤵ PID:2472
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1103⤵PID:1800
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f102⤵
- UAC bypass
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:2004
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PYQwAYUs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""102⤵
- System Location Discovery: System Language Discovery
PID:4580 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1103⤵PID:2152
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs103⤵PID:1280
-
-
-
-
-
C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 100⤵
- Modifies visibility of file extensions in Explorer
PID:2880
-
-
C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 100⤵
- Modifies registry key
PID:2052 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1101⤵PID:540
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f100⤵
- UAC bypass
PID:2756
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wUkUUQYo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""100⤵PID:3936
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1101⤵PID:3368
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs101⤵PID:4176
-
-
-
-
-
C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 98⤵
- Modifies visibility of file extensions in Explorer
PID:4876
-
-
C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 98⤵ PID:4084
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f98⤵
- UAC bypass
- Modifies registry key
PID:2632
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MmQcEwsY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""98⤵
- System Location Discovery: System Language Discovery
PID:768 -
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs99⤵PID:1052
-
-
-
-
-
C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 96⤵
- Modifies visibility of file extensions in Explorer
PID:5032
-
-
C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 96⤵
- Modifies registry key
PID:2064
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f96⤵
- UAC bypass
- System Location Discovery: System Language Discovery
PID:2804
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UYQgEAAY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""96⤵PID:3872
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs97⤵PID:3464
-
-
-
-
-
C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 94⤵
- Modifies visibility of file extensions in Explorer
PID:2216 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV195⤵PID:2380
-
-
-
C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 94⤵
- Modifies registry key
PID:1184
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f94⤵
- UAC bypass
PID:396
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IWgIggcU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""94⤵PID:1576
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs95⤵PID:2488
-
-
-
-
-
C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 92⤵
- Modifies visibility of file extensions in Explorer
PID:3940
-
-
C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 92⤵
- Modifies registry key
PID:1524
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f92⤵
- UAC bypass
PID:3668
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jCMgEkIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""92⤵
- System Location Discovery: System Language Discovery
PID:448 -
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs93⤵PID:1916
-
-
-
-
-
C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 90⤵
- Modifies visibility of file extensions in Explorer
PID:3400
-
-
C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 90⤵ PID:756
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f90⤵
- UAC bypass
- System Location Discovery: System Language Discovery
PID:888
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bAsggYgs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""90⤵PID:2052
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs91⤵PID:2532
-
-
-
-
-
C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 88⤵
- Modifies visibility of file extensions in Explorer
PID:2340
-
-
C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 88⤵
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:3396
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f88⤵
- UAC bypass
PID:2936 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV189⤵PID:2908
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vwEIEQQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""88⤵
- System Location Discovery: System Language Discovery
PID:4536 -
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs89⤵PID:3200
-
-
-
-
-
C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 86⤵
- Modifies visibility of file extensions in Explorer
PID:1544
-
-
C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 86⤵ PID:1712
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f86⤵
- UAC bypass
PID:396
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BGcgAMsI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""86⤵PID:4864
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs87⤵
- System Location Discovery: System Language Discovery
PID:3908
-
-
-
-
-
C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 84⤵
- Modifies visibility of file extensions in Explorer
PID:3932
-
-
C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 84⤵ PID:1496
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV185⤵PID:1392
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f84⤵
- UAC bypass
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:3296
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UMcwYIck.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""84⤵
- System Location Discovery: System Language Discovery
PID:5112 -
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs85⤵PID:1924
-
-
-
-
-
C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 82⤵
- Modifies visibility of file extensions in Explorer
PID:3160
-
-
C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 82⤵
- Modifies registry key
PID:4692 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV183⤵PID:1364
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f82⤵
- UAC bypass
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:852
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UIoIgUcE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""82⤵PID:4472
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs83⤵PID:4428
-
-
-
-
-
C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 80⤵
- Modifies visibility of file extensions in Explorer
PID:4536
-
-
C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 80⤵
- System Location Discovery: System Language Discovery
PID:3892
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f80⤵
- UAC bypass
PID:1900
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iiAMgsEg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""80⤵PID:2260
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs81⤵PID:4500
-
-
-
-
-
C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 78⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2472
-
-
C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 78⤵ PID:1360
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f78⤵
- UAC bypass
PID:4128
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\koMogkUg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""78⤵PID:640
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs79⤵PID:3396
-
-
-
-
-
C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 76⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4304
-
-
C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 76⤵ PID:3020
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV177⤵PID:4812
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f76⤵
- UAC bypass
PID:3852
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DUAYMsMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""76⤵PID:1280
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV177⤵PID:4756
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs77⤵PID:2308
-
-
-
-
-
C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 74⤵
- Modifies visibility of file extensions in Explorer
PID:1560
-
-
C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 74⤵
- Modifies registry key
PID:888 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV175⤵PID:2916
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f74⤵
- UAC bypass
PID:1904
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nQoEAYsk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""74⤵
- System Location Discovery: System Language Discovery
PID:608 -
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs75⤵PID:3624
-
-
-
-
-
C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 72⤵
- Modifies visibility of file extensions in Explorer
PID:4076 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV173⤵PID:3128
-
-
-
C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 72⤵ PID:4052
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f72⤵
- UAC bypass
PID:1800
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jeQMcYAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""72⤵PID:4552
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs73⤵PID:2324
-
-
-
-
-
C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 70⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4128
-
-
C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 70⤵ PID:3752
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f70⤵
- UAC bypass
PID:4432
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uuoIYMAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""70⤵PID:4036
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs71⤵PID:4364
-
-
-
-
-
C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 68⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1544 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV169⤵PID:4612
-
-
-
C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 68⤵
- Modifies registry key
PID:4812
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f68⤵
- UAC bypass
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:4756
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eMAMcYsE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""68⤵PID:4444
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs69⤵PID:5076
-
-
-
-
-
C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 66⤵
- Modifies visibility of file extensions in Explorer
- System Location Discovery: System Language Discovery
PID:2272
-
-
C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 66⤵ PID:3160
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV167⤵PID:4952
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f66⤵
- UAC bypass
- Modifies registry key
PID:1664 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV167⤵PID:4740
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wMUsswYU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""66⤵PID:3672
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs67⤵PID:3100
-
-
-
-
-
C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 64⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2040
-
-
C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 64⤵
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:1900
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f64⤵
- UAC bypass
- Modifies registry key
PID:2460
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kMkwQkog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""64⤵PID:3892
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs65⤵
- System Location Discovery: System Language Discovery
PID:2228
-
-
-
-
-
C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 62⤵
- Modifies visibility of file extensions in Explorer
PID:3752
-
-
C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 62⤵
- Modifies registry key
PID:4036 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV163⤵PID:3612
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f62⤵
- UAC bypass
- Modifies registry key
PID:4212
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XCEsIsEw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""62⤵PID:2152
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs63⤵PID:1840
-
-
-
-
-
C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 60⤵
- Modifies visibility of file extensions in Explorer
PID:3852
-
-
C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 60⤵ PID:4612
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV161⤵PID:4616
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f60⤵
- UAC bypass
PID:4668
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JqQQIgck.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""60⤵PID:3776
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV161⤵PID:4836
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs61⤵PID:4704
-
-
-
-
-
C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 58⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4952
-
-
C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 58⤵ PID:608
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f58⤵
- UAC bypass
- Modifies registry key
PID:4740
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\feEwIgUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""58⤵PID:540
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs59⤵PID:2880
-
-
-
-
-
C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 56⤵
- Modifies visibility of file extensions in Explorer
PID:4472
-
-
C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 56⤵
- Modifies registry key
PID:1284
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f56⤵
- UAC bypass
PID:3368
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\esYAMAkg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""56⤵PID:4468
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs57⤵PID:2216
-
-
-
-
-
C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 54⤵
- Modifies visibility of file extensions in Explorer
PID:4872
-
-
C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 54⤵ PID:4660
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f54⤵
- UAC bypass
PID:1860 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV155⤵PID:4432
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QuIAYEoM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""54⤵PID:3832
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV155⤵PID:2412
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs55⤵PID:2936
-
-
-
-
-
C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 52⤵
- Modifies visibility of file extensions in Explorer
PID:3260
-
-
C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 52⤵ PID:2328
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f52⤵
- UAC bypass
PID:756
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CssAoUEs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe""52⤵PID:3060
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV153⤵PID:1140
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs53⤵PID:4420
-
-
-
-
-
C:\Windows\SysWOW64\reg.exe | cmdline: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 | tree depth 50 | PID 2916
- Modifies visibility of file extensions in Explorer
- Modifies registry key
C:\Windows\System32\Conhost.exe | cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | tree depth 51 | PID 3688
C:\Windows\SysWOW64\reg.exe | cmdline: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 | tree depth 50 | PID 1032
- System Location Discovery: System Language Discovery
C:\Windows\SysWOW64\reg.exe | cmdline: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f | tree depth 50 | PID 1904
- UAC bypass
C:\Windows\SysWOW64\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uUMEQUYY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe"" | tree depth 50 | PID 2924
C:\Windows\SysWOW64\cscript.exe | cmdline: cscript C:\Users\Admin\AppData\Local\Temp/file.vbs | tree depth 51 | PID 2188
-
-
-
-
-
C:\Windows\SysWOW64\reg.exe | cmdline: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 | tree depth 48 | PID 1288
- Modifies visibility of file extensions in Explorer
- System Location Discovery: System Language Discovery
C:\Windows\SysWOW64\reg.exe | cmdline: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 | tree depth 48 | PID 3648
- Modifies registry key
C:\Windows\SysWOW64\reg.exe | cmdline: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f | tree depth 48 | PID 4552
- UAC bypass
C:\Windows\SysWOW64\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wQMssQAc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe"" | tree depth 48 | PID 4016
C:\Windows\SysWOW64\cscript.exe | cmdline: cscript C:\Users\Admin\AppData\Local\Temp/file.vbs | tree depth 49 | PID 3984
-
-
-
-
-
C:\Windows\SysWOW64\reg.exe | cmdline: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 | tree depth 46 | PID 3652
- Modifies visibility of file extensions in Explorer
C:\Windows\SysWOW64\reg.exe | cmdline: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 | tree depth 46 | PID 1932
- Modifies registry key
C:\Windows\SysWOW64\reg.exe | cmdline: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f | tree depth 46 | PID 428
- UAC bypass
C:\Windows\SysWOW64\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HGoQwwgw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe"" | tree depth 46 | PID 868
C:\Windows\SysWOW64\cscript.exe | cmdline: cscript C:\Users\Admin\AppData\Local\Temp/file.vbs | tree depth 47 | PID 2908
-
-
-
-
-
C:\Windows\SysWOW64\reg.exe | cmdline: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 | tree depth 44 | PID 4184
- Modifies visibility of file extensions in Explorer
C:\Windows\SysWOW64\reg.exe | cmdline: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 | tree depth 44 | PID 3040
- Modifies registry key
C:\Windows\System32\Conhost.exe | cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | tree depth 45 | PID 4504
C:\Windows\SysWOW64\reg.exe | cmdline: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f | tree depth 44 | PID 1840
- UAC bypass
- System Location Discovery: System Language Discovery
C:\Windows\SysWOW64\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VcUQccwc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe"" | tree depth 44 | PID 1052
C:\Windows\SysWOW64\cscript.exe | cmdline: cscript C:\Users\Admin\AppData\Local\Temp/file.vbs | tree depth 45 | PID 5072
-
-
-
-
-
C:\Windows\SysWOW64\reg.exe | cmdline: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 | tree depth 42 | PID 4940
- Modifies visibility of file extensions in Explorer
- Modifies registry key
C:\Windows\System32\Conhost.exe | cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | tree depth 43 | PID 3768
C:\Windows\SysWOW64\reg.exe | cmdline: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 | tree depth 42 | PID 4804
- System Location Discovery: System Language Discovery
- Modifies registry key
C:\Windows\SysWOW64\reg.exe | cmdline: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f | tree depth 42 | PID 2188
- UAC bypass
- Modifies registry key
C:\Windows\SysWOW64\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dGsEAEoQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe"" | tree depth 42 | PID 3612
- System Location Discovery: System Language Discovery
C:\Windows\SysWOW64\cscript.exe | cmdline: cscript C:\Users\Admin\AppData\Local\Temp/file.vbs | tree depth 43 | PID 4216
-
-
-
-
-
C:\Windows\SysWOW64\reg.exe | cmdline: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 | tree depth 40 | PID 4464
- Modifies visibility of file extensions in Explorer
- System Location Discovery: System Language Discovery
- Modifies registry key
C:\Windows\System32\Conhost.exe | cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | tree depth 41 | PID 2332
C:\Windows\SysWOW64\reg.exe | cmdline: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 | tree depth 40 | PID 2228
C:\Windows\SysWOW64\reg.exe | cmdline: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f | tree depth 40 | PID 4664
- UAC bypass
C:\Windows\SysWOW64\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\imgcAgQs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe"" | tree depth 40 | PID 4616
C:\Windows\SysWOW64\cscript.exe | cmdline: cscript C:\Users\Admin\AppData\Local\Temp/file.vbs | tree depth 41 | PID 4976
- System Location Discovery: System Language Discovery
-
-
-
-
-
C:\Windows\SysWOW64\reg.exe | cmdline: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 | tree depth 38 | PID 2320
- Modifies visibility of file extensions in Explorer
C:\Windows\SysWOW64\reg.exe | cmdline: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 | tree depth 38 | PID 4152
- System Location Discovery: System Language Discovery
C:\Windows\SysWOW64\reg.exe | cmdline: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f | tree depth 38 | PID 2380
- UAC bypass
- Modifies registry key
C:\Windows\SysWOW64\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EyYwUkMs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe"" | tree depth 38 | PID 4052
C:\Windows\SysWOW64\cscript.exe | cmdline: cscript C:\Users\Admin\AppData\Local\Temp/file.vbs | tree depth 39 | PID 8
- System Location Discovery: System Language Discovery
-
-
-
-
-
C:\Windows\SysWOW64\reg.exe | cmdline: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 | tree depth 36 | PID 3676
- Modifies visibility of file extensions in Explorer
- Modifies registry key
C:\Windows\SysWOW64\reg.exe | cmdline: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 | tree depth 36 | PID 2760
- System Location Discovery: System Language Discovery
C:\Windows\SysWOW64\reg.exe | cmdline: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f | tree depth 36 | PID 5112
- UAC bypass
- Modifies registry key
C:\Windows\SysWOW64\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\icAUEAMk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe"" | tree depth 36 | PID 2268
C:\Windows\SysWOW64\cscript.exe | cmdline: cscript C:\Users\Admin\AppData\Local\Temp/file.vbs | tree depth 37 | PID 3892
-
-
-
-
-
C:\Windows\SysWOW64\reg.exe | cmdline: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 | tree depth 34 | PID 4460
- Modifies visibility of file extensions in Explorer
C:\Windows\SysWOW64\reg.exe | cmdline: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 | tree depth 34 | PID 2780
C:\Windows\SysWOW64\reg.exe | cmdline: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f | tree depth 34 | PID 1696
- UAC bypass
- Modifies registry key
C:\Windows\SysWOW64\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MkgUkMsE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe"" | tree depth 34 | PID 1216
C:\Windows\SysWOW64\cscript.exe | cmdline: cscript C:\Users\Admin\AppData\Local\Temp/file.vbs | tree depth 35 | PID 1052
-
-
-
-
-
C:\Windows\SysWOW64\reg.exe | cmdline: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 | tree depth 32 | PID 3688
- Modifies visibility of file extensions in Explorer
- Modifies registry key
C:\Windows\System32\Conhost.exe | cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | tree depth 33 | PID 2188
C:\Windows\SysWOW64\reg.exe | cmdline: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 | tree depth 32 | PID 396
C:\Windows\SysWOW64\reg.exe | cmdline: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f | tree depth 32 | PID 4940
- UAC bypass
- Modifies registry key
C:\Windows\SysWOW64\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PQYMMIMU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe"" | tree depth 32 | PID 3956
C:\Windows\SysWOW64\cscript.exe | cmdline: cscript C:\Users\Admin\AppData\Local\Temp/file.vbs | tree depth 33 | PID 3520
-
-
-
-
-
C:\Windows\SysWOW64\reg.exe | cmdline: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 | tree depth 30 | PID 4648
- Modifies visibility of file extensions in Explorer
- Modifies registry key
C:\Windows\SysWOW64\reg.exe | cmdline: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 | tree depth 30 | PID 3648
C:\Windows\System32\Conhost.exe | cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | tree depth 31 | PID 2812
C:\Windows\SysWOW64\reg.exe | cmdline: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f | tree depth 30 | PID 1788
- UAC bypass
C:\Windows\SysWOW64\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HeIMoMsI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe"" | tree depth 30 | PID 3768
C:\Windows\SysWOW64\cscript.exe | cmdline: cscript C:\Users\Admin\AppData\Local\Temp/file.vbs | tree depth 31 | PID 1432
-
-
-
-
-
C:\Windows\SysWOW64\reg.exe | cmdline: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 | tree depth 28 | PID 1228
- Modifies visibility of file extensions in Explorer
C:\Windows\SysWOW64\reg.exe | cmdline: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 | tree depth 28 | PID 4552
- Modifies registry key
C:\Windows\SysWOW64\reg.exe | cmdline: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f | tree depth 28 | PID 3508
- UAC bypass
- Modifies registry key
C:\Windows\SysWOW64\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NIsYgIII.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe"" | tree depth 28 | PID 2904
C:\Windows\SysWOW64\cscript.exe | cmdline: cscript C:\Users\Admin\AppData\Local\Temp/file.vbs | tree depth 29 | PID 3856
-
-
-
-
-
C:\Windows\SysWOW64\reg.exe | cmdline: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 | tree depth 26 | PID 1932
- Modifies visibility of file extensions in Explorer
C:\Windows\SysWOW64\reg.exe | cmdline: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 | tree depth 26 | PID 1140
C:\Windows\SysWOW64\reg.exe | cmdline: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f | tree depth 26 | PID 2104
- UAC bypass
- Modifies registry key
C:\Windows\SysWOW64\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mAQIQEwo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe"" | tree depth 26 | PID 1376
C:\Windows\SysWOW64\cscript.exe | cmdline: cscript C:\Users\Admin\AppData\Local\Temp/file.vbs | tree depth 27 | PID 4432
-
-
-
-
-
C:\Windows\SysWOW64\reg.exe | cmdline: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 | tree depth 24 | PID 1500
- Modifies visibility of file extensions in Explorer
- System Location Discovery: System Language Discovery
C:\Windows\SysWOW64\reg.exe | cmdline: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 | tree depth 24 | PID 5104
C:\Windows\SysWOW64\reg.exe | cmdline: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f | tree depth 24 | PID 4836
- UAC bypass
- System Location Discovery: System Language Discovery
- Modifies registry key
C:\Windows\SysWOW64\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aOIoYAgE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe"" | tree depth 24 | PID 1860
- System Location Discovery: System Language Discovery
C:\Windows\SysWOW64\cscript.exe | cmdline: cscript C:\Users\Admin\AppData\Local\Temp/file.vbs | tree depth 25 | PID 1968
-
-
-
-
-
C:\Windows\SysWOW64\reg.exe | cmdline: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 | tree depth 22 | PID 3464
- Modifies visibility of file extensions in Explorer
C:\Windows\SysWOW64\reg.exe | cmdline: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 | tree depth 22 | PID 1284
C:\Windows\SysWOW64\reg.exe | cmdline: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f | tree depth 22 | PID 836
- UAC bypass
C:\Windows\SysWOW64\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kyoEAoMA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe"" | tree depth 22 | PID 3060
- System Location Discovery: System Language Discovery
C:\Windows\SysWOW64\cscript.exe | cmdline: cscript C:\Users\Admin\AppData\Local\Temp/file.vbs | tree depth 23 | PID 888
- System Location Discovery: System Language Discovery
-
-
-
-
-
C:\Windows\SysWOW64\reg.exe | cmdline: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 | tree depth 20 | PID 3768
- Modifies visibility of file extensions in Explorer
C:\Windows\SysWOW64\reg.exe | cmdline: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 | tree depth 20 | PID 4648
- System Location Discovery: System Language Discovery
C:\Windows\SysWOW64\reg.exe | cmdline: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f | tree depth 20 | PID 2064
- UAC bypass
C:\Windows\SysWOW64\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\USgogQgg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe"" | tree depth 20 | PID 2632
C:\Windows\SysWOW64\cscript.exe | cmdline: cscript C:\Users\Admin\AppData\Local\Temp/file.vbs | tree depth 21 | PID 2060
-
-
-
-
-
C:\Windows\SysWOW64\reg.exe | cmdline: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 | tree depth 18 | PID 3508
- Modifies visibility of file extensions in Explorer
C:\Windows\SysWOW64\reg.exe | cmdline: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 | tree depth 18 | PID 4032
C:\Windows\SysWOW64\reg.exe | cmdline: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f | tree depth 18 | PID 4532
- UAC bypass
C:\Windows\SysWOW64\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vokIggsg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe"" | tree depth 18 | PID 4872
C:\Windows\SysWOW64\cscript.exe | cmdline: cscript C:\Users\Admin\AppData\Local\Temp/file.vbs | tree depth 19 | PID 4476
-
-
-
-
-
C:\Windows\SysWOW64\reg.exe | cmdline: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 | tree depth 16 | PID 4448
- Modifies visibility of file extensions in Explorer
C:\Windows\SysWOW64\reg.exe | cmdline: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 | tree depth 16 | PID 1312
- Modifies registry key
C:\Windows\SysWOW64\reg.exe | cmdline: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f | tree depth 16 | PID 4208
- UAC bypass
- Modifies registry key
C:\Windows\SysWOW64\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pSkkoMcs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe"" | tree depth 16 | PID 3940
C:\Windows\SysWOW64\cscript.exe | cmdline: cscript C:\Users\Admin\AppData\Local\Temp/file.vbs | tree depth 17 | PID 2380
- System Location Discovery: System Language Discovery
-
-
-
-
-
C:\Windows\SysWOW64\reg.exe | cmdline: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 | tree depth 14 | PID 2188
- Modifies visibility of file extensions in Explorer
C:\Windows\SysWOW64\reg.exe | cmdline: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 | tree depth 14 | PID 4132
C:\Windows\SysWOW64\reg.exe | cmdline: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f | tree depth 14 | PID 2332
- UAC bypass
C:\Windows\SysWOW64\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HsIAogUQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe"" | tree depth 14 | PID 2344
C:\Windows\System32\Conhost.exe | cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | tree depth 15 | PID 5044
C:\Windows\SysWOW64\cscript.exe | cmdline: cscript C:\Users\Admin\AppData\Local\Temp/file.vbs | tree depth 15 | PID 1860
-
-
-
-
-
C:\Windows\SysWOW64\reg.exe | cmdline: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 | tree depth 12 | PID 2984
- Modifies visibility of file extensions in Explorer
- System Location Discovery: System Language Discovery
- Modifies registry key
C:\Windows\SysWOW64\reg.exe | cmdline: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 | tree depth 12 | PID 1288
- Modifies registry key
C:\Windows\SysWOW64\reg.exe | cmdline: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f | tree depth 12 | PID 4340
- UAC bypass
C:\Windows\SysWOW64\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KgAEAgIQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe"" | tree depth 12 | PID 2148
C:\Windows\SysWOW64\cscript.exe | cmdline: cscript C:\Users\Admin\AppData\Local\Temp/file.vbs | tree depth 13 | PID 2792
-
-
-
-
-
C:\Windows\SysWOW64\reg.exe | cmdline: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 | tree depth 10 | PID 2812
- Modifies visibility of file extensions in Explorer
- Modifies registry key
C:\Windows\SysWOW64\reg.exe | cmdline: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 | tree depth 10 | PID 4520
- System Location Discovery: System Language Discovery
- Modifies registry key
C:\Windows\SysWOW64\reg.exe | cmdline: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f | tree depth 10 | PID 3896
- UAC bypass
- System Location Discovery: System Language Discovery
- Modifies registry key
C:\Windows\SysWOW64\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eyksEkAw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe"" | tree depth 10 | PID 2228
- System Location Discovery: System Language Discovery
C:\Windows\SysWOW64\cscript.exe | cmdline: cscript C:\Users\Admin\AppData\Local\Temp/file.vbs | tree depth 11 | PID 1924
-
-
-
-
-
C:\Windows\SysWOW64\reg.exe | cmdline: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 | tree depth 8 | PID 2320
- Modifies visibility of file extensions in Explorer
- Modifies registry key
C:\Windows\SysWOW64\reg.exe | cmdline: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 | tree depth 8 | PID 1368
C:\Windows\SysWOW64\reg.exe | cmdline: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f | tree depth 8 | PID 2580
- UAC bypass
C:\Windows\SysWOW64\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\msgUgwEg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe"" | tree depth 8 | PID 2908
C:\Windows\SysWOW64\cscript.exe | cmdline: cscript C:\Users\Admin\AppData\Local\Temp/file.vbs | tree depth 9 | PID 1620
-
-
-
-
-
C:\Windows\SysWOW64\reg.exe | cmdline: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 | tree depth 6 | PID 4432
- Modifies visibility of file extensions in Explorer
- System Location Discovery: System Language Discovery
C:\Windows\SysWOW64\reg.exe | cmdline: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 | tree depth 6 | PID 4044
C:\Windows\SysWOW64\reg.exe | cmdline: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f | tree depth 6 | PID 4700
- UAC bypass
C:\Windows\SysWOW64\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OCgAAsQM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe"" | tree depth 6 | PID 5080
C:\Windows\SysWOW64\cscript.exe | cmdline: cscript C:\Users\Admin\AppData\Local\Temp/file.vbs | tree depth 7 | PID 4036
- System Location Discovery: System Language Discovery
-
-
-
-
-
C:\Windows\SysWOW64\reg.exe | cmdline: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 | tree depth 4 | PID 4868
- Modifies visibility of file extensions in Explorer
C:\Windows\SysWOW64\reg.exe | cmdline: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 | tree depth 4 | PID 3636
- Modifies registry key
C:\Windows\SysWOW64\reg.exe | cmdline: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f | tree depth 4 | PID 3308
- UAC bypass
- System Location Discovery: System Language Discovery
- Modifies registry key
C:\Windows\SysWOW64\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jEowMgok.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe"" | tree depth 4 | PID 4940
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\cscript.exe | cmdline: cscript C:\Users\Admin\AppData\Local\Temp/file.vbs | tree depth 5 | PID 5044
-
-
-
-
-
C:\Windows\SysWOW64\reg.exe | cmdline: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 | tree depth 2 | PID 4264
- Modifies visibility of file extensions in Explorer
- Modifies registry key
C:\Windows\SysWOW64\reg.exe | cmdline: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 | tree depth 2 | PID 3604
C:\Windows\SysWOW64\reg.exe | cmdline: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f | tree depth 2 | PID 452
- UAC bypass
C:\Windows\SysWOW64\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tYsoIYMo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-14_bc9d09d4d72e0773a49d2d853f366047_virlock.exe"" | tree depth 2 | PID 2332
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\cscript.exe | cmdline: cscript C:\Users\Admin\AppData\Local\Temp/file.vbs | tree depth 3 | PID 1472
-
-
-
C:\Windows\System32\svchost.exe | cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup | tree depth 1 | PID 2188
C:\Windows\SysWOW64\WerFault.exe | cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1632 -ip 1632 | tree depth 2 | PID 4380
C:\Windows\SysWOW64\WerFault.exe | cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4084 -ip 4084 | tree depth 2 | PID 3664
C:\Windows\system32\svchost.exe | cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc | tree depth 1 | PID 4036
C:\Windows\system32\backgroundTaskHost.exe | cmdline: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca | tree depth 1 | PID 868
C:\Windows\System32\mousocoreworker.exe | cmdline: C:\Windows\System32\mousocoreworker.exe -Embedding | tree depth 1 | PID 4552
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Hide Artifacts (1)
  - Hidden Files and Directories (1)
- Impair Defenses (1)
  - Disable or Modify Tools (1)
- Modify Registry (4)
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)
Downloads
-
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.exe
Filesize: 240KB
MD5: 59992a67074d25f1d37cb1ddfe3cd95c
SHA1: 3d58c058561cbbfb8e4f706ac17b5825ceb08a85
SHA256: 114ed41f2a754b9a0c890f9b0dfc7db7fb5fa445f4a7bd7782f3b984a261e939
SHA512: bbe9c3ddeeee92b19f7bf51f691de53e4f5975d389cbb68a83b9ed29f8fe35a642866ad37252e3ebf4e27a37009a9834300fc51267ee17e274c716fdf109f6b4
-
Filesize: 158KB
MD5: 020ee36c7fdd8067aa806078047b4c4d
SHA1: 19aaab0876906e53ba759684bcc6f95807185b17
SHA256: 59d6bf8d75d62384858fddb70451865d3c541f26152fdeaca9b5ff7bc109dc14
SHA512: 9b35941d48e45ac81fb9531fb2e6df2d630bd6e971e5d0839982c7eaaade5820ebf6c70464d37cc9ac41a457eb64f1ec277935cc43460b497ef62e0536a554a7
-
Filesize: 141KB
MD5: fc0a1acfff440c8814c4c800f3c048a8
SHA1: 5035f7b9a84703e6b872fc6d61f035ad738359dd
SHA256: b095cc37ab999da0afb26f588d507d12ad253e9d9b5d92f79a0d2b7d6c54e8e2
SHA512: 19e0b7547274d5fd0f4afd65b80a8e6205cf1b22d12b09f8e94ea36b010e901aee08c752b8326e047e0f3c3198c22ec01caaef3e5fa4a66cb6e645684158f1a8
-
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe
Filesize: 152KB
MD5: 80f926c2e78655f299eb680396e2bd59
SHA1: 81ae292967369b3ef9d1dc1ff007071cd1172918
SHA256: e863363d157a531fc3110bffefb9208827e33cb9ec3a3c1033b51966dcd6fa9b
SHA512: 95627cb1d1fc1c71a640fa41b1a6338cac851e2117f9b4c8f798bee7b36b745ad3ced90b229cbff6354ce64ada40b204e7030a21af5610df3122f992a2c6cd47
-
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe
Filesize: 240KB
MD5: 145098d23bac2c746b17ccc11ea78b01
SHA1: 159a67247c7e0ee809a58949a2a73162aba7da0c
SHA256: 7c2675b50cc14773beb56710c878a98676cda2237e13a430d7b34cbb7ae9e639
SHA512: 2dabd2ca29d5238710fcbd2300a829a12b7077b2239716c43c48acacfe505d44d40a58fe98689b10b6609e199cf716452c75903ab9a09e0fbb47f041f290cdab
-
Filesize: 698KB
MD5: d7a494127605d6530e3596ff7c1eef6a
SHA1: 1cca25f991951e51b111694ba91ce27f67a639b8
SHA256: 66da558a52f06d1dceafd42931509335cfe3514e23129f7cb6ec38dcffc38214
SHA512: 8b2ccff7fd56aa11369aceeec73cac6b51cbd350b7953e13cf7b6b1466189d016b5e284f8297fd6eb4313b1b37e98c090c9f4e17cd28132cc882035a30bc85ac
-
Filesize: 110KB
MD5: fc8e880fe808a7e54a8b768a0042de99
SHA1: 8f39a38db9a7042ddbe982bb27d3b3cf1979928c
SHA256: f2802e56bc99d30c77d4d550c5c2863edcd8903ccdd6dacc64cbed92cd51c29d
SHA512: 07aeb3296ea028aedbca9104e81d4d5cf46070cdaecdc16d714689e0d7b1b0bb48f38d8114841aae49cdde7b4dca2270899a5cf4e88ddbe4903afca021898fd2
-
Filesize: 119KB
MD5: affb493d4224be051ec87d5440764cf9
SHA1: 298017e8aebbccd8b76bd01049450f06ebd02f04
SHA256: 6031ecc413e06b110358b01a488b7142bcb5cfc5ca37fa45f7bb4ffae3f0d515
SHA512: 739709fc4ffbb36adf48c67fe6533c984e6e8c0d88faf3fe44fd342c5ad443ed976bce0d3210b8eb7fef4f10e540363eb2c674aa64cfae621051807fc6d786b7
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-150.png.exe
Filesize: 111KB
MD5: 1a07d130fd5f8ef30ddcc130b04a8696
SHA1: 8dc48b53ee6002e6b2f994e0222baf85bcf501ae
SHA256: 686712ed079cdb49cd86f742a7f9e2c6e417bda74024b259baa17376414324c6
SHA512: efade4375cc4f5f36096a9eff86b57eb001fe9d1bbea1e7fcdab99ee4f05560dd4f581366eb52300a43e30d8990ba5ac9669404270e90a5145e8f349ec65dc5c
-
Filesize: 111KB
MD5: f310ae8b1e5fd0658bd7d67f38389b2c
SHA1: 0176d201567d781c27a86b37c82a30c6c9ed651c
SHA256: 86eb8d45083ee11a5db0c3efe63e0cb3e3db776d229cd5619c089e9d5638ffe2
SHA512: 36314a4cdf97cf512a2142f0ab884497d3b44b5c8df1cb1439d3122c64e6d3c929dc034c3c265b578ad1d6548e3db1b68e66d0b8787400698c0cd73f72093491
-
Filesize: 111KB
MD5: 67a0e79d8b91412191bdb0804e7d81f4
SHA1: 5ac38caf0cd61148a81f922b3a52ec586cbeb4c1
SHA256: 9178d1685b850fb5c99ac1d8bcdc491e4bdb0db757ca2955e1b469059157bf83
SHA512: 037eef889e8c74ffa075d5d07d490c4d9d4f6b41e3ad05f9f6bfa1c4b5e16c90362620353360095ccf4d4792e78112ede5ca34dd4619d1c9986e9a1c7779b5b2
-
Filesize: 115KB
MD5: 8d2fea5cdd8910f11175bec6a098ece6
SHA1: c6967f92036ee87f854532d35a948c6537ef74f3
SHA256: 5f7dbfdd4fab296157867d106346b90f20ee20827d53a57bbe6d3ed5c4d7f9c9
SHA512: 1caf169300fbdd8e137d5e85db36ccc3a0eb7d9b05f375558a9e1786747cf8beeeef3721b6a44cd6ff6e001d04f890bba7fb6a93166ca19dad88c47b6e116273
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-100.png.exe
Filesize: 110KB
MD5: 75315beb5d9679e954ec537ba7816c76
SHA1: aaf2a2874b6e01a7c756a31805f6078c16fe0d47
SHA256: 75fcaf6f0973b46d71675be03ca6057d1c387ad471c0fbbda75cfb1312163d9e
SHA512: f5b5bbe5badb3beb734fa660030626df180f4ee3004bfebca7bc294adb928ba0b013c12f996cec420d5bddef1badffb385d28aab302f392dbcd8a7b844ee3877
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-400.png.exe
Filesize: 111KB
MD5: 5b031ce485c6ef69d755e5fb57b689dc
SHA1: dbd0de43deb40d4a4e29529825315cc15d4506f7
SHA256: b4d7e69b4511ac709a5f995e342786ef3adc59ede053b9371302488f7639c586
SHA512: 6e1a63aaf1e01f30f747324d300f73c564bf706e62fb6750e8b3693c6f9851dc88db6b6c22ff678dfb57b6754fa01abc64aa92bd0b96bc7d39c1645915de391b
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-white_scale-125.png.exe
Filesize: 110KB
MD5: 28b5640a24b20bd955ff09d1b2f20c05
SHA1: 515f5ad53a80de20c2d72ff1ff3924c5958653ea
SHA256: 63f213c62514fcd30a4b17239b8b9210153aff59c4151622b3816a0d810988da
SHA512: 64c5734e79e6d35d0f07175ea1dacb08b13f7cecdd95f78497f41b1574fb4a2f9538ae6e436c0d3548da4cc8a62e7bf0c03e76b341fc802214ece444eda285f7
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-white_scale-150.png.exe
Filesize: 112KB
MD5: f63158ed5d62c81072019fce6a3dd624
SHA1: c47d19cc08dfe605ff24ddb4815081c41acf217e
SHA256: ecd32024c1439f6006052e5338c14b281f12d062e115e7a1cccf80e92bb38e1f
SHA512: 357e36ffa10103ab17e75195b13223fecdac5f33e2b60d3aff376f91504922a98cf97c71fdbfadb225b9b19fe1368653235cec086862b2ee62e5bf2dc2e992f1
-
Filesize: 111KB
MD5: f1184a87ee04a70155fcd27008c21a38
SHA1: 63c7c406fa2dad68584b8743ec3e5eafe4c19e3d
SHA256: 5512d173ccd06efd94f90376a3d017272e3724d0cc7ee0456c494440dfd7d56d
SHA512: 3f538edc7e34a4ef2e95e8e3e39c4e52dcfffb09b2b5567c7dc159c8b1239390351882e55e16a22267f65154d58a2be4675ea6bc74084ab2fa51d74e4d852111
-
Filesize: 1.7MB
MD5: 3c6357b3da7dc24e933ff5ae39ff0934
SHA1: dd6a4f2709a8b029f8bde69de3865d1e9004f09a
SHA256: 510edc4452dcb9a9d2c28d6d545733623b7cb82021f8d54ec3cfbde6456a66d4
SHA512: d8098adc3a8fc8bc9914ef71e95dc378818f253174a7cbe1edfb72e399706c582001f7ec26ef6e009e9fbccc1c5b7d3e66a8470661b9b51dc3d4e9c120d81236
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\6501008900\tinytile.png.exe
Filesize: 111KB
MD5: 026a9a04b153c7e365c28b44ffbb727e
SHA1: 1ea9a0df70dbe50bac095507799c87fb188a0ac8
SHA256: e6db5f6a24a20100a2b71540895744c4a0d034f5be78bb1f1a8c78d1d56f6564
SHA512: 84b18dff9aceacb04ff72aa0fbe61c68fceaba609d45a37aa00925aed00106ce28c712ddebbd1c39dcd5eccf0ac265f69f3fd989bd6c875a5aea1cebd6b1d34b
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\7603651830\squaretile.png.exe
Filesize: 111KB
MD5: a8b435b6e3d6c7db68b440f9721b88f1
SHA1: 0885a16243c9da9eb1ac826eef69d696f813d689
SHA256: 97217e694be59fb779cf6c002795ce7ec74167ac44adef33518ca07d45b20df3
SHA512: 998cbe56dac28fe3cee2d2e779fb10b46c5fec757c867e0ffd398fb010191d13575f9481be3a966d46781c914ee617c984a1d878e9f3cd5722b82fd4e0e22350
-
Filesize
548KB
MD58969288f4245120e7c3870287cce0ff3
SHA11b4605b0e20ceccf91aa278d10e81fad64e24e27
SHA256ff86372ce43519d675b8d8d29c98e9ccbe905d400ba057c8544fa001fa4d8e73
SHA5129bdd0c215a9be94f6f677f8ad952fcb5abe876b59a1a2f537c7d9f7668abf4ee47c85acd9e4873c0b474eb98d7b211c08fd8f86b9f695d88d62c9695d88de90a
-
Filesize
115KB
MD5a9ec2817addeebf6075e89ec5e71de7d
SHA1f59a39d50b38616f41624da74c7fd3f507aa1700
SHA256427b92131eaf103bd388f0fb6191f3380b96258eddd4a0f5e3a6ef6bd3390507
SHA512f03a142540d48926685324bfa8894ba9294ef4390c37937f4904603a287d7f71b4e9037b0a9d67a9e1e85dbe05483416b937f56c6da0bf1f419d68e4954cde21
-
Filesize
116KB
MD5640ac432b7948b500ac5bca5c119b163
SHA1821189fa8804f2663f05132e34e5e7e8ba55b6d3
SHA25690a3488a6c6d21118365d629815f7f9106d23adf0d91343e2898c4e9ce8811d1
SHA51256afd4f3d8d5663c24c4451fb872bad6793682f2665891d821af7eb6508c1d85d78f385173ea619b8e44700729e2341e1440cd4d3d1ccd8fafd7786053f73f39
-
Filesize
117KB
MD5060ce866b110b90f897851cc3cabd49a
SHA1af53444fd2ec63d57f0657ebe91c7e6ba4864aad
SHA2568edb64531465a8c8cf18497d11954e43b43c206dde081cf9387842772cb75ba1
SHA5122742194de4d9bb2963863cee97531c1fddcf9758b221e8b49fe6e27ac4f7fb5fb2ab16786f4f2a6755e7e678e8a6e9c0b0f15487d4c1b2eaff4127f958e47678
-
Filesize
115KB
MD5fa92c5b4b0634b75d45d792181fdeb3a
SHA1db12922df83e9f95905cd925ce71500b90ce9915
SHA25625319978a5c99f769dd02c4f0f98467a69c566c7c41405faafe3759be014d924
SHA5128bb03acc78a39b8df142c83762e6e8c1b7e05e3d3b54abe18738555d109468735539612d1e1e9218d90f8882d50e13002dc47a7defbcedad41fa298fdcc19692
-
Filesize
111KB
MD5a726f0532f43f1bb3b2e7ec7bdad8507
SHA16c95e481dc1d82ba765633cd91073835ac038007
SHA256f4e711c8bd15f8f50bd27a1de9cb8d39b681804b48cc1c825ff3498e999f932d
SHA512709e1de5f89760a8e15fbfaa82930215cdf08fd55cd9834a697566a364a2a6f06c98556a0141978dec0585dc93901bb5f9b46f59da4398bda8adc129239ff73f
-
Filesize
484KB
MD5e0b02b007d4b14200401a4a2667bbe0a
SHA14c501296ebd51d984f5ab81fe3c2f8cc004c1cc0
SHA256441f1eb7465f965ed144cbd1962c6e1c87551cd70e8f85f090b2679f4f31fdf5
SHA5122a06c4d7f18734720cdcf1b9758b5c56dfaf15826ddd80e10b33997096890d36010d0615550daf94e27e84715eea667e39caecbb358dd369aab8f8520eb80665
-
Filesize
149KB
MD50ee2546c554bb836c2c12a5316226592
SHA1b2deae607103f95f54860ef4538b510347323ccd
SHA2569c217eb7577ac38bae17febd9326da4c422143b037befa578b6e98fa6f26316f
SHA512f30b110c95d6c81e10e901dcd7907633bd3d8d8aa7c39f7547ec9ac996841e8f18990eb5433ccc9685fb7bf25e098e33eba613cd23b076c554dcf731bf469e0d
-
Filesize
114KB
MD527f6bc74aab566d7c2cb2132d62ea1be
SHA1d5b3381078c581fa0ea7f03638c7c028ed016ff8
SHA256a381737365ed60d15cb1c8be9cc8c578551c4b67117c837c96f51db96a6ea76c
SHA5125920917ed288735c46aea9a01543f88463cbb336e5e5e3e4feb6da4bcd7aade0ab1c5850d94e6103fb4c01e95a2eec54ed37d969417eb322428cfea8669ccb2e
-
Filesize
116KB
MD5ee88e777f383194e7b5f6adc5eced1ff
SHA17df9370e46125e0afb8407ccbd4ddc4939df710b
SHA256778021f2a24dbfda56505fcecfaa816a11ed8f9380f75a991a1b814b4c26e9a8
SHA5129d985c4b18ffc784da63628cb75bb33c36232dab91b0341de1bdf84a3ff33bc40bf48703388861fa067e392c8bf42ed075c922aa67d3a394161f8389711bb460
-
Filesize
113KB
MD5668b2b701c08c960dc1f00ed7f9428af
SHA1849f7ad895f9990e31fe62a0c267703a83eb9642
SHA2567a40880d0d6efbaec92cb9e06270bf6f774dcfb3daf1a5a15fcf03a692a2ae18
SHA51242262341a72a18e520ee6541a712c2f37b5875590daecbc1378576353b2f1ff6a998062eba60135b1d26f1aa36c00fe830f846446e464012541ec8fc7f9c54d8
-
Filesize
115KB
MD51478a7d852fdfd88c3736feab93ae438
SHA1adf3f42d8ba2ab3e8c91e89260191b35a95f8ffc
SHA256bacc59537b8ab67dd0a043a75c32bab2d263496903321d091577ad16652f544c
SHA512d88eef989699c0194bda1f98bfdade0932c016d99e68441df41217bf44df1b8bea5459df0eb31cca298a64c747ef7501b0a303b1180210e0c255a65d2061b55a
-
Filesize
658KB
MD57b8367d71235b46478ceb1049bdc15bb
SHA1ad99816bae295171af72a6926e238293b5bf4cc7
SHA256ddacca7c8fd00e327ae41e48a65cf4abf07dfb316ade00dbd71cf54208c3fbfd
SHA51292dfe41280fac942229648423a22c91bc1e0086fbe79dfa3fb5c640148c675687045572f3003f8c15348ed375f7a5641378787cf4be328d338b33500cb94b5bc
-
Filesize
1.9MB
MD5ac800096f254a3b828f149a7445e212b
SHA1193e33408593f750343b3505f25c791ed1b7d2cd
SHA25603e7948a5b66fd5bbbd9b2b811f845361359bcfb6f6ae62bcffaa64a55b17bbe
SHA5122f9debeccdbe3511481b7d7324bfb83d168ddd423b9896f8a59a508d2ee3287832552bfdb300e9e05df4d11e0d5c78c281abcbf8c4b105e33f3af34381a2b306
-
Filesize
116KB
MD5b2808b343df6357368cb213082ba0232
SHA13d387176d481bebd3394c4cb40ce321655109ddd
SHA256153a7a5d5735047a373c4a148ed4e9560eef592b4e37b4c42a63ad775e5fe21c
SHA512d736087d7ec21d7240fca7e001be298fe418bee37b066a5f1922937fac23dc83d96e8ce2e500e48aca4c281b27cff4402ea99af8d76025d6a1c1e0519cdcf6e2
-
Filesize
115KB
MD582751a6e328f150411f3640d9dd9c1f2
SHA1e64dc9c8edfc8a381b0aa30a043a753199c057c6
SHA25602afe897cd2add499a4b4ef5ed2965351c3500adb69b8e4d2f9d13ab281e21df
SHA51273491ea48c163f5800b256ffcf1c8fedfbabe2ef3e1996d605a8e669d53cd82bdea1f8d161c9a6c98c8e479140a581fbc9c3db57f4a031257cb921264a9951c2
-
Filesize
112KB
MD518018edc91d6358db49b3fcbce3a3833
SHA1c8678cd3ad6cd4516a30e0db301e1507b4cbe001
SHA25673394c2beca735aed1a2a7e219e7a5d1fb9db671b586b324e887206057296240
SHA51252536af6fb1c51a4e3d54870707a3f45540a3992d79c3ef219ebdf5a64554eda5accbc1178f8ee8990e1c5ed939955a255b7625ff81f8bc15eae9e0cb002ccb1
-
Filesize
118KB
MD57f4ecd9adbf0e1d32502133febdb0d70
SHA1c06a85a41cd92a39880f4e2b1c108d358ff981c3
SHA2569b7b0d9e5f9c7b81ddc024ec58833d230911c2d864067fe1b6d6b5bf95f1ddbf
SHA512dff4ffe7f01326744b43b55904601892b479f3beda705e9a1d8b5d46cd93fd8978201f1279afcb5a8d5a6ed4e6e4d80dc1603ce94ec03df00f6fd46935de7f61
-
Filesize
110KB
MD559221d71dcd37a156f7ae841adbf967b
SHA1c6691d0340b79579c9560523014dc9d70d940a44
SHA25607f041a18cb337870470bfd9881826819a03c70a00d97599693382a7795eefe5
SHA5123bd1a0bd06241875e62a2661fadfc554f9ad05e6a9964563e433de6ce92ea8277fe9bb08d1db2f3f7a6fe7137a744ab4427b81b7a475ce5169b06dd9e2411afa
-
Filesize
237KB
MD5c15f4fa742528df97bd4a76ee869500a
SHA1b713e6b996cca6ed3430304006d167fabf57450c
SHA256e6b84e3fe49d7877224c59f3355d95ef5a30efe6b9d7f4861b950522c38a7408
SHA51225c9be5674c1ad9f411fd40509c29e36c5ab328c43f2c7a2b9191b6642f18397b802983ba3ee3d29d539b5ab166bb2bc07a07aff053e319c93dcf0a13d552ed0
-
Filesize
112KB
MD553c5a7b65d258337602503f072ca8801
SHA159ce7d428a5268e08220d5c9c07dbdaa9278d09e
SHA256b8391890cc7c5911f82cd0f13322ecccc6a07e82174b8a6f08107a4e16197659
SHA51231bc748b988f3c3e1b6d2ee81ca5a6efd3b4e08446b894af15e08161c3d87f6e20ddc54a987876dbd7789f5a6a311b3e9e73e90221083ab248ce396c73dac465
-
Filesize
115KB
MD5ff9a0640fce1a018484f738e5bd9376a
SHA1970c0c4d861d5f77deb28179f76ac91ebbf39eae
SHA256bd9fc56892d6677f96c8f1043e822daa6005e716b38a2efb0d0eb53fc3d578d9
SHA512bc4d130bf663f4d1be08b2a1f8eb4585688985a1adb4fc269c88de701eefc0e613458dc59b61888fa0f8997a75b48c9d24cfd4dd0e9823fb6d75be8c516a002f
-
Filesize
116KB
MD58a6608007a81e3e47b065a3d21a73019
SHA146e04d52854566e2aee1c56fe4bbc31c5931e6b6
SHA256532250337b5eb75423400a5e824758eee4d465d8495fbc89b79a68b91becb3ea
SHA512723195998265700c6c8c25aa40d80cf38947cb18226372e48dbedcfe232edfc7db6b0c8231bd2bdcd1a03d52c9fc3d0606fd32fb7238c3e74b444ba860910629
-
Filesize
115KB
MD56c736238274eae08e0efed61a1b1e76d
SHA1f7730562ee09d7bf1869b6cf9204b389f9c98adb
SHA25621d50b4a7efa05562a9f19dcf44eb6a1b59aa7644ed3dff484371ea35a3ff295
SHA5121fed4d25d13eba6171810e3a83fa4e7bd4bbcd5447d50df7d7ad9148a57941c3f98f48f19651d84db151f513a92152fbd88267adc2004b375a0351998a1320ae
-
Filesize
116KB
MD536bec80ce16087131254fb9e1a96c934
SHA187df6d62dfd1e96c64f42a5eedfe18a3b515c4c4
SHA256012e7977e8b4d431000b6cfcdc91f6a487798bf9cb15f1b3f918ce47e41321ef
SHA51204b5a47c1b4265257eba0e2cde4d38c942fc20fc56a4f2cd0a889cc48f8d62a7d7f549de113dbc3403404153c08031fcf80e7b6867eaf35a158317ca5597347d
-
Filesize
112KB
MD566b3084c7cd6e1a999fbd1cb98bb6a1e
SHA13bfc511b949fc05e6ad4d1c4b2d725f49422c023
SHA256010adc783da42410f695582321b817d15d2be52fc8f6bbd355b06dd156fc758e
SHA512ff8ec3235527d451116ebaef62f038e89b219a5ee35b1dadf2a301209ea20110b549c567ff7bde1ef74b7e16a6cd3a7cad3c781e22a6fd64f01bf1bbb040fd31
-
Filesize
5.8MB
MD54bcac7e2cb5657a3d2400b23c49607e4
SHA1faa8557fd201e89ddb676da08bfaf347f36f098b
SHA2561db7c1414ee8bb44f6a17e9b0f1629cba812a5448cb2108a0f1393a1b31baf4a
SHA51245ec63b4b1b29fcf05c742c3ebc4c2bc1c8e49e0a78cb38edcde93a4d2f8c0bd52435bd863d660c9a95bf74205b7c40c4657a1681618a8ad33d4ce31cc5caf84
-
Filesize
2.1MB
MD5ef011f2d76cd987255beb18bcf7e7b74
SHA16f6aed484a3c6202d8467dd8964a82300e6d85d1
SHA2564549d47ded2a39f29b6f96e4f0bc9ddc51eb671d5e6c4dad2d77e65c6ae454c0
SHA5126517edd672a8410edd4758ddaff1f3b032a8acf26d95efc3ed39b422c62ef5b19ea13a38b1f43f3df2692beebfe587b064eaf990d3d2c528d5637b39a53bd28a
-
Filesize
720KB
MD5f9de03fcfe7b188db692a27a8ce6d1cd
SHA1c22e530e81fcd3c23933b892797b5bf548761126
SHA256f7950eb8201f195b3709885ee346951634d454c3e0956540d1dc89bd618d922a
SHA512d92145db10ee7c986fbe07e0a3a631c0d478330582b3b36760da52760c984ac985b6cad0ef6e86b7320b3fcecbb060f8f9e43b23c6e3b034e477684cad79005a
-
Filesize
1.0MB
MD5b3b14250ed6e21da573768bc9313dfb0
SHA1eeadbb38eaeae5a2bf65499ede213733f691b57b
SHA25625228751488b35a70f5b56c3fbe598c7b6cfe2e8d07268be09add4db0080858d
SHA512f8780a66c339e8d877f27673bcf056b969028c370611531d66c58a1f4c0f86895c5d00f4df9da400af67ed0b08c156c9a8f8ab4ddd819e8d0536cfcdc79399f9
-
Filesize
720KB
MD529e36c191210b789752983e02b87e7fa
SHA143fbe2cfdac76cc247b55364870fbc4fc777cbb4
SHA256d0dcb0e311cded4b6d335712fa6cb549e6cf2805cc37429f102d1c8a68007c18
SHA512f7f934e3e646be1c29c6b8a8b0ec22d46e8ae80ccd642fbf3fe0b43e37f1742de8ae2f494d9d489ca7eeaec66c6ea552d196a105160fd708f208f21b64763066
-
Filesize
115KB
MD58324a86ed4099c6ad8ea8af5210fdaac
SHA13a5c31534e4ec1b97d383bb17d2df11fbf82f57c
SHA2565a9a0da6f5d1bf573adbf239893018b26dd4807fbfe0a4190e482c079e7fb581
SHA512b616b1b896d10053d408b1b6dfa861184ef8f20a6f489d1adda7fa34520e33b351481f4b8102bb597786b843e93b0bd9a2ef593f50e5041c6f43674435a7eb51
-
Filesize
115KB
MD55a60e132162c379cfe4d657b454fbbe2
SHA1792731cb5ca825f1547f7d7dc1d07b0a21e43b84
SHA256eec6ea0c345d616aef0576821b0162e3fe74704f7e90e96adf8ddbd31c82dcfc
SHA512ad4430fc75b28e211adc9918e549a0e16c11c15044729038a94edd94951a8b791c912ac06ea852a845beab3394009b710775908456582b4fa9290fabd6114142
-
Filesize
114KB
MD540917b3fa82c8e9456f61f986c581726
SHA184baad9ad75588dfadf0203fa3b5bf44be6d4ac1
SHA256ff581e16ba91dc990d058fc37285fc12b589ba1c8b5dddfefb6c9f909bb3e126
SHA512d74c483cc77ff744b4c1844c5538fd00025b1dcdb8bdf4ca8704d9efd33785e6d86781e26e7f6919e4c8d13be7335500348163df92e763ac91d892d0a2a27012
-
Filesize
116KB
MD5077beafa9ebbf98ce73d4dee33b24688
SHA11acb95466030a7f91ccfddbd247a0f25c6dc09eb
SHA2562731dc5820a7c9ad866bdb76511f8dfb48ac7884ae02a8bda0f0a918aea6d8be
SHA51278c0e9f1fddaa5a5de3a2445d5de80651afaed704f6a7107b0d738a80e3cb6c3793663cb69a184b72faa0b0bd2400fe7dc4fdc6cf0a297311160659e54743249
-
Filesize
116KB
MD56598d39144870dcc088da21051ccc0fb
SHA1b8aba4621658bfe0dfa2b1b1faf5dc68fac39f18
SHA256ec3e0db47ba7bb8891cb35c7cee32a29b6315d0fe59c55e935e1874df1ac89b9
SHA5125f417e838a19716b22ee9d637c251768e2cfc108efe789ce00e8bcf35d247284c1e7e49c70780b892b995f1ca40b6a35db136c03be9b3993581de9aa274fe6ed
-
Filesize
556KB
MD55821ed939c8530f303550d2f19941529
SHA1ca738951b17e087fe735095c0427baa4ad8b3c3c
SHA256cb78bdacccc63b8fa3450203f629b2897a2a5f7671ebec5f2cf504b40b992897
SHA512c620d28de38f5fadc5173753a3f9f2e1b0842e52ca42d1a1f111ff3cfed04373e45a1f0993063905692570ba378f7eb34f4aa873f5aa7ebeb2ddff8f90704b82
-
Filesize
491KB
MD575333e0222a63d025b880588712a7996
SHA1f3dc0877778dd7d1aba5d631c6c579fcfd5469cf
SHA256f43518608dc657bd658a82abeddf31797504cbe8209e65cfa6baa8fce0db2a81
SHA51229e42396f6e45318b80a940acedbd338813fa02498222977738c621ced7f5c79645e085e78f43f62e680f781ceb3b479d957163308f366d7dc48384852313dd6
-
Filesize
123KB
MD5f60b8af931c693e50fb2a6bbf8ccb7e9
SHA14a5feaf1e3265a4ceae8f577d3254ac154fe9264
SHA256c9b72ddb33fddd4636652b04fff923101d6e172f492c546b04f48a4f31f6f29b
SHA5126076ef25c5525aff5c4201db661adc83c4a01a52b23bbacea67bdf62373232cb345b1ba8c35af78a52b543c24fd9a35933da9e7a00ec5a7a6918570187bcf16c
-
Filesize
4KB
MD5d07076334c046eb9c4fdf5ec067b2f99
SHA15d411403fed6aec47f892c4eaa1bafcde56c4ea9
SHA256a3bab202df49acbe84fbe663b6403ed3a44f5fc963fd99081e3f769db6cecc86
SHA5122315de6a3b973fdf0c4b4e88217cc5df6efac0c672525ea96d64abf1e6ea22d7f27a89828863c1546eec999e04c80c4177b440ad0505b218092c40cee0e2f2bd
-
Filesize
120KB
MD5e49146c112869250e2c7aee9e783fec3
SHA18cd428fc60cf168945f98aab3e38e8149c525f81
SHA2567c30797e8905d7f84513454c1465bb04badf1661883e034a0cc48b89333138d1
SHA512ebc9ebd398f7b44ba1d49cc1c11e61b8c5dcccef73b3f0b38099f7cf2bca6c1ea256d843e371322e7e0b1f377db6df5eb504a7e17b59a15f2ed86b6f3a754711
-
Filesize
114KB
MD5cb7950b42ed1f922cdf00b7f3e32ce67
SHA136e42c3b7949af727be75c37ede7e883ff4fda05
SHA2569d15ec3a9c07db90f8d349cfebad726f30ebee5bb6180b676a9ccda390426c9c
SHA512083e058528c751cdc0f7f499b52b29751e0238ccf1e05e0a3d9e3f3d1a5a4acca7e577535810c622c09cfa952882fafc99db1f168d6ac3efe3a80819da7fbdab
-
Filesize
745KB
MD591a1aa1f477a33c85ef9f4884aa4d923
SHA11199e5747b289f92868f1fed9736953d78f8dbb0
SHA256f928aac51c64e8ec4838414a8220250b1e51f50e57d67e9fa927e6999563fad0
SHA512fdba352e5af041751ef830a5681a6e78f7f9f6be527cf6f4c9eef5320aff51672274e3bd82ace45f5b3a5b59c567aa57d6093145c0bc788e23ec9320a9973a19
-
Filesize
1.5MB
MD58494e2826023132f2783518e22ab0e6a
SHA164cea02925bf85965be921b299367a2f6114992f
SHA25639dc66ecfc17818dba9ce5abce1f3bed9efe0cecf4c23776e506a4b77e93bcf4
SHA5121c0ab544e8309658f9c3941aee4b40c3baddeaae81f026215d5abd3c7ad8a22f3af7088978693b8d3f6ea3e863c1646e530c84556887f82b04bc068560b30374
-
Filesize
1.6MB
MD578c3ca20f5956667687f9a0d193d7297
SHA171d8fb97efa6482379302fd5e785b989c8fb8303
SHA256398574569350d956a2bb80f1e57188805627ad4503087394676163c80ab8be6a
SHA51289791c8c0b807299ff1b074f1717b2ef7c6873a5a5974e99165564a181c20ee03ed6e501aa74f68f6459978edcdbd8b445533b624b98e5f6505261c6f636e375
-
Filesize
237KB
MD506039ea324913efb0f46876390f04554
SHA1302ff8dd19a24a668bc1587e6ec1b62ce64f6c2e
SHA256c375c75f5059a420781b5e2360adaed536ecbdf1414cc1c6f2bcb1c13805213b
SHA512227c8ec1127a0cb13177ea71d727bd8d42a09efb41492ff05fca2816c68fb72e70212255b32ffaa6474483d9fa38f919fb4461511368be94babda762e0d2f37c
-
Filesize
119KB
MD559cbc7c4e4fc1b2d790d8357e3922e98
SHA17d0b3a713232b6eee30dcb05dfcf39d97885059c
SHA256c22b8560dd0736f78253d610f23d5775752a70bd7522c6e8386c2faecb082c86
SHA5124b89804db5d981acf3f0ce3af247f05eecf2ce324fe288496d4f38b67a5b2520fc6d3d0b2f9180819eaad9d4eab5169bee0add94f0e4dc65a35223c50e0c138f
-
Filesize
138KB
MD5778e903ceb260f80cc13fc1e34daf76d
SHA1371227e8aa3e67d65c29a94dfbffc8c54664cf15
SHA256ab4ce68371674fff13a5fdd15509630cdc865ecacd653cc508e5f0523970c728
SHA51251b9150de03f47dfcdee8e8e28f399f8c804da38409242c3202336382ca5579bf3884086dc1e82c15e776d06b40125d23c5afb54c8979e010bb664bcc3537bc5
-
Filesize
4KB
MD5ac4b56cc5c5e71c3bb226181418fd891
SHA1e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998
-
Filesize
114KB
MD581910edbf5c6f98c54bc6a7613d12ac0
SHA1bc27b5be9dc53f4b2cbb785119445cc3d4a18dd5
SHA2567fa647215f126dcc4d0e70094e36146ad9a10525b1bbbd9857b75158e6dcced4
SHA512620e31d72a714163171acbc2dc40a50b5d2a0264bf5bba09f6f3933391e31e4ef06c6fdfac1dbe58901da6c321300fcf3742b9d10dd477f96761382364976b1a
-
Filesize
120KB
MD53908ccdd798cfc3124da2a77e19f931a
SHA1763c223fd7318380f43009f20a13686c209ddd1a
SHA256f8c75cdc7501c7c9bfac3433aff183670f363a0703ce74ab861ef1faecce20d3
SHA51254fb7066e1060d68a073a52139aa5d823aecd35f553dfa15fae0dfa5ef98bb6aa917cb50625ccee369c6e65c52ecd23a258adc8659fef3fe2d525f441f81f224
-
Filesize
1.7MB
MD56eef8310227c935194885e9b0ad4b610
SHA11dbffe4693491f0d6963feb71766c19f7dac158c
SHA2568d3ea9826a58a68cc2316c91a8621a25cea5221694348d165b152de6b6186486
SHA512cc8ae4065f26fd46f250429893fc4fc7825975a4ec328ef199065616e866fe99aea288fa539d56cf65a6bb5495bdc23c020af59ce55f6b172540f3940c35363d
-
Filesize
123KB
MD51ff29ff3eb4ebc69ad7a705008f24fb1
SHA1a88b87b47fe40e95bf5c2528b81b12505804f38e
SHA2569d16f2b18305370eaf9726e1b1f4bc72fd19b2faa295df700e0e016459b12204
SHA512b56887e53dad484438b479868da41e8049a8ddbfc64c6347c1d6b86b361de5362d5a5af938a82aedbae40368ef3d3e89c7255ec17766ff339cf7541b3928f937
-
Filesize
122KB
MD50de42fda6d86dccf24b1fa080a5513cc
SHA1472170c3e5d96565c307f844bbced8c1983abb73
SHA25644feafdf55fd9d788619c129c0bc8bd81776b49bd71d042c5c39037b4bdc2c58
SHA512277483bc2f6e8ce1d0d716af830d55675cf238240bdc0ee25aea2feb7405608df10cae771ac2b1cc865ec2057c61378a2f41b8904e1be5c23223c26b307da7f2
-
Filesize
117KB
MD5807475649b79fc9da0a384b6b86646ca
SHA16b835c1b49c94380dd5fc3b4da03951415c1198e
SHA256475366b3399b6b802e84ac17752cf064573540e1277caa97e815bf4add00d3dd
SHA512315ef0b8cadd70aa95ac026177fd382afa0f73df10cd1e8d3f82cb05007288f59b1ff446790fc4ebcdf1d012c43b331077923dceede7b8b2488062d8a3fca77f
-
Filesize
117KB
MD591ec0a59d3a0c0fec6ecb382dcbb5888
SHA131ebd97f52cc4c7b8d1643b65fa28ccb32470434
SHA2566bc135a555c52ee3ea32308d8d9cd2297c0f22f591ed7def4b45f4a46f9d76d5
SHA512ca341df3d99041338f3abd033ecf7a532e07f74350debdad24d131da6f3a9bc0b91ff7208649354045b696362ed0b31c06873e1214f89ae4ed78268b6333c14b
-
Filesize
19B
MD54afb5c4527091738faf9cd4addf9d34e
SHA1170ba9d866894c1b109b62649b1893eb90350459
SHA25659d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA51216d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5
-
Filesize
139KB
MD54d77c6f1b1f2e1c8998b016e5bfb2fb2
SHA1b76d525968b5e5876ec1927235c1cddfc682da37
SHA25676c9a141868454ac9dff74666654f110798bdd25dca48478d16d5bb454a9e838
SHA512cafaf4cacc43c700fa3abcb5792b676370e5e31b18213b8a3d56440732bb7157227a5cfd0d99524a78a74f197591dc8e5c5841a629fd07719c7baa96de0347af
-
Filesize
123KB
MD50ebac7cd0af21f8677370b8433257811
SHA1da65be7522f3f3da10ba39f5a53431a4d01f5511
SHA256c2306680b7182e90b3579e85217696accc5d9f3a71f655dcf75abc9613dcb189
SHA5128851939ce6ef753da89e446ef6f04dae6b731b583a903cbf9c3408ca81b628d8c38148cf1c55b1fa76fd90686d6d6fece683b45c20334c6ab73f90ba9545d879
-
Filesize
129KB
MD55123ff7fc4efe563f7a156120513d414
SHA1fd0139c8c8c8e3b99401f10bb19303274916f1da
SHA256a0e352624f15a2a33f8a0b0e97941b9fa223ae6f4308933e85b15f5fa969a60a
SHA512a309a11d067a3d22afcdce35a087cb6c6dc0997e6e75dd38b63ddf51bd4802d9d1eec7cd0b4e4345fc0135d9fa9a91b5f369527004cff354f95934154d5e4985
-
Filesize
143KB
MD57a1e4c25616aa830b302fddf84bc31ab
SHA1bd6805d28244f7fec46c165b6ca10b0468c01350
SHA2568198a234b383b8ac8a82f5f51396e90abd7fb78f9bec2822942b6d0fbc35b393
SHA512013c91fa67634eb0468d64badd12c9e5faa08acb1e5831d89528fc0333df3861c8e6852c72b1865686c18b64601947fc941c6c78d6e7b595ce9cfd2d5901ea9a
-
Filesize
502KB
MD5004890b00a3c57bfd79656bb1d68b44f
SHA1cebbb611c53c35928f2df56365a8ce0535a391d0
SHA256d4dd56a63cade6a881015ccef7233d200296b06e459377b8f9c2df8d36ab4a02
SHA5125d8523bd67177553c7ce3bb7cfe725c33dc6e6a7a04e5ffbae5da646796f597f0b85239a4fb45100200b6017c461a2e3a158260767bad7d8762f3c3bb089c0af
-
Filesize
566KB
MD509719b7148bbcb095250afa3578e2880
SHA15c99f43f0a00ef72e85c657f96ab1c7124b7d61d
SHA256702c611bdc1205dd4e93243acc041b3e05b22471e70971044d348029d9631b5c
SHA5126a3a3746f1d8ff21787189d111827b78099187b370138e6707a8d31f365b292a268d298802388e4c2455f311606d4878d25f98dd7aaaebdf735184e60a00658d
-
Filesize
111KB
MD5212d34abd6571f8456471b473b4f646e
SHA19520d4fefc6c6ff11b959b37ffe794df79901e8a
SHA256d5f7a3ed313d91c48835af1e8f43155353320bf328a08a92d08d4a8822ab9bde
SHA512e22f048fcbdf3fde5e5b91ca524509dca4346f67a37a0e105c1a25092ed6451660fe8024de3fc8982b6573cbb12e4b78392542fedb6cbc69c073cfc7cfa47f86
-
Filesize
114KB
MD55d526437d2de91210c2b7b5d7a6e5814
SHA1ebb87cfdda2c4dd0e10e11611ffd20f4e9220cec
SHA2565f964e81e7b8273f07ea4e45ab8a75004f489ab70dd7cba7f172e885f4e02dfe
SHA5127141a3ad99948a241c0dc893485638f79bf73e90622faa3167dbd28e63a05c987ef9fe8aa95275420601dcefbf3db44e6ef3b9658fa7a988d6b5e0e4d782affb
-
Filesize
566KB
MD5e744ccb5d89708955314a82115732ba9
SHA17d8cc0254b57f33f4542d056cbad6bd004ec42dc
SHA2566433fecb0c91d17a5131b3b9e8020c59b018755acfab7db14ee423502d05a7bc
SHA512167cc5e9d9020efe3d65e377ef3e22922b0fab216742d864cec34f49158516d6ebb2f37c6ebb41505435e62e2fb732ecfcf9d853595f807487da92f2253f0eb1
-
Filesize
116KB
MD5abf63fb03ed6f785dc83e07678a33624
SHA1251b967518ee451f889cb95a2b59806b32254d41
SHA2564c784e3fbba26d607f63284ff15d3d4349a0b36b6e9efaa1971d825ce7e806c6
SHA512aaa91ec4315309d503ac778e510082a7ce569ca7919020dc9da87d2882cf51335e1a0187008ff024eab3b5dd8bc06fac9a9a74fcc777695868f09f5a669a3179
-
Filesize
137KB
MD56b22509e243ef8790570046652fe8d7c
SHA1aec4c71dcd86efb67b7b9231968e4fdd5c0fbd82
SHA256f2c9ce446e7e065373fb8192d5904783e8af025d7f18419a42a3bc36f15d403d
SHA512fddfbfa80f5eae07488956ca04b10336a07a141318deeb0e45ed64c7bb6e00f45b95a00be754733c6921421b18439d19fb846f842e3a3c175278d5a822a99c34
-
Filesize
115KB
MD570301272395644bcb8bc6c7dfd19aa2b
SHA118d7e57b6b73065f49eb70c7c1d12ffee90163a9
SHA256a54593fe5e79d4b88baf0aefa8a5b7057a11968467af6091dcd23b44205a5ad3
SHA51280855b89c02dbdd43ff998d171839d8ffa09680ac559a6e9acfaaf3c113159a52bf273b612448485857d967e8cc71cdfa6b5e3568a7cb7810e6fa84312ef452e
-
Filesize
153KB
MD556f0accce0a7479c302f995281ab58d9
SHA11276de3c3c31e0dacfb307f995141be32b6b3b1b
SHA256a7609552276e02a76960e3791128a2dcffe87dfb66fc8cd2ea9c97f7d812b5b3
SHA512f6444b3b01c0a8d6c2ba9e6419ecf75ca85e3d9ec5074b1ad5d86706552c43276a6d4e28b352e47ca84c59f7de1cefda617147c39b14e3d4895784495414d275
-
Filesize
4KB
MD56edd371bd7a23ec01c6a00d53f8723d1
SHA17b649ce267a19686d2d07a6c3ee2ca852a549ee6
SHA2560b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7
SHA51265ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8
-
Filesize
566KB
MD5369268d2c48a8b6633ba76ed8822dc42
SHA1d16c2f366a32035f3fdb13be1149f70d8270bbe8
SHA25663bc49afbbc6c76848cc09eeeb90ec6708e97b3e76f67bdb66f8474d5c92ddb1
SHA5128f5c1688f77ebca3d693cfbfc821f7e75a6a8120372bac2a705833f7056361bbe8cb849ed1f99df1ef7b494b8ff64de0f1f6a7cf71ab9f515e3adc9eccff05a5
-
Filesize
111KB
MD50d3ea61c4bda86a8490b85872d5bacdf
SHA113bcfdab05838f3a812206bc42faac577da0a580
SHA256e3fc4765080d423d7e91261b467f6762360d174bfaa8c41a257cb2e366a701a1
SHA512c78d3e8d6e726d14a904f53fdf36eddb64af7c966b2261ad3cfeaad35dba6a34fd17aca3b61364cd9b7ec03026e80dc9de7668a789041e4edc344f9f51633df8
-
Filesize
348KB
MD540cbe00f542e7c00d0cd2a33bd61876b
SHA14c8e7e3d257708a70d33edc145b585c6d7e1d79b
SHA256b20d66f78480b4517c45aeea83a7a826a89bb9425acd3ea9b6120f1ff5e3d06c
SHA5129f9c78cdb676ca2035946b81dc8c674080b8abff2e0da9ab5bc39172392e8d77264ee3fc1ff3989fb84acf10236050386997c6b501afb191e38cc8601ca151a3
-
Filesize
745KB
MD57ef6211ed02bf83c3252d500c6352a6d
SHA17a28f118f4360115b5b39e6100885b7f06d55618
SHA256c39f5862370d8df57dcdaa2938c27c2440d319ddf03e2aa33ecd06b51f799c60
SHA512cea823778247143a257f869d1fe8d6b828c3e9781758e6d3a30353694fb0fde1477bfc06f4fd8482f5391f9e39d8755fa6be769910a05bb311c5485c6a753415
-
Filesize
4KB
MD5ee421bd295eb1a0d8c54f8586ccb18fa
SHA1bc06850f3112289fce374241f7e9aff0a70ecb2f
SHA25657e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563
SHA512dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897
-
Filesize
4KB
MD5f31b7f660ecbc5e170657187cedd7942
SHA142f5efe966968c2b1f92fadd7c85863956014fb4
SHA256684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6
SHA51262787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462
-
Filesize
1.8MB
MD5b366f9d2989fbfed138fd72f4a1972ff
SHA1b4a4dbf53968803bd7fdcbedbd627765d5670262
SHA25608bf3ed78db202aac2763ea2019db41b0eb716284748c04ba9f8549f97e8cdd1
SHA51265018d603c3579b2520df9ebcf159581b45c240ca25d298526a45468a88d042dcd4e999d0e59c8dda0e46cdbd3d8a5fe33b84f15d093d0e826cb2a2b0e03decf
-
Filesize
114KB
MD59c0d8be291c19b27f5d20055c57b47e6
SHA14d82d9786f7b5b69d1cf75b727c20ef77f0e98ed
SHA256c1b7efae1610154355dd1f0d51cc1bb246298efc9939ed207d45797b6595bb4f
SHA51203910b69484e1f1bcb0066873c9559ccc2fc9f4f48c11a70bedc05b7e44f88fb4586076a8dfa835fa0ebd1bed83511f679a3318347d6767cee3c6496d4bdd357
-
Filesize
721KB
MD5164aacef4a2d9be84b255deda7c15fb7
SHA1a45f6aea1bf7797e7ba76a727700a166e68ceb58
SHA256f7ef2400d182e1900905ecf94735e460a88dabc24227926576fbd877c68de59f
SHA512e4a29d39e292ed247180f9357855624274f7d7c6a8e2a43e3b2b7df28c76b9c6139567e9f1956f1529e5f308cca0ea310ca5c304b2cf90a073cfdeb501d6fe9f
-
Filesize
112KB
MD5dc373557f20ea655d8fa0de35c946c37
SHA18f4f91e7ce171b31e8f54183d442ee10bb8fb04e
SHA2563b74b9008ccfe0279a8aa342f24c0498041cba4632aed103972deb1782614632
SHA5129861758b0e787856501fd65705010db520c1c6765462ccb4e3b25ee14e14ba8f58351a87532c25cfa652672c927c8d3083e36883a3357a6228e4c41b2c34b4a7
-
Filesize
112B
MD5bae1095f340720d965898063fede1273
SHA1455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA5124e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024
-
Filesize
2.7MB
MD54def0ca4fc3e66d5867223abe4146157
SHA188bb503424c1cfcf5ce72d240dae4b3b5125a583
SHA256c4fb1b93a99b963f7d5df084df5f7f32bb0b2fcc00213c26c29205b73115a348
SHA51247553c57c8ff3837b0d1e61a228e8856463c8d58b40d53208f81d407dfb1ce7163ae4748d4ff3e469e50592d9cf54830cddd99b80a911a6f7583d8614ca2ffbb
-
Filesize
115KB
MD5890c1e9295e4489687e5da06a1c00d50
SHA178f22e551e4d34e36505bb66cf79dd89b2e7984b
SHA25633638644706aaa27de870c71e6a9cb999648c38572fcac468a788f6051c84076
SHA512de756c9957d0877a6169584755edbf6577f4e510acb53b305d7c4ed38b90079c85aaeb7da2ab8a70fe2f87ad2b3f618db9d3959d5ea3b8bc1d20a02fba9c68f8
-
Filesize
115KB
MD5fbeed85ba4d9fe3aecae688ff02a0367
SHA1ca4562fa6eb974c0362a677f31768dbf41072572
SHA2564b4f4ade103b2e89fd46e5953ba6ab2547720bdfb296a35dbd42328f5129cc8f
SHA512b690145218cbb367ebcf16d174561ba1aaefa69d725d4d9f7fffdd7a4b2f46d20e31ce6c30ff9b081eafffcd66f8bdb126dc335ee93f730d2b33087f5134d7d8
-
Filesize
111KB
MD591b08c31018a085fed4979adbd665ab9
SHA13f24e06308c28bc5ca1a91f5cf3fa587d35a0065
SHA256c03110c91544855b6ac9994dd4d93690195d2d2c106c9935d586f4fc4a67f6ab
SHA512e27e7bbb197ec9803960fa808ac03478a4388b53feefb515283b16b45061df06b5de24430e1233ab933a1cc6f4a63fedc686d139945959e90a1b517fd5d501ca
-
Filesize
116KB
MD517507416e0abcfa270bbc0545025b3b7
SHA11008a36123a77d08f053d2e1b4f0027b0fdee86b
SHA25661697eef0bae3a26424d98de4a50c7dd5fef5427264cfeb86a8c1447bbe3314e
SHA512fefc481305c8e05129c1014cba8c0e141c4beee46df70dddcfbd547c882302d147f785d3b28d184d4a4380d93ff202c771fa4cb19b6b45d5a5e8362cd4b7632f
-
Filesize
115KB
MD5db589d0cca72d464eb384fdb07a0f295
SHA16aa0c7fd25d8619b99d198fb6d5ab70cd1d9d059
SHA256cff8daccd2163fa6fb9492812cf265bead0422194fc8f4833752a5f6071397b2
SHA5125e2ee69ec0638000c9ebaa00e71d338a993b3698c7afc580ba57322fea80fd0dc2f50944755a4eeb5aa971e1be931ff8a975d73fd851b2e078e851fe5378af8a
-
Filesize
119KB
MD56ee7683fb27160ec69eb2fe85db4f9c2
SHA1d46172e943d60a402266e815b21788b871ac3005
SHA256461992507c093b7f2f27f1fa836b8150a077c17c90de3abf59c17200050f887a
SHA5121f6cf5822f85eea0e5d898950a4290e5801c57965bc197e29fe6cc1d49e59784b14f840ee1cdbd85b7303bc87a4e36589b686195cc595e16bbbd14bbfeef26b5
-
Filesize
115KB
MD538eb80e92e8f50b2003f3d934c22cde3
SHA16802800b28863efc41fd3bee86aab50819b1efcb
SHA256a4fd84dfb52b1f51f30cca070e81fd70835817e42be847a9c3cff095b539f7c4
SHA512e74519f1ce5cafa742df38964bf4f413a309aea0fba1c7e243fbcadf81a4d8cd250be14cef924462ab130468c13851f55bfd64fd1c8eda807793967f3cf7126c
-
Filesize
697KB
MD5f6a7c68d50d529f07af8e5d04e36b943
SHA1de1665ff8b5c8ccfffdd0e31987aaa4811d8fe26
SHA25631e5f1d0e21deb41e9f558d8fb03d9df197452360f94ac3759fabd7b3c24c008
SHA512ebd4d40edf183bb025e9f2990c6d5e76653cf684cc6130db5953a7dbeceab575b2f250f5b6942d5f861947f77f7324ef62b36bf33fc9a03f8ec1037f69bd9283
-
Filesize
556KB
MD5c1c57003ac1e8b845c94443374dc16fe
SHA1f10b00d339bdf49bd793a390c93de7c984b7d715
SHA2568df88b617dfaba6033f1181cdf6fa63f2bd77072717d5fa6b8c23cc0c882ea60
SHA5128535f7c7769ddf4cb81aef5981dbea3de0f90e5a263bb850f2a47c1fd2b358c706ac09d83ecc1c28a8a4f38d8a3b107b3e20cab5065fc136b54ea3c1551672cf
-
Filesize
673KB
MD5bb9a976ed5b1c52055e681ce70f275d5
SHA1071618c826cd9fd52a4b5b26b4a0d84aef9dbe25
SHA2564c2150c734e923131f1e6bd000c9c4cc9529fba467d40969529fe4513a73029e
SHA512cf26316e0e4b373390dc5225b3d9e0b08457b3a49a149049701c8bf4409325be43762a6e128985240c304d1a227a535ba723d2d4b280581ab955e57d9b6a5a17
-
Filesize
1.6MB
MD58e7d7b113e2a5d5886f09c6ef22bc906
SHA136b05ee329405aa4d9825f86fd345bf2c0b98702
SHA256594647cbed5ae405fcc56456c6cbe40df4c7147ca524a4b002d6c55f8c6e5447
SHA51203501e564f30300c669def101ab998dce09dc529be42a1f93a0e43cd9aba125c0b6bb46c3dfdd829e36f1d944d59e9bc701f4bfd856251daf3d5ebe6b87dfdb1
-
Filesize
3.0MB
MD5281e2fbbb997726c612a25d31507c7b9
SHA169469ba30e38206e8d26fc7f412368a92171a5e4
SHA256966beb8dc501008389a1f436e55b42ca0c2915d736215bb9d26f3f074e171aaf
SHA512927f8eabb24098bb65951d88232ef987832fc07c646f0cd8706ec6dc41d97baf3bad7c59599d0c73d8c391191e030a320a193ed627bb8d60d7616361b33ed7d2
-
Filesize
111KB
MD5020b7e28aaa5603f884499647d89b275
SHA187d2df60ca64507ea212a1a0728722dbb4170538
SHA2562241e36607243927742bffb7e6f75c9b48fbce0f637cc355989ec59c67e63779
SHA512a4d9e7fffc8769c00da78b01a7b488b325d2d01e7b82868a5af5e4d17a479d36c0284615b52686569a9f2851266bbd19cb6f5715172b2633bef8f1de9248f922
-
Filesize
5.8MB
MD5802c283b2782fa9ef940b8f2431e659e
SHA1440c4d9b34f58ea8b4fceac43de47cfff070eb50
SHA25629163912014d5ea41dbecc19971c2b3d8cfe34ef67c289d8a954aea51859cab3
SHA512a27c32086444485f0667b1d5a41e7634b13a30631cb95b3044a0fbfab19a3ed4ddeb9d8d28d673818c34557eb5d8c2e37919c08263d333992cf8721cd2b5e765
-
Filesize
5.8MB
MD5eb960e1c34c190832a725a4342ca6471
SHA15d49603da173bcb6daaca8fd81520b5bfaf59473
SHA2569d9b0c37c5a05cef99f947f811a4fc004099f3d7a8cd8be6adc0c0b801be75a3
SHA512b920d9ffd4d6d6778605d77f34f1d92296e50cc9d404ee46326d41dc9123c0719a448a4c8ee6f5638528793781885ea3ece8d385d84e36d4fcfe5826685bc869