kinsing | 91c0b5030b319793a7ec551dcdd9859ddb32e399b042db90ff11fc71d108a48e

Analysis

max time kernel
150s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
25-01-2024 17:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
Size

213KB
MD5

ce621c0a61fa467b80d3942f722fecab
SHA1

6ce0db0be9eae2b928220c7d54d6c4b1a998380c
SHA256

91c0b5030b319793a7ec551dcdd9859ddb32e399b042db90ff11fc71d108a48e
SHA512

c22f97d586164ed5e47cbdc6bacbbc74b80a0d3500194550ff8e56493c89ca0fd2782c030a508b9037de8d639c4420c67a2e6bd13cd4f35290cc21ed2b43d4d2
SSDEEP

6144:0/a2LZw/RPf6t8DFBoHx9kpqTEWp4hhF5jQ0ig1N7XG7B9OjZN:3xPfC8yg1N72FAjP

Score

10^/10

kinsing evasion loader persistence ransomware spyware stealer trojan

Malware Config

Signatures

Kinsing
Kinsing is a loader written in Golang.
loader kinsing

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found

Renames multiple (80) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	dIAoEIcE.exe

Executes dropped EXE 2 IoCs

pid	Process
2408	dIAoEIcE.exe
1636	MkAEMMUk.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dIAoEIcE.exe = "C:\\Users\\Admin\\GSAcYQEg\\dIAoEIcE.exe"	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MkAEMMUk.exe = "C:\\ProgramData\\YUEIYYoU\\MkAEMMUk.exe"	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MkAEMMUk.exe = "C:\\ProgramData\\YUEIYYoU\\MkAEMMUk.exe"	MkAEMMUk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dIAoEIcE.exe = "C:\\Users\\Admin\\GSAcYQEg\\dIAoEIcE.exe"	dIAoEIcE.exe

Checks whether UAC is enabled 1 TTPs 28 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\shell32.dll.exe	dIAoEIcE.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
4576	reg.exe
3028	reg.exe
3592	reg.exe
3492	reg.exe
1664	Process not Found
5088	Process not Found
2692	reg.exe
4196	reg.exe
3168	reg.exe
4968	reg.exe
4412	reg.exe
1720	reg.exe
4568	reg.exe
1840	reg.exe
2648	reg.exe
1140	reg.exe
3728	reg.exe
4564	reg.exe
1136	Process not Found
428	reg.exe
1720	reg.exe
3564	reg.exe
1252	reg.exe
220	reg.exe
2624	reg.exe
2728	reg.exe
1112	reg.exe
3124	reg.exe
5080	reg.exe
384	Process not Found
1572	reg.exe
1988	reg.exe
3936	reg.exe
4704	reg.exe
4384	reg.exe
4032	reg.exe
2044	reg.exe
4048	reg.exe
1136	reg.exe
964	reg.exe
4600	reg.exe
3128	reg.exe
4920	reg.exe
5080	reg.exe
4588	reg.exe
848	reg.exe
548	reg.exe
3956	reg.exe
2608	reg.exe
3456	reg.exe
2308	reg.exe
3188	reg.exe
4076	reg.exe
3456	reg.exe
2516	reg.exe
640	reg.exe
5092	reg.exe
3576	reg.exe
4576	reg.exe
548	reg.exe
1916	reg.exe
4828	reg.exe
1136	reg.exe
2720	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3988	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
3988	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
3988	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
3988	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
3640	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
3640	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
3640	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
3640	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
2172	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
2172	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
2172	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
2172	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
4076	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
4076	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
4076	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
4076	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
1088	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
1088	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
1088	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
1088	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
864	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
864	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
864	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
864	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
2528	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
2528	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
2528	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
2528	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
3016	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
3016	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
3016	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
3016	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
2208	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
2208	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
2208	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
2208	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
2324	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
2324	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
2324	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
2324	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
4516	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
4516	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
4516	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
4516	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
2368	reg.exe
2368	reg.exe
2368	reg.exe
2368	reg.exe
1888	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
1888	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
1888	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
1888	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
2516	Conhost.exe
2516	Conhost.exe
2516	Conhost.exe
2516	Conhost.exe
384	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
384	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
384	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
384	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
4536	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
4536	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
4536	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
4536	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2408	dIAoEIcE.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2408	dIAoEIcE.exe
2408	dIAoEIcE.exe
2408	dIAoEIcE.exe
2408	dIAoEIcE.exe
2408	dIAoEIcE.exe
2408	dIAoEIcE.exe
2408	dIAoEIcE.exe
2408	dIAoEIcE.exe
2408	dIAoEIcE.exe
2408	dIAoEIcE.exe
2408	dIAoEIcE.exe
2408	dIAoEIcE.exe
2408	dIAoEIcE.exe
2408	dIAoEIcE.exe
2408	dIAoEIcE.exe
2408	dIAoEIcE.exe
2408	dIAoEIcE.exe
2408	dIAoEIcE.exe
2408	dIAoEIcE.exe
2408	dIAoEIcE.exe
2408	dIAoEIcE.exe
2408	dIAoEIcE.exe
2408	dIAoEIcE.exe
2408	dIAoEIcE.exe
2408	dIAoEIcE.exe
2408	dIAoEIcE.exe
2408	dIAoEIcE.exe
2408	dIAoEIcE.exe
2408	dIAoEIcE.exe
2408	dIAoEIcE.exe
2408	dIAoEIcE.exe
2408	dIAoEIcE.exe
2408	dIAoEIcE.exe
2408	dIAoEIcE.exe
2408	dIAoEIcE.exe
2408	dIAoEIcE.exe
2408	dIAoEIcE.exe
2408	dIAoEIcE.exe
2408	dIAoEIcE.exe
2408	dIAoEIcE.exe
2408	dIAoEIcE.exe
2408	dIAoEIcE.exe
2408	dIAoEIcE.exe
2408	dIAoEIcE.exe
2408	dIAoEIcE.exe
2408	dIAoEIcE.exe
2408	dIAoEIcE.exe
2408	dIAoEIcE.exe
2408	dIAoEIcE.exe
2408	dIAoEIcE.exe
2408	dIAoEIcE.exe
2408	dIAoEIcE.exe
2408	dIAoEIcE.exe
2408	dIAoEIcE.exe
2408	dIAoEIcE.exe
2408	dIAoEIcE.exe
2408	dIAoEIcE.exe
2408	dIAoEIcE.exe
2408	dIAoEIcE.exe
2408	dIAoEIcE.exe
2408	dIAoEIcE.exe
2408	dIAoEIcE.exe
2408	dIAoEIcE.exe
2408	dIAoEIcE.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3988 wrote to memory of 2408	3988	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe	86
PID 3988 wrote to memory of 2408	3988	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe	86
PID 3988 wrote to memory of 2408	3988	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe	86
PID 3988 wrote to memory of 1636	3988	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe	87
PID 3988 wrote to memory of 1636	3988	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe	87
PID 3988 wrote to memory of 1636	3988	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe	87
PID 3988 wrote to memory of 4844	3988	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe	89
PID 3988 wrote to memory of 4844	3988	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe	89
PID 3988 wrote to memory of 4844	3988	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe	89
PID 3988 wrote to memory of 5072	3988	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe	91
PID 3988 wrote to memory of 5072	3988	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe	91
PID 3988 wrote to memory of 5072	3988	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe	91
PID 3988 wrote to memory of 964	3988	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe	98
PID 3988 wrote to memory of 964	3988	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe	98
PID 3988 wrote to memory of 964	3988	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe	98
PID 3988 wrote to memory of 4612	3988	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe	93
PID 3988 wrote to memory of 4612	3988	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe	93
PID 3988 wrote to memory of 4612	3988	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe	93
PID 3988 wrote to memory of 2192	3988	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe	92
PID 3988 wrote to memory of 2192	3988	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe	92
PID 3988 wrote to memory of 2192	3988	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe	92
PID 4844 wrote to memory of 3640	4844	cmd.exe	99
PID 4844 wrote to memory of 3640	4844	cmd.exe	99
PID 4844 wrote to memory of 3640	4844	cmd.exe	99
PID 2192 wrote to memory of 4700	2192	cmd.exe	100
PID 2192 wrote to memory of 4700	2192	cmd.exe	100
PID 2192 wrote to memory of 4700	2192	cmd.exe	100
PID 3640 wrote to memory of 1924	3640	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe	102
PID 3640 wrote to memory of 1924	3640	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe	102
PID 3640 wrote to memory of 1924	3640	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe	102
PID 1924 wrote to memory of 2172	1924	cmd.exe	104
PID 1924 wrote to memory of 2172	1924	cmd.exe	104
PID 1924 wrote to memory of 2172	1924	cmd.exe	104
PID 3640 wrote to memory of 3400	3640	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe	105
PID 3640 wrote to memory of 3400	3640	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe	105
PID 3640 wrote to memory of 3400	3640	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe	105
PID 3640 wrote to memory of 1572	3640	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe	106
PID 3640 wrote to memory of 1572	3640	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe	106
PID 3640 wrote to memory of 1572	3640	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe	106
PID 3640 wrote to memory of 3204	3640	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe	107
PID 3640 wrote to memory of 3204	3640	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe	107
PID 3640 wrote to memory of 3204	3640	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe	107
PID 3640 wrote to memory of 3092	3640	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe	108
PID 3640 wrote to memory of 3092	3640	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe	108
PID 3640 wrote to memory of 3092	3640	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe	108
PID 3092 wrote to memory of 5016	3092	cmd.exe	113
PID 3092 wrote to memory of 5016	3092	cmd.exe	113
PID 3092 wrote to memory of 5016	3092	cmd.exe	113
PID 2172 wrote to memory of 3028	2172	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe	114
PID 2172 wrote to memory of 3028	2172	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe	114
PID 2172 wrote to memory of 3028	2172	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe	114
PID 3028 wrote to memory of 4076	3028	cmd.exe	116
PID 3028 wrote to memory of 4076	3028	cmd.exe	116
PID 3028 wrote to memory of 4076	3028	cmd.exe	116
PID 2172 wrote to memory of 2044	2172	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe	117
PID 2172 wrote to memory of 2044	2172	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe	117
PID 2172 wrote to memory of 2044	2172	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe	117
PID 2172 wrote to memory of 4472	2172	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe	123
PID 2172 wrote to memory of 4472	2172	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe	123
PID 2172 wrote to memory of 4472	2172	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe	123
PID 2172 wrote to memory of 1832	2172	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe	122
PID 2172 wrote to memory of 1832	2172	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe	122
PID 2172 wrote to memory of 1832	2172	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe	122
PID 2172 wrote to memory of 4620	2172	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe	118

System policy modification 1 TTPs 28 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3988
- C:\Users\Admin\GSAcYQEg\dIAoEIcE.exe
  "C:\Users\Admin\GSAcYQEg\dIAoEIcE.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:2408
- C:\ProgramData\YUEIYYoU\MkAEMMUk.exe
  "C:\ProgramData\YUEIYYoU\MkAEMMUk.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1636
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4844
- - C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
    C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3640
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1924
    - - C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2172
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3028
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        8⤵
        
        PID:4816
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        10⤵
        
        PID:812
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        12⤵
        
        PID:964
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        14⤵
        
        PID:1252
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        16⤵
        
        PID:3092
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        18⤵
        
        PID:3656
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        20⤵
        
        PID:1660
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        22⤵
        
        PID:4844
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        23⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        24⤵
        
        PID:3136
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        26⤵
        
        PID:116
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        27⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        28⤵
        
        PID:2608
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        30⤵
        
        PID:4456
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        32⤵
        
        PID:1296
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        33⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        34⤵
        
        PID:4832
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        35⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        36⤵
        
        PID:3096
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        37⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2516
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        37⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        38⤵
        
        PID:4384
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        39⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:2172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        40⤵
        
        PID:3120
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        41⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        42⤵
        
        PID:3552
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        43⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:1580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        44⤵
        
        PID:552
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        45⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        46⤵
        
        PID:1132
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        47⤵
        
        PID:3436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        48⤵
        
        PID:1896
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        49⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        50⤵
        
        PID:4484
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        51⤵
        
        PID:3416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        52⤵
        
        PID:4364
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        53⤵
        
        PID:372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        54⤵
        
        PID:1008
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        55⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        56⤵
        
        PID:4492
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        57⤵
        
        PID:3576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        58⤵
        
        PID:624
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        59⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        60⤵
        
        PID:2384
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        61⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        62⤵
        
        PID:1016
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        63⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        64⤵
        
        PID:4376
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        65⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        66⤵
        
        PID:3028
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        67⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        68⤵
        
        PID:1348
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        69⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        70⤵
        
        PID:4656
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        71⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        72⤵
        
        PID:2948
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        73⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        74⤵
        
        PID:428
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        75⤵
        
        PID:3184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        76⤵
        
        PID:1376
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        77⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        78⤵
        
        PID:4040
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        79⤵
        
        PID:1228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        80⤵
        
        PID:848
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        81⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        82⤵
        
        PID:1108
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        83⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        84⤵
        
        PID:2648
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        85⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        86⤵
        
        PID:3964
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        87⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        88⤵
        
        PID:1584
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        89⤵
        
        PID:4252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        90⤵
        
        PID:864
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        91⤵
        
        PID:3460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        92⤵
        
        PID:5088
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        93⤵
        
        PID:3488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        94⤵
        
        PID:4596
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        95⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        96⤵
        
        PID:4960
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        97⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        98⤵
        
        PID:1132
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        99⤵
        
        PID:3224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        100⤵
        
        PID:3492
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        101⤵
        
        PID:532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        102⤵
        
        PID:4992
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        103⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        104⤵
        
        PID:4836
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        105⤵
        
        PID:3296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        106⤵
        
        PID:1212
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        107⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        108⤵
        
        PID:1764
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        109⤵
        
        PID:3496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        110⤵
        
        PID:5008
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        111⤵
        
        PID:3672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        112⤵
        
        PID:4432
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        113⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        114⤵
        
        PID:4828
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        115⤵
        
        PID:364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        116⤵
        
        PID:4484
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        117⤵
        
        PID:3536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        118⤵
        
        PID:1372
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        119⤵
        
        PID:3732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        120⤵
        
        PID:3984
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        121⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        122⤵
        
        PID:4652
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        123⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        124⤵
        
        PID:3876
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        125⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        126⤵
        
        PID:2184
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        127⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        128⤵
        
        PID:3456
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        129⤵
        
        PID:3420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        130⤵
        
        PID:1180
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        131⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        132⤵
        
        PID:3028
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        133⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        134⤵
        
        PID:1524
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        135⤵
        
        PID:4248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        136⤵
        
        PID:264
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        137⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        138⤵
        
        PID:3564
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        139⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        140⤵
        
        PID:1512
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        141⤵
        
        PID:1108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        142⤵
        
        PID:4576
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        143⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        144⤵
        
        PID:5008
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        145⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        146⤵
        
        PID:4716
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        147⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        148⤵
        
        PID:1508
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        149⤵
        
        PID:3160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        150⤵
        
        PID:1584
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        151⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        152⤵
        
        PID:2608
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        153⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        154⤵
        
        PID:4404
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        155⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        156⤵
        
        PID:4864
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        157⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        158⤵
        
        PID:1228
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        159⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        160⤵
        
        PID:1916
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        161⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        162⤵
        
        PID:4564
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        163⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        164⤵
        
        PID:3996
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        165⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        166⤵
        
        PID:2308
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        167⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        168⤵
        
        PID:548
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        169⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        170⤵
        
        PID:1528
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        171⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        172⤵
        
        PID:1508
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        173⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        174⤵
        
        PID:2128
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        175⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        176⤵
        
        PID:3500
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        177⤵
        
        PID:3200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        178⤵
        
        PID:464
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        179⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        180⤵
        
        PID:2324
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        181⤵
        
        PID:816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        182⤵
        
        PID:3592
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        183⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        184⤵
        
        PID:1132
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        185⤵
        
        PID:3416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        186⤵
        
        PID:4064
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        187⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        188⤵
        
        PID:3104
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        189⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        190⤵
        
        PID:2716
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        191⤵
        
        PID:1212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        192⤵
        
        PID:4376
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        193⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        194⤵
        
        PID:3160
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        195⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        196⤵
        
        PID:4484
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        197⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        198⤵
        
        PID:1584
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        199⤵
        
        PID:3192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        200⤵
        
        PID:4624
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        201⤵
        
        PID:3488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        202⤵
        
        PID:1344
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        203⤵
        
        PID:1112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        204⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:3136
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        205⤵
        
        PID:3096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        206⤵
        
        PID:1108
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        207⤵
        
        PID:964
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        207⤵
        
        PID:376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        208⤵
        
        PID:4204
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        209⤵
        
        PID:1060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        210⤵
        
        PID:4828
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        211⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        212⤵
        
        PID:4196
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        213⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        214⤵
        
        PID:2648
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        215⤵
        
        PID:264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        216⤵
        
        PID:3104
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        217⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        218⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:3200
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        219⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        220⤵
        
        PID:2492
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        221⤵
        
        PID:1060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        222⤵
        
        PID:3160
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        223⤵
        
        PID:3228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        224⤵
        
        PID:2632
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        225⤵
        
        PID:3732
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        225⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        226⤵
        
        PID:4568
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        227⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        228⤵
        
        PID:400
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        229⤵
        
        PID:1332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        230⤵
        
        PID:2308
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        231⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        232⤵
        
        PID:2696
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        233⤵
        
        PID:3128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        234⤵
        
        PID:4700
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        235⤵
        
        PID:4216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        236⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:3980
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        237⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        238⤵
        
        PID:3956
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        239⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        240⤵
        
        PID:4660
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        241⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        242⤵
        
        PID:744
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        243⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CYsUoAAg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        242⤵
        
        PID:1060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        242⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        242⤵
        
        PID:3416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        242⤵
        Modifies registry key
        
        PID:1840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        240⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        240⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        240⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mCMUQcko.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        240⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        241⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dssYsMEc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        238⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        239⤵
        
        PID:3168
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        238⤵
        
        PID:4756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        238⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        238⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jiIMYQMM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        236⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        237⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        236⤵
        Modifies registry key
        
        PID:4600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        236⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        236⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        234⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nkQskUYA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        234⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        235⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        234⤵
        UAC bypass
        
        PID:392
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        235⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        234⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        232⤵
        Modifies registry key
        
        PID:848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TgQIAIso.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        232⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        233⤵
        
        PID:968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        232⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        232⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oGQUIswQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        230⤵
        
        PID:1388
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        231⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        230⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        230⤵
        Modifies registry key
        
        PID:1140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        230⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        228⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        228⤵
        
        PID:812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kEUsAsgQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        228⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        229⤵
        
        PID:3412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        228⤵
        Modifies registry key
        
        PID:4588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        226⤵
        UAC bypass
        Modifies registry key
        
        PID:640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        226⤵
        
        PID:4700
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        227⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        226⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4716
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        227⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ucQgcQAo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        226⤵
        
        PID:1228
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        227⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XmAIAQws.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        224⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        225⤵
        
        PID:4756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        224⤵
        UAC bypass
        Modifies registry key
        
        PID:2516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        224⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        224⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NkMYQEwc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        222⤵
        
        PID:2608
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        223⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        223⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        222⤵
        
        PID:3980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        222⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        222⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        222⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\juIgkUUc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        220⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        221⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        220⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        220⤵
        Modifies registry key
        
        PID:5080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        220⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        218⤵
        Modifies visibility of file extensions in Explorer
        
        PID:916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\beUUwwsE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        218⤵
        
        PID:4492
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        219⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        218⤵
        UAC bypass
        
        PID:1512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        218⤵
        
        PID:3552
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        217⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qIcsAQEc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        216⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        217⤵
        
        PID:812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        216⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        216⤵
        Modifies registry key
        
        PID:4576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        216⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        214⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        214⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        214⤵
        UAC bypass
        
        PID:2588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QysIgEQo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        214⤵
        
        PID:4180
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        215⤵
        
        PID:1088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GsAUQMgM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        212⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        213⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        212⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        212⤵
        
        PID:744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        212⤵
        
        PID:3980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XwIEAIEU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        210⤵
        
        PID:3152
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        211⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        210⤵
        UAC bypass
        
        PID:4740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        210⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        210⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        208⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hqsUockU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        208⤵
        
        PID:3732
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        209⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        208⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        208⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HAcscAow.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        206⤵
        
        PID:1088
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        207⤵
        
        PID:1388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        206⤵
        
        PID:3200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        206⤵
        
        PID:384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        206⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        204⤵
        UAC bypass
        
        PID:1580
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        205⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NoocUQkg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        204⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        205⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        204⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        204⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        202⤵
        
        PID:4204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OeogwckI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        202⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        203⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        202⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        202⤵
        
        PID:264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WCoAQUsk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        200⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        201⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        200⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        200⤵
        
        PID:964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        200⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        198⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        198⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        198⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uEwgwMYo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        198⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        199⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        196⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rkwIIcYo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        196⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        197⤵
        
        PID:1980
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        198⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        196⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        196⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        194⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        194⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        194⤵
        
        PID:3624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pIYsoAMo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        194⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        195⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        192⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        192⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        192⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rAYQccMk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        192⤵
        
        PID:812
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        193⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        190⤵
        
        PID:1392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        190⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        190⤵
        
        PID:816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TCQscgoA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        190⤵
        
        PID:4204
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        191⤵
        
        PID:4700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        188⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        188⤵
        Modifies visibility of file extensions in Explorer
        
        PID:464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        188⤵
        UAC bypass
        
        PID:4596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SOYoYAck.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        188⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        189⤵
        
        PID:4976
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        190⤵
        
        PID:1596
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        190⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        186⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        186⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        186⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\keIgUsUI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        186⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        187⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        184⤵
        Modifies registry key
        
        PID:3492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        184⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nwsQwUsI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        184⤵
        
        PID:3192
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        185⤵
        
        PID:3248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        184⤵
        UAC bypass
        
        PID:1868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        182⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        182⤵
        Modifies registry key
        
        PID:3456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        182⤵
        UAC bypass
        
        PID:2728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bAcMIkQE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        182⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        183⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PSgMwMMo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        180⤵
        
        PID:3716
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        181⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        180⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        180⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        180⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bQMYoooU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        178⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        179⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        178⤵
        UAC bypass
        
        PID:1888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        178⤵
        Modifies registry key
        
        PID:4076
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        179⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        178⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        176⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        176⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        176⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UQIYMoEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        176⤵
        
        PID:3672
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        177⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gioooUkw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        174⤵
        
        PID:4700
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        175⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        174⤵
        UAC bypass
        
        PID:4952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        174⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        174⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ksQswEIg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        172⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        173⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        172⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        172⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        172⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IGkAAQEo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        170⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        171⤵
        
        PID:3184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        170⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        170⤵
        
        PID:3416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        170⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fSAoAIgc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        168⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        169⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        168⤵
        UAC bypass
        
        PID:4960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        168⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        168⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        166⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        166⤵
        UAC bypass
        Modifies registry key
        
        PID:220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        166⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZiYMUkAM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        166⤵
        
        PID:3128
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        167⤵
        
        PID:364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        164⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        164⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZgcwEAAE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        164⤵
        
        PID:3536
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        165⤵
        
        PID:972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        164⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        162⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VUoUYkoU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        162⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        163⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        162⤵
        UAC bypass
        
        PID:2564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        162⤵
        Modifies registry key
        
        PID:3576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        160⤵
        Modifies registry key
        
        PID:4384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        160⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        160⤵
        Modifies registry key
        
        PID:1252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YmccEUYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        160⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        161⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        158⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        158⤵
        
        PID:3200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        158⤵
        Modifies registry key
        
        PID:964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AmYkQYQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        158⤵
        
        PID:464
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        159⤵
        
        PID:4664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CmoIAAck.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        156⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        157⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        156⤵
        UAC bypass
        
        PID:4536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        156⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        156⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        154⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        154⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AQYsQcoc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        154⤵
        
        PID:868
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        155⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        154⤵
        UAC bypass
        
        PID:3168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nQAocUgY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        152⤵
        
        PID:1020
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        153⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        152⤵
        UAC bypass
        
        PID:4180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        152⤵
        Modifies registry key
        
        PID:4968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        152⤵
        
        PID:116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        150⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rOQIAwQY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        150⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        151⤵
        
        PID:772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        150⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        150⤵
        
        PID:4492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        148⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LcIskscQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        148⤵
        
        PID:3420
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        149⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        148⤵
        UAC bypass
        
        PID:4836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        148⤵
        
        PID:1088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        146⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        146⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        146⤵
        
        PID:4808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kaIQIsIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        146⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        147⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        144⤵
        Modifies visibility of file extensions in Explorer
        
        PID:624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mQgwIYcc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        144⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        145⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        144⤵
        UAC bypass
        Modifies registry key
        
        PID:3188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        144⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        142⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        142⤵
        Modifies registry key
        
        PID:3956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        142⤵
        UAC bypass
        
        PID:1764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AUAsQEoM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        142⤵
        
        PID:464
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        143⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        140⤵
        Modifies registry key
        
        PID:2648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        140⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TQQcMMwM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        140⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        141⤵
        
        PID:4664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        140⤵
        UAC bypass
        
        PID:816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        138⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BwIQMAcg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        138⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        139⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        138⤵
        UAC bypass
        
        PID:5092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        138⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PeEMEkMM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        136⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        137⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        136⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        136⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        136⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nwMEgMAk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        134⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        135⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        134⤵
        UAC bypass
        
        PID:3228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        134⤵
        Modifies registry key
        
        PID:1136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        134⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AeEoYMgE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        132⤵
        
        PID:640
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        133⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        132⤵
        UAC bypass
        
        PID:1868
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        133⤵
        UAC bypass
        
        PID:2724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        132⤵
        
        PID:3808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        132⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MUMEYgYc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        130⤵
        
        PID:3224
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        131⤵
        
        PID:3496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        
        PID:1388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KQQAMAkI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        128⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        129⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        
        PID:1392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kecMksMo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        126⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:3576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        UAC bypass
        Modifies registry key
        
        PID:4704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        
        PID:1016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HoMgAIcI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        124⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        UAC bypass
        
        PID:2176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DIcAYUEI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        122⤵
        
        PID:1112
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        
        PID:3160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        
        PID:116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vucsEYco.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        120⤵
        
        PID:3088
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dAgoUEow.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        118⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CoAAcIcQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        116⤵
        
        PID:548
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        UAC bypass
        
        PID:2152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YAEgAIUw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        114⤵
        
        PID:4700
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:1332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iOgAswgg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        112⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:3296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JIMIMMgA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        110⤵
        
        PID:4252
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        
        PID:3808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        
        PID:3456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        
        PID:3488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        UAC bypass
        
        PID:4384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DAYoccso.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        108⤵
        
        PID:464
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        
        PID:1392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        UAC bypass
        
        PID:4652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RqsUcQcI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        106⤵
        
        PID:1016
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        Modifies registry key
        
        PID:2308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        UAC bypass
        Modifies registry key
        
        PID:5080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XiwAUEsQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        104⤵
        
        PID:448
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        Modifies visibility of file extensions in Explorer
        
        PID:868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        Modifies registry key
        
        PID:1720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AeggsgEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        102⤵
        
        PID:3192
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:3536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mSQgAUwA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        100⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        
        PID:964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KuQwEQQo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        98⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        
        PID:1020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        UAC bypass
        
        PID:4624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ymskEQsk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        96⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        Modifies registry key
        
        PID:3592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TqAEYQgo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        94⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        95⤵
        
        PID:3536
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        96⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        97⤵
        
        PID:1840
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        98⤵
        
        PID:3460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        99⤵
        
        PID:2608
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        100⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        101⤵
        
        PID:2284
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        102⤵
        
        PID:4216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        103⤵
        
        PID:3524
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        104⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        105⤵
        
        PID:3808
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        106⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:4040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        107⤵
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        108⤵
        Modifies visibility of file extensions in Explorer
        
        PID:848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        109⤵
        
        PID:1888
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        110⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        111⤵
        
        PID:4660
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        112⤵
        
        PID:1104
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        112⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        113⤵
        
        PID:4456
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        114⤵
        
        PID:1000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        115⤵
        
        PID:3516
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        116⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        117⤵
        
        PID:4920
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        118⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        119⤵
        
        PID:1136
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        120⤵
        
        PID:400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        121⤵
        
        PID:264
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        122⤵
        
        PID:3168
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        122⤵
        
        PID:964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        123⤵
        
        PID:3200
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        124⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        125⤵
        
        PID:3904
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        126⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        127⤵
        
        PID:1868
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        128⤵
        
        PID:3296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        129⤵
        
        PID:2752
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        130⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
        131⤵
        
        PID:744
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock
        132⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:3456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        131⤵
        
        PID:892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hyMIQEIc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        131⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        132⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:5008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        131⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        131⤵
        
        PID:1112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        129⤵
        
        PID:4912
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        130⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        129⤵
        
        PID:400
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        130⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        129⤵
        
        PID:3496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VmUkIEkg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        129⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        130⤵
        
        PID:3808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DesIkMgY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        127⤵
        
        PID:1624
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        128⤵
        
        PID:4324
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        128⤵
        Modifies visibility of file extensions in Explorer
        Checks whether UAC is enabled
        System policy modification
        
        PID:3488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        127⤵
        Modifies registry key
        
        PID:548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        127⤵
        
        PID:3284
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        128⤵
        
        PID:4196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        127⤵
        
        PID:3564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WEoksMcw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        125⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        126⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        125⤵
        
        PID:448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        125⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        125⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        123⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        123⤵
        
        PID:892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        123⤵
        Modifies registry key
        
        PID:4564
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        124⤵
        
        PID:3420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wiwkocIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        123⤵
        
        PID:4544
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        124⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        124⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YesgYAMc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        121⤵
        
        PID:972
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        122⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        121⤵
        
        PID:4536
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        122⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        121⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        121⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gekwMIIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        119⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        120⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        119⤵
        
        PID:3488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        119⤵
        
        PID:5092
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        120⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        119⤵
        
        PID:4324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lYEkkkUs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        117⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        118⤵
        
        PID:4492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        117⤵
        UAC bypass
        
        PID:3728
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        118⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        117⤵
        Modifies registry key
        
        PID:4032
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        118⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        117⤵
        
        PID:3128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        115⤵
        Modifies registry key
        
        PID:2624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        115⤵
        
        PID:5040
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        116⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        115⤵
        Modifies registry key
        
        PID:3456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NWQMMoIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        115⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:3184
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        116⤵
        
        PID:4216
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        116⤵
        
        PID:1108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        113⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        113⤵
        
        PID:4652
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        114⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        113⤵
        UAC bypass
        Modifies registry key
        
        PID:2608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VoogoQcQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        113⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        114⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nyEswYgU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        111⤵
        
        PID:772
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        112⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        111⤵
        UAC bypass
        
        PID:3684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        111⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        111⤵
        
        PID:3488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        109⤵
        
        PID:3904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        109⤵
        
        PID:3088
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        110⤵
        
        PID:3460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        109⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ayooMkYo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        109⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        110⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iYMgoQMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        107⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        108⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        107⤵
        
        PID:448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        107⤵
        
        PID:3552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        107⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        105⤵
        
        PID:812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GWggcgIE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        105⤵
        
        PID:1392
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        106⤵
        
        PID:3168
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        105⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        105⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        103⤵
        Modifies registry key
        
        PID:3728
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        104⤵
        UAC bypass
        
        PID:4248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        103⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        103⤵
        
        PID:3420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hKEAkEgo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        103⤵
        
        PID:744
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        104⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xGAwEscY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        101⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        102⤵
        
        PID:3712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        101⤵
        
        PID:3184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        101⤵
        
        PID:3532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        101⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        99⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DWgcUUgY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        99⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        99⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        99⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dkUcQwAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        97⤵
        
        PID:3104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        97⤵
        
        PID:4248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        97⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        97⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mWoosEEo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        95⤵
        
        PID:4196
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        96⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        95⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        95⤵
        Modifies registry key
        
        PID:4568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        95⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HsAUgEMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        92⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        UAC bypass
        
        PID:4544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        
        PID:3624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        
        PID:372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        
        PID:448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        
        PID:3104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fqAsMYcg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        90⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        
        PID:3088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        Modifies visibility of file extensions in Explorer
        
        PID:512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        
        PID:3416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EMUYUQwo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        88⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qaAQIIUg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        86⤵
        
        PID:3168
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        Modifies registry key
        
        PID:2720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        
        PID:576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        
        PID:972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YkcoYIkU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        84⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        
        PID:744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PcUYccks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        82⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:1344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        Modifies registry key
        
        PID:3124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        UAC bypass
        
        PID:4636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RGgwcAEM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        80⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        Modifies registry key
        
        PID:1136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vgMIwkYc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        78⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:3120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NioMwoAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        76⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        
        PID:3656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        
        PID:336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        UAC bypass
        
        PID:1112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Sgwwcogg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        74⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:1212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        
        PID:3168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mKkAcEIU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        72⤵
        
        PID:868
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        
        PID:3160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aiowwQws.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        70⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:3128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        Modifies registry key
        
        PID:3564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BSoMYMYg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        68⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        Modifies registry key
        
        PID:1720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        UAC bypass
        
        PID:4024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fasEgMAI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        66⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vWgssoAw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        64⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        Modifies registry key
        
        PID:548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        
        PID:964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        
        PID:3460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        Modifies registry key
        
        PID:3936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\koggAUQA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        62⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        UAC bypass
        
        PID:4756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OCAogQIg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        60⤵
        
        PID:116
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GsgQgckg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        58⤵
        
        PID:1112
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        
        PID:4036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        Modifies registry key
        
        PID:4412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oiMcccIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        56⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IyEYsMQo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        54⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:3488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        Modifies registry key
        
        PID:4828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HocMMgUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        52⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        
        PID:3564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jsowkAMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        50⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4048
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:1108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VaQQIwYM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        48⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        UAC bypass
        
        PID:1388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        Modifies registry key
        
        PID:3028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        Modifies visibility of file extensions in Explorer
        
        PID:548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aGkcwEAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        46⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        
        PID:3152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        
        PID:364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        Modifies registry key
        
        PID:1988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        
        PID:4432
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        45⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eEckcgUo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        44⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        Modifies registry key
        
        PID:4048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\okAYcAUQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        42⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        UAC bypass
        
        PID:2368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:3128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        
        PID:3680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hmgkoUoM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        40⤵
        
        PID:4844
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pcUsQIUo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        38⤵
        
        PID:532
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:3160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\feQosckE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        36⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        Modifies registry key
        
        PID:4196
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        37⤵
        
        PID:1112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DCsgAsIE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        34⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AasUscks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        32⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        
        PID:1332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ugYcUgUc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        30⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:3436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies registry key
        
        PID:1916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        Modifies registry key
        
        PID:1112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wUEkYUoY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        28⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:1356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies registry key
        
        PID:2728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wGgQYcco.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        26⤵
        
        PID:624
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        UAC bypass
        Modifies registry key
        
        PID:5092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:3104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\McwAAQww.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        24⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:3196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        UAC bypass
        Modifies registry key
        
        PID:4576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        
        PID:3120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zAkkUAMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        22⤵
        
        PID:1296
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies registry key
        
        PID:428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:3684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        
        PID:4196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PgMcwAAY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        20⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        UAC bypass
        
        PID:4604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zMAkQMEU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        18⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        
        PID:3296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vEgAsIkE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        16⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:3152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        
        PID:3576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OGgUEMUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        14⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        
        PID:1356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CYkMgUIE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        12⤵
        
        PID:3544
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        Modifies registry key
        
        PID:2692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sQswIUUc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        10⤵
        
        PID:428
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:1332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        
        PID:652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EWsMEEkc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        8⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:1552
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies registry key
        
        PID:2044
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pgIAwYME.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
        6⤵
        
        PID:4620
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:3132
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        
        PID:1832
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:4472
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:3400
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Modifies registry key
      PID:1572
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      PID:3204
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jYoQMocQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3092
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:5016
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:5072
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PiQcocUg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2192
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:4700
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:4612
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:964

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3096

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4288

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3208

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kAUAAsso.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock.exe""
1⤵
PID:1468

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- UAC bypass
PID:4900

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:3520

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock"
1⤵
PID:4976

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\User Account Pictures\user-192.png.exe

Filesize
192KB

MD5
cbfca4f103a96f261ffa30692f6af656

SHA1
87113d8701e046862d666366773acd5fc8e39cc5

SHA256
a15df3e08fb239b0ccd92acd59f502492759a8a6ed603ce9ada239466c8b92d0

SHA512
57b47c26d746d65c4d7f357773647cc21d381557400b3f43e421a3dad184702fca03bcfbaeeaed1a9fac41cbbc0c5ce0610f45952fe0268e414bdb8e4fc871c8

Download Submit
C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\vcredist_x64.exe

Filesize
650KB

MD5
f4e10578008ff5e0413d67a85ecbb15a

SHA1
26bf1ea4e935cefbaaf5b5325ca9a0e4592716fb

SHA256
032536f14f69b1cf4f9df767c928e518a92c23aefbd30fd67f7027971ea1fef4

SHA512
d9c6ecc9fabdf8970a5eb994e0465952b4bc4527f66e734422a65948e441d62d21da8592f37bcc7a3f522f534b6246adae4ef3db35195f1bb307581f63cd2c7f

Download Submit
C:\ProgramData\YUEIYYoU\MkAEMMUk.exe

Filesize
195KB

MD5
b006bc053155ac8ed460b74111a19f50

SHA1
58e05ae080037ca405e51bf714d2cabd84a5aee9

SHA256
5b6f05f013c12b2ba66426270addcdbaae41d08f1d82974737457a7e97586597

SHA512
24c0ff0acd14997fcf907054917c14e6464cf4619a1e3597c8147740d67fab1090b961201d9b8744d56caf94dbca35db5f2338f4f0f26ca8ddaac139cf7e901b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\256.png.exe

Filesize
228KB

MD5
caaa614e3b66b2d6f7ac76dc7e81411f

SHA1
6d9d16e152834d159613b7141937232cc74153b6

SHA256
169cf7f2cc949ec4c5742c8f0d9b55458a0ba146cc0093094733c1d7f820c2e7

SHA512
22ebcbae8fe6194f6188157889109ccc2e55f8e286ac89e930f9d93df04c31ceebaa5ba532274c2cd4d42e3def197af5ec4e355a4d2b540ba5e47dc2c9e41377

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\192.png.exe

Filesize
185KB

MD5
1039bd96d403e27529b507e6dfebd7b2

SHA1
34c74c1a72dc6f31cc33fb9acab25432b87c3b8b

SHA256
c8ce30277527a1235b63fa011d1cfc2bbb657124dd8578d1a0c36b6650a2150e

SHA512
22828071b5afa2c5afe184d69f2afd17836bc9bcfeff119ae3252cd97ded09d09b0a85de98ffe2e5e9323ee0e4af3147f1609ffd166afcb989c128b1de265d0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ScreenshotOptIn.gif.exe

Filesize
434KB

MD5
071583b30a0db6636b63d108c330b7b7

SHA1
705f28c39919093d20ebf391a55c634bab2e3bbc

SHA256
88c5cdf571feee419c2cde886c2b08d984bf7966b2bdafe58667841986cfada0

SHA512
79301210c7faf4df5458fd3b3d6cf18ec742cde0cda13cb716b227cd35854b2f231918e75be34c99891d86446607d1d60474facdb945090011cf94efda162236

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\INetCache\K4803NMA\th[1].jpg.exe

Filesize
425KB

MD5
8eabcb02ded65086833c78b7b2d02898

SHA1
0eaceec4855bb8a8f4c039c1f1747e3096b1a1bf

SHA256
8e4b50ea7fc7696dd831c492a8be9d084e6b9abc6d7a85edcb0e19c61c68855b

SHA512
bf0b9f31887ece68f1f92bdd57f46734ce4dab81a4a782c4b0525ec75549e8d474669006e445af7696ef168ce82823ae79301471111e7cd7ef911a18a021f1d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-01-25_ce621c0a61fa467b80d3942f722fecab_virlock

Filesize
10KB

MD5
e0a80154e2c7c04bdff156ce10733245

SHA1
1c79f105e609481391cd58ee99339abd10dc8926

SHA256
19a3fe8192c7b0b9062dbd36d0223aa2d4ed15e571e2a16ff5090297b268cc21

SHA512
1fe4c9c18322fe7fa2bae34cee82dde8aa1d99bd798fca8486a2a5c857e6c93f645dc0780478a827574cd46492dc61a1b9044cbf8f101305552107f5f4c07e10

Download Submit
C:\Users\Admin\AppData\Local\Temp\AEUc.exe

Filesize
192KB

MD5
26ab53427872872a62af282536ac4207

SHA1
4012cd37219a9343dde2c29b59ca46721209ce8f

SHA256
c370993a08bfcbd87ab753c913df53c930199b428d5f13e2001131c7179314d1

SHA512
3adfcf9a11d266dbf0d6be7cb42c9e6f451fd2ee2af6ba80574d1c4dcdab126053bc3e0b6fd31509b5d22e850d3ff1e76504cb6cb39f33e29de839cbe4bb2ddb

Download Submit
C:\Users\Admin\AppData\Local\Temp\AMIY.exe

Filesize
193KB

MD5
84c5fb7461b56866def988703acbfbe8

SHA1
a9fd3ffadfcfc60d1ea16e742eff393cd895c776

SHA256
e2af7ad9b984e348d99990ac10921e2c94cd7774f0950a1f02b9acae45de046d

SHA512
d41af9d94957f88ab68f15f82b3cbbbeb88af903e759111c83190514d8befa00995bea19dcd8ccf80d8ad43711a364c328bab10d0ba3cd949284471844c97768

Download Submit
C:\Users\Admin\AppData\Local\Temp\AMQo.exe

Filesize
229KB

MD5
f45f739e6af88bc2a6785a9ea2ee31e0

SHA1
fdfe15c36cbcb7b3a40f427575d8791c5ee45d9b

SHA256
3633fc99053b8745669fabf4282d517a283b9c1b38ee1bf24ba05d14efd0c022

SHA512
9870a7809c9dd4f509f9db98d1fedc464f50affd8d1403907836411fc50d2d3af7ab65aecff01c4226a3c6cee75eef97b1a6aea8afff2283e12f01e1010ac517

Download Submit
C:\Users\Admin\AppData\Local\Temp\AYAK.exe

Filesize
195KB

MD5
06355739b62fe00ced6929490fbf5c6c

SHA1
617ff32c6edfb8248c81105e04972f1aaa29a491

SHA256
f015c9b76dffc6aa023efa6bdac91a954da9f60c69edcc3f0b272d09a707ca03

SHA512
09f57c69ae682d29e1675fc9530db918f651498c6680e0258bf71f236171d5d61eae532ed2f7301a135b974de1f327a9657412b13985f89b0f643ee0261ee774

Download Submit
C:\Users\Admin\AppData\Local\Temp\Awcs.exe

Filesize
318KB

MD5
f88d1801ceee7f822f9467c4f8acbbc8

SHA1
5c6def0bd2b45b67b6ce8f8c989a6af08af62850

SHA256
88971970355db08a9cde9712b57061e96c809c04ce41b2114e987972d06ba8eb

SHA512
aa1022d25f4829b3eff7433ab7a8301de3c5f3f3fb6e872c1d096047b5654ec93c38746836f775df16d1803ccb6ff9a2ba10f3b7c83595ef31a4065e011e081b

Download Submit
C:\Users\Admin\AppData\Local\Temp\CAIo.exe

Filesize
206KB

MD5
e63419feb4275d596e625aa1d7550080

SHA1
198350469beacbaa0d4f04ab40f31834354f4201

SHA256
e78712bbda19b0663e9d3e9ad870c35b8538885f1bbd553cbc20f93996befb8f

SHA512
a057e3eec8b335e6069b1dc30fe73c8f413e71e96c1bd3d94819b996ad7971a841f5e7d99017d07f08ac6a0696e6c322eb8cc5edff4964f1310d6a7d93d7e123

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ckgq.exe

Filesize
186KB

MD5
63b049534fb730e772f8b127c569e7b1

SHA1
fe2ab0822b270630a85f2240486e02d39e3839dd

SHA256
60678f90fbe348b0442dd258fad801814b87e093100ba3d41a9eeb001ebc7436

SHA512
2d226c37ede7d21d5c2524a333013b36f0b0b1a22bd3277e2b221ed81ed777201c9c3ff1c1b20955a6e9a2a42a7590136293af93456c123c2eb0f4f3d8995c55

Download Submit
C:\Users\Admin\AppData\Local\Temp\CoQK.exe

Filesize
230KB

MD5
c8eac2f7ff28fef90e4c91b42622fe58

SHA1
636d8c85e2fbc573a9b41f9b80072ab370eb16a4

SHA256
d32a80cf5996fefd8d4414d2eb77be8295d2118bb01f623025f2bbd20ba5fbb1

SHA512
a0ee00b075f29bca83d67f1ac419b2b29a27dd2b63b1ce1d77fae7703838569b26e515381ee00ddb2b9aeff7a2249f0d4d21a6104e994605bbb89a7d687032e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\EAYI.exe

Filesize
183KB

MD5
d8c7c5d38cdcdfeb1383b3ce11096a21

SHA1
e7d8384d14fd58a498d2370de7500669c5a9b0bd

SHA256
184c0cc9c4fcba453a778b025de31395a7a3c4ff1286bcb094dfcff90d471784

SHA512
19db7b4b064a1ec782c9607c8e33673815aaf51416794b20d7370e5587e5e7d9e6b489c23711b33183cfa4e059000d059046142e223f90f3913171b98fc54ee5

Download Submit
C:\Users\Admin\AppData\Local\Temp\EoYc.exe

Filesize
194KB

MD5
1c67794c925fb5b5fc6343627544dbd2

SHA1
ffc9ae0fc5781dca5d4d9fe7dabaf116bdb53bd3

SHA256
f0e8b7605bfb23e5e495c5760d4ee3baaae428ae4ee121327b960470a0350268

SHA512
716b26248b3840c37f083c345d58e44a7eaa08645dd07391a1d888f8f17cb33b94b4bf456e9e775321375a77ed6365e6768316724027125b1559aca7e9954415

Download Submit
C:\Users\Admin\AppData\Local\Temp\GAIW.exe

Filesize
192KB

MD5
f0e0ecc1e817d25f313fca9e60b304cf

SHA1
8c1f32a5167f98f9271d7b218daecbcac90333ab

SHA256
2f12459bec87eed0541f7ce46d869f0f7d2eb64a0d521c62b13c047f0435849b

SHA512
5dae13f26435798d82a1fed055c2c900a3bbf5b6209f7ce17336d3696050f715c90e6adebb1fa6a18f5f2be748299471d71b7e19ada105736175a38b12d01b18

Download Submit
C:\Users\Admin\AppData\Local\Temp\GEsc.exe

Filesize
203KB

MD5
e6e784a44bb01bdc8e4391fc02c43c76

SHA1
3856b5682147cca7cd2d865eb3e3e50aad17a58a

SHA256
659e8f6d05e3e3490fb911ec73bb0b82f20434c96e948a4ca555261e05a90a49

SHA512
a6ad393b9a96c2071a963d228bfbf1f523ea2792727fa795a1a2159a96333b5bc02b79598a4ce5de6b229ec4548d4248de006c32100c4c7476d9a8f0fa8ab1f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\GMok.exe

Filesize
192KB

MD5
6f72a5ad74790827b3450a2d7d5e0c48

SHA1
0abee5045c02db68154028b84708803c01732e7c

SHA256
462387a54a0b0652295dab3b735528a52ee651ec093be571e9315e729bd77f4e

SHA512
5db5f0b5ee72de4cb11b7a585dabfb5193bf8694f6cf6d731b99ee4fbc1b7b32152a138d12e43aff771a5193687ec7417a7664e10a0f5d7cad73a5b1d83b269f

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUYa.exe

Filesize
190KB

MD5
916af75119afe5d131a868e92ca22b5e

SHA1
e3c61e3aa4b4002a43ebd4371cb52010f5d440bb

SHA256
94c8dd9ea9235555c4dabbd76e59c5ce7a34753848a6df7414c4725cda653033

SHA512
a5fa3c538d30a8a04f82c338000c68ecf56845d4153df0c38177801f744dac46990b9a72324f8a0655e2db298fc6eb34bc8447b7fa17e8b468d42b10e61fd3f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IEQA.exe

Filesize
313KB

MD5
f5583fe32224b4c7d8452eec7a4f2ed7

SHA1
d8caf356bbc436015af38f1bde80db89d9e28cb0

SHA256
624c832aebfdb98ce9501a8832e19a8459826ea17ad2bc591b038e52cd8b9a17

SHA512
18a627d54de906daca7575a9336bf0ccfe1c33bafa0364f5c74a85c745a7f10b04e86565752a4c2936ee384403cc28a6fa6029f3593c04d071fbd4197dd87a36

Download Submit
C:\Users\Admin\AppData\Local\Temp\IEQY.exe

Filesize
184KB

MD5
41d0b1a0d6fdf765edb181383d18526b

SHA1
776b0407ba558949b5f10d0e65ed1475a17151d1

SHA256
9d6f7626ccbf10c45fedccc2c4db121b910b38cfc3d2331e8a5ed32627e6ec3b

SHA512
060b211fdad93b3e3b35e7e1f10e2cf9fa5516813252da1bdcbb21a47ffd100364b59437f2b8353b11535e937722e5ae5199727cb05489c6734b8e09837b626b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IEUu.exe

Filesize
191KB

MD5
575e9ab711d559d45dc7c415d68472ac

SHA1
339104855f4aea7353791ee342a1981a245fe247

SHA256
ac12b5a94398c7d94d6ab6f9b2da7399fb3b3b4c20b7a8f419285e3532729ad5

SHA512
0f731e78c8e8bbe4ed9655e6be1ee56beaf95841cd1bc66a1c6bdcb517763e292dbef389fd027657d4ec3ff2aa1a66e95b30ee9de43ec6630eafe78831a32250

Download Submit
C:\Users\Admin\AppData\Local\Temp\IIMq.exe

Filesize
192KB

MD5
e573d40af01179edd41d84a4119412db

SHA1
ba221f688303f6e221d2e3324db12d471b544a4e

SHA256
29229273d8081a032d2e960dc848caf99423d4814af2c256bec656e2e1e0b1b0

SHA512
cafca3c7843c875b4aefeb575a6f5e5814de5cdb770c92c948d36b6942564b238a32d7f95b07447f0a63d0bb700c8647cf110f2eb0b624a56e4713700adee854

Download Submit
C:\Users\Admin\AppData\Local\Temp\IocA.ico

Filesize
4KB

MD5
6edd371bd7a23ec01c6a00d53f8723d1

SHA1
7b649ce267a19686d2d07a6c3ee2ca852a549ee6

SHA256
0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7

SHA512
65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\KAYc.exe

Filesize
184KB

MD5
7e662eac832a6c1fdb056a98c00c7eb5

SHA1
bce91c0af16c8bbdb3e24d6aeeeb27af880de212

SHA256
415eedb0c58863cf6f7ce39ee565d39b5d1472e3f72665c8a7599f38adb4087e

SHA512
b9a5efd706c0f6a058328017bf9932bc619064ac2c1e2f373fa04a2f09e8d3c2046a4ceca14fe50d04b838a61d9cb9920aba4b173b6e0770d4388555c9fef63f

Download Submit
C:\Users\Admin\AppData\Local\Temp\KgYq.ico

Filesize
4KB

MD5
ace522945d3d0ff3b6d96abef56e1427

SHA1
d71140c9657fd1b0d6e4ab8484b6cfe544616201

SHA256
daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd

SHA512
8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MAYk.exe

Filesize
208KB

MD5
aac92578f033317bf7706a165e4fe557

SHA1
260b787688afd260987596caef0ca0c34b53c8f7

SHA256
31b18065f9ba4da5810b0d208bc2eb4db4171877ae7b62d325e8aa7789f2a73e

SHA512
38f1c276747739c0ebcc4e55aa71897a21ad3dc57be8555f088646854c59e8ac68e238c5724bbf10fa7f5cdb4a4da23f67777142999c171fa2c50f11948055d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\McAM.exe

Filesize
192KB

MD5
a05d5bf3f0cc55733354a0cf9d40fbbb

SHA1
a0f61464ffdd3baec54981db200178313798c37e

SHA256
7e080e84d725528e70c2cdd563143b77bc96267cc491816e9e389decb9dd8764

SHA512
692be9bda1dc490d7597e73e56c5a25252697d2c248a331c496886cce03cbdfaaab943dc022bfb1c118ecb51bde6e346e2645537d197c36894dfa9e309d75bd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MwES.exe

Filesize
775KB

MD5
1b247392bc01dfe69a6ae0c9c7017138

SHA1
dbab8f05bcfdd1b7acb2f38ffebc04ccaedade7e

SHA256
dde42abe235992133f6dfc03bb3704414c11ffdf497fff12458b2ebff1c3845b

SHA512
72759775603b8dd5ea41f836c47c36f95f8ea641538e46fa61a8ac655c845f56d2ce6c38f9b99a164aa76ad293fdc21acbcf69a0b82e7eb179e59737de2e1d13

Download Submit
C:\Users\Admin\AppData\Local\Temp\OIYw.exe

Filesize
209KB

MD5
b845cbf812c4df401327a3849c01c6b3

SHA1
cee0a80988f45cf77510ccdcc3782ce4d22a01ef

SHA256
47ff670d2990bb20a99c30169c94e7915f6dd058bb50e219e29cde5fab7f9d4b

SHA512
59380fb465514730c5305136c86e0a1744a3ef21644d70e913cd012610ea49590361dbe9623747f1cdb0337ae829cbd19b638b69e2187d066cc3d14a46438117

Download Submit
C:\Users\Admin\AppData\Local\Temp\PiQcocUg.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\QEou.exe

Filesize
553KB

MD5
58023fd41b5e9eb552793d7a0e81e174

SHA1
c566541c7f45767ec6cd54d04d0ee6f536f82758

SHA256
0839caa541ab1e8bc05c94513cdc3b8292030c022cb420c718cfd4ab39b6df85

SHA512
72d5df06d0bcb42a43d8db00f28e63d20d1ea2a79910fe84ee3f0d84628df9efd7ecfc7a26b082bb0a3b73ef6842bc01fde2177669e2088cf589c8854f41fcb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\QUYM.exe

Filesize
182KB

MD5
98bb5ecb284e717cd3c5d8949075972d

SHA1
b6776806e1817e3a40ccf057513c23edae23a4db

SHA256
bf9ce89178850ded6457c3c0cfe77c4e8415ae806aeb0b43bcc569eea76f94e7

SHA512
7d90ad68c5883aa5f47369bea60438b8dd9816a19f9d60fa5f9b47444ca886e3f65a93b06f68c70cf2a110dd7a389ffd074840532bf8a967153caf7040912d9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\SEYM.exe

Filesize
209KB

MD5
1782f5025006a829b1e8e32a7c970af9

SHA1
a913f02f1570e291b5e1561e3b1144e7335f1ac6

SHA256
0b7b9a22404cffcc2f38d31428c954d3fd852e1507831abce5fa4c3853ab0a9f

SHA512
a7b1ba82aede5a3b063b37dd9261253d2e25d648e98b7e3296a7ba10edf59861e11c53ebb9f77bb4164b8b83197855ecc25caed86be3f4ed216cec7a49cb9d68

Download Submit
C:\Users\Admin\AppData\Local\Temp\ScwA.exe

Filesize
205KB

MD5
98229b537cb739915192566245e9e656

SHA1
3f0b916432fb07abfd70a4013bcc22ee0992b826

SHA256
98381066c76b1b83f29992a2239a8562c1d5c9b1616eab3231ab7bef8e89565b

SHA512
c724dc89dfc02390cf32adf94d47ef754536825cb5a59b5bfe066de3f978a29e9223835ea2506a1986457d7a3994fb2b67bf6f2822a69bcb0cfe6e1d92fb11b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Skws.exe

Filesize
1.8MB

MD5
0d3cb57ddc9cd4b6be553ad773e9bd9c

SHA1
78345c54fc5744a4d774399126111a53a13d51a4

SHA256
89cc25246672afe958a47cfde89124c384263384bf3dc718ec8a012df6c1aad4

SHA512
291738f1fa00329af5d340ee0573280cf607cf0cff428c4021a563acc9d076eac57d963581de343f194e8ebbc683385d790cdc2fdbb5560eca4b1dbcc1e220c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Swoc.exe

Filesize
191KB

MD5
d382bd9efdab77d6fd959c7faea010e9

SHA1
7374bce9361ca6173ab840cfcf50a9d0e46bde1d

SHA256
c205444387caf081e0698ab876bdaf2035458f1338eb7f90226cdc591167d232

SHA512
4ab2d4b517c5f8f58aa70e270258c140c712c52b4e17309032f426c31458966ce2fdcd1f23849ad8b6d482308ea7bdf618175fb87917197b5cd945db1dcd75b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\UAMI.exe

Filesize
204KB

MD5
058247d0d5206029651e73def633472c

SHA1
5a0cb1dffd7b500740229fc58e93d680c2227b78

SHA256
8d68f097057020588d8e6de3e0bd87ea4cdab91ad76b70a05d90447779181021

SHA512
a279dca6c3d4e3692aab4e1c623261fb9b7ca9deace5a1c7757830da8c50ddbb116341ce894d6142032129ec9403e08c161f2974647b3ce214c1b166906e2610

Download Submit
C:\Users\Admin\AppData\Local\Temp\UAcQ.exe

Filesize
203KB

MD5
4935d210c02fddfd5ec6f2dddc816af0

SHA1
428e8c7dc8116c873643e711555b701c5608fa15

SHA256
17061a1d80a3c894547d9da98d59188d228f98954abd118a62426679fcb113ac

SHA512
4466ca24cb9fe19c7f2de92bb48b6ab75d0caf53cea4c1e40fd387d881228725dc32f8547a54644e9d333178362653160db396e3c67b57287fcfbcf52ab5854e

Download Submit
C:\Users\Admin\AppData\Local\Temp\UAwy.exe

Filesize
194KB

MD5
a2c9107e3b4e85cd08f023948f145717

SHA1
64872777e2cb8ee146321a26cec521feed375d29

SHA256
b7c297d0f5efca1768ae814865d6a0aa9656978193e541d1a9a151aceb4135b0

SHA512
023686af10c92800f469ea7cbb973459f902776aaaea1e54d120bd1ea3096d92ef4cd79f82d1bd91c5db50034c3f4d8a7f8ade80a0e324c1d4830641aedb80de

Download Submit
C:\Users\Admin\AppData\Local\Temp\UEMi.exe

Filesize
189KB

MD5
fd354c2d6ee7f75bef406a474dcbce38

SHA1
0ea7ddf5345db5b25cb25fb088137d1712552f2d

SHA256
2feb502ad92e4123700ec2a5267c448cb075addbd4e083583d7fd6c5a295003b

SHA512
c0e5455b23f98e641ced9e2d74013c1bd440db5a1cbf502aff9a5b71acda3ced4e5adaad26848d44825c91980109f2c2861cf5a0fafd801bda52f17d2dcb18da

Download Submit
C:\Users\Admin\AppData\Local\Temp\UgUi.exe

Filesize
788KB

MD5
cd0029a52647ede682131ef0bdb7f54b

SHA1
b85f11ef72dc912b878eedd3109046d72de25b73

SHA256
634b7c8748825d0ddb14911d35120c5a275f82c8e24aa51cc9358a5ab6b0dfe5

SHA512
341bbf36ca85d88844000b32bf9fd026f45b0bf7c9ad08332db3a06be084a97f1d7266b8a859ca8a2b89873c96bf3c9388f758ceeb82d4d06ba1a23916add894

Download Submit
C:\Users\Admin\AppData\Local\Temp\UkMm.exe

Filesize
244KB

MD5
555e26179082d7d503ffe52bf6d65eb1

SHA1
60fe63fdb473fbd19bdd4d48637f2b732bc6f2ab

SHA256
24f08ecabed4a806fcaa4619000b372da43d4dd5481daad1158b41c658daa92f

SHA512
aa47ce6ba2a9cbf11cdc0fce0d0fed48432cdc44b4237649ef3e1f8d0b0e9f47ff62ee975388e0ec145f7a934f22074e3d020d4f1d9ee3c24b184c6801ce7c35

Download Submit
C:\Users\Admin\AppData\Local\Temp\WAoG.exe

Filesize
828KB

MD5
7d8bb942382d21b4a7f96677a9c71ddd

SHA1
a3d9ca647dc3cdd5c44b37b88f42197064c861a3

SHA256
5b54c7548718daa5cc1cbe56a62d0b231d5a1e8e3cc05b0983b0b84b73bb9504

SHA512
c7569253bda56169cf952feb97769870e287abc8cd257fed284c6c4806b9780db32aaef233e9fe9b1b9f4dae6bca9e2e2ad19707c6988ada3df5eab3f701033e

Download Submit
C:\Users\Admin\AppData\Local\Temp\WIkq.exe

Filesize
630KB

MD5
d682d97b472760508a44f8fafb7b38dc

SHA1
0969b62044e68750b1d0829f851974bc8e6284e6

SHA256
8a97736abc8ad033af4ee62d6470fd60ad3024cbde97e5c4658970a012ab4bce

SHA512
c29498b0b2d5941a52400458d2572806605e63dfa14ac99b6d8a6a05f7a8841b24715ff379e6a283f56d99173c438cb108e3e6688eb6cc1e6b9c6139d463f2cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\WUIw.exe

Filesize
190KB

MD5
36da4080b2843f0dfa2325d8d02da304

SHA1
66f71adfcf5980b5742b0ce10f0f8d4102606519

SHA256
ef82835b688225727d898bdd060e2d3bf060a0c55f24a427814af723b5be2576

SHA512
3f12c7f7482f67abb1a8c5de6875b0829502d3cc7246fe9f3f6a19dd01755fc773f66b5edae7344cdde19ed149a76b2025a943a50e1d66c78947f7ff9d59e86b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WcQy.exe

Filesize
190KB

MD5
30d60ca785c857afad81d3cf8de03d90

SHA1
911edeb62cfe73ae40b1c1557ef05b3a2d841c1a

SHA256
b90dcb9c3bec73d8b3a3a7790a8640c272cfaa95d51fe45305275cbaed794322

SHA512
bea3746859317bd1499bb4ba991b0774f16c511cb51978dffa0b0c0c8b32a787e3028728de14af321bc5ca63e07029cf62fb669a26849166cf6ac6288004e5ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\WkAo.exe

Filesize
210KB

MD5
da4374097fb1ee64bf3bef7118d417fe

SHA1
61632cc7af90718087fae05d6d3dd9b288940b53

SHA256
c5cbbc512bba374a66936e8a779ed03607a3a9e9a5b3495718d2efec6ae87915

SHA512
4dbf2f5d74909d082f36558af99d60627d8430a928a1489365d54dc2091ed2b22221b2d8885cab576ab26ec65496c33044d8d6c34efb0acd44465b850d4e2175

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wkoc.exe

Filesize
191KB

MD5
deee2ca235072b82bf0aff5e90c0bf27

SHA1
8cad4a9cc720e648b65685b0faf20de9b6a9d6d5

SHA256
030340fd280dec3fa9f76fa36951e81e92c7743d54f0732be3f332d6f851cd20

SHA512
1f6f915931500d6ebbc76ceb4319c1fa09c9aeaa8dbca6c23f07e26a50d5a7176a8ef068f4285f6e56d5d6207a60d3d6ed1391395cbf3ddd48b0f91575272c06

Download Submit
C:\Users\Admin\AppData\Local\Temp\WwIs.exe

Filesize
596KB

MD5
403acd1e12cb97db04f986d3250b026b

SHA1
41d88403ebf3e0bf92f81005f64ec2f7cf89d83d

SHA256
90c0248eb2c39f57c0a79ba42a12a1d1a409d680318540829a72fd3a8b61573d

SHA512
58b2ded6ac5c6e5047042ba814fc02037873e8b9646218292f1993ad02f8729996ef149f5487fe3b5b18f359208dea1faa539ec123d114a30f2ed3fa277e66eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\WwUq.exe

Filesize
200KB

MD5
13be1d0c5d3cf5de7e1d1689acda64ce

SHA1
079a6a74e1d70b90d6f78351b2736443ad2ac691

SHA256
c57554aacff10fb5b5fddb529ae57c25e6d49c4def7629341d3f806fd8094d50

SHA512
ac7c69d142d00c1ba926992d1e6b9aac739b3013655efe6160b9835071eb93bf0d7233a97985961c1eee958f7a9e10afd58b0f21d0de973ce57a6ede3e0a6ebc

Download Submit
C:\Users\Admin\AppData\Local\Temp\YMAC.exe

Filesize
198KB

MD5
ba13e41dcfd3ad49ca4eeede57c692ec

SHA1
b98f16bfd99f1ec1cd6251e6ef1cb92841695e8e

SHA256
0736fa6475839ccc7a64d7436792aac326edce851b31a17726112cb675d1ce79

SHA512
4ae59158fb392288f1dd01278ffe12c1d0b5b0c2b8ea65025015412e179c84b228557ade191d78f8385b5dc08f3c1f6e318c63bd606de1f256172ebcaaa2eb82

Download Submit
C:\Users\Admin\AppData\Local\Temp\YcMS.exe

Filesize
656KB

MD5
b62aa6d5fd39438a40ca689ef75fa7af

SHA1
4ccffa9f521f5f88ef13fea4b83ef9fdd4adb55f

SHA256
2bbd0094e930027f414b809a51886afbfe3db08ba848c1acb727d4ba4dd63410

SHA512
2e15da21fa190a31716ec1cf94980d16d253f8c13af42b734d4aba7e2bc4ae20b3af58746302322f35692a28d7229daf713e9b5c359cf0926ad86b5a6351e9b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\YgkU.exe

Filesize
188KB

MD5
cbcb813d1fbf5185213967be0837225e

SHA1
c9bb4952378c2a83610c823c635a391a91170e11

SHA256
d8ea58021f20413aa9266fbf34bac4db37c742ca6d1630a08ab731372fddf82e

SHA512
faf3f79ff823877bb418c2a3ce240a7541fb9dce2949feb85b944166265070d80315ec5a7b9ba5a59a680c1f9a46876cea6491c9289069dc4fe3f6edf8bfe951

Download Submit
C:\Users\Admin\AppData\Local\Temp\YwIw.exe

Filesize
209KB

MD5
1fbd972e6fdd0d9480ef6f7ea4fc67fc

SHA1
d4b697c1b99ba70b0aaee8694f2a7c4795320305

SHA256
865e14d0ba357f4965d2f4ad24bdee0c8424b4fbb1b82d38733d56956d937c33

SHA512
7c51fd1c1988104458b4def24c2099922363dcbd18b131cf2a449c4ba56193634302c34f94c43c341a379559e9ae9aff99caca22777dcabb57e2ab19e4e34ba1

Download Submit
C:\Users\Admin\AppData\Local\Temp\aAEI.exe

Filesize
186KB

MD5
4335f54d8fdac129d2f35aafd0dee1d6

SHA1
5d1ea79387e03792e9e969c3f72dd64ddd0067c1

SHA256
531c40e55c116e753763a20781ec92366cdaf9f6179ab974b78a3a970f695cb5

SHA512
5662863bbc2736e3a76ae17c7773d6fd1b3335f3d8296cdf8ae043ed844b68b3f971cf82dd9d1c2aa5b8403f8fdca764d63b1e3ad012a6455444faea8e84ab8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\aMIC.exe

Filesize
199KB

MD5
e30f53442e635bca5ef9bd64fa9b327d

SHA1
cc1ccac8462d043e6913dd28f47ab94e4cf78695

SHA256
6161378f6a83c68f7077ac84f26fd51543167af7343697a816426b11737a48f8

SHA512
2b5b98b766b9a8ef2b4b5f0ec49f4ad7561c1adde95739f2c9776a15153dccf8eea371a6a829a7e5f3b5002b1fe1c51f196601bea6626971b85df45b1246ecbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\aUQm.exe

Filesize
781KB

MD5
af02b00c29b5fc7b1e8d97d83d469fc3

SHA1
efa43e05bc3fd95a3df5b110381a42e29e648023

SHA256
563156df0434e1de0a26ba5b437c1bf94ae911db17d15b86c78d60561d078799

SHA512
ea495e36a24f7cb7563d44d2bca4f12eef83b9ebf6c36ed70a248db5dddf16c91e53bdcb885abff4b5b7625fd6ec84cb543e1cb9846ff5fa0064136dbaed43db

Download Submit
C:\Users\Admin\AppData\Local\Temp\agAC.exe

Filesize
466KB

MD5
df9d27b1140eb507bb9a3bb37f998720

SHA1
475125fe0beed68bcb1687d5e63dfd4b7982a99e

SHA256
5f36cdb365b39a3f7b3f441d3a31c5acfc8fd8ff11b166023a301bb87e5b3bb8

SHA512
104d4b28275b7413727c0afc9122e67fc2b2aec0f0a2d78a40d76caad2c7515f8a3e7adeebc9eec6cbb05ecb0e3e3f25b2e44abeb8293a233fb4964e4572de7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\asIy.exe

Filesize
685KB

MD5
e1992b6e239a45511e2c3b29f4fcb485

SHA1
1778c2ab08dfbd21ffb4f244971eedb6417aab51

SHA256
559d77627b2b5bf55ce6bfbdbc9ceb6568722e1c14520761aa3d4eb7d173e463

SHA512
c4a120fc5da20ec3d09f50250c62b4ac1510a9d41e51ccad1a4865371aa5b7826be0adfef432c03fe2f839872e0e5e8eac947c2eb60e437da2a473291e4e5e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\cEEa.ico

Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\cIAa.exe

Filesize
195KB

MD5
0e9753f3f1e7082b8235ed2726c7e76b

SHA1
48d8a2f3e842259bf84932271ed271fac6859913

SHA256
7162dbb0695695d50dc2588280337d583ea72cb506c84b80943856728cca989a

SHA512
c503a0ffe20b7684f3abf66d4270e98b6f7b081239760b4ba9b46099f2eaf7c513eaf743c99c45bcf1ff6e834531e415e5045978c702c34b80890ebb5a4da382

Download Submit
C:\Users\Admin\AppData\Local\Temp\cMcI.exe

Filesize
226KB

MD5
ab78674b41a450c711a49bf156f3db73

SHA1
c34c6361c48431879f97c51aa7d9569b60b8ad96

SHA256
f6253eaafc9a9752bebe4dd61985a6e4ccca6494d09234d737e0eb02555a0346

SHA512
c22ef4a437ab9b0a7d8b2ad5cf379e36553ac2d2724d0d6ed25bdd395ef9d661bae37353510a98615928ca5dfd2287c23b91b6b015d19e78a7b23a97b5e30802

Download Submit
C:\Users\Admin\AppData\Local\Temp\cUgW.exe

Filesize
648KB

MD5
652877a2d9ec4fcd3e93c49b02c2cab9

SHA1
ede8989e3e06419eb1f042a6b705ff47c933577f

SHA256
a3e6fe1f540fecb013f988f7a2566ab048fe315a1d5ece57c383853bf1dfeeae

SHA512
1a149cb0f1f148f28385818b77444a74cb656198fb1b20f71e0c7edd6ffdd786f13683794dab42b6721d8bfec3ae5638af8bf3155abbae5398cc5e91b1facbde

Download Submit
C:\Users\Admin\AppData\Local\Temp\cgwY.exe

Filesize
209KB

MD5
4346a704cccd9c71dab9ddd6710b5e71

SHA1
0a06cc15545c67fb90cba4f213b57a2d42095d68

SHA256
1d5b5321de839878a828d52723d73fc2b8a799753db11368899df849249153b5

SHA512
64ab4cf20e5ecc5d40a1d9b0ac1ce2217ed4c628b405c3df62af5e90b9cebeb7232958306befdf7ac72b43800da53be3b8c2236baeb9d9f8a552733ac0cffa00

Download Submit
C:\Users\Admin\AppData\Local\Temp\ckQS.exe

Filesize
235KB

MD5
c01179bb73d8c92729fe8126a54f6543

SHA1
78a9737c28fc864983ede7dd182048e80b4a3ebd

SHA256
6d7db65f33026b657059804a0d97a984e1a3e9b6651f85d5cd7827ddbb72c8b9

SHA512
d3bb14a362b18cff67c49681dbea8e4a277c0a143ea10a0e4431a3038e44c606eba674927c635369d1516c77a80a13038258ee7eff56ff68e77669b770d7b608

Download Submit
C:\Users\Admin\AppData\Local\Temp\ckgI.exe

Filesize
777KB

MD5
d8baae1e26a68e21333b46555beca9db

SHA1
23ebcceb42a12080d32e8ac94e8146d39290c20f

SHA256
d55b5e395b04a223f7194a1ed0c4c7b26940f498db1530d5a45af7e632d9bcf2

SHA512
5ebd6fcdb87ac11bde2f6c3b74671d8bb9a7bf7ecd772eb0aee9e0f49b88f6fdf23c5dad01b518afff9765773ae66ca60009009dab61e9705c5504682ad547f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\eYUo.exe

Filesize
634KB

MD5
4237ff2159d87228eaa979e4e3daa242

SHA1
1ed577ab639ed6077a83b3dc71d169d19d889129

SHA256
6f04fe1164ca74efab9bf67eff8390423ea08dda34305a359b25adf3343f9b8d

SHA512
07f522eee99e35ec1ac92d5393d7fbab21366a6780877dbbfa786321bb865486bdd84bb55c7c3018a4ea29be93201bc10dfe8e54c6aecab9d916ef05181ad5bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gUoC.exe

Filesize
225KB

MD5
970d5c7519ce5f55197b881976c67ba4

SHA1
cba355d32801538a7724a7fdb90a984d3294100a

SHA256
44ab6c40d340f828baf1f914199b4cf3124f951e7135f5a3e5a90b5d970e0ee2

SHA512
c3ac2c8a78cf7307a2eaeb357fb99d833f59ff27a1f54ac693ebdbf194e86eebc5d62ec8f8f1de2449b8093a367abc961befacbd62d2893f971696b1e78ea4d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\iAMA.exe

Filesize
484KB

MD5
431c244dd84154e054960ffa03f80ca6

SHA1
725c07810866d66b2a158b6bf8a0e6a9771a0332

SHA256
9760a9be6dd731c2f071f2f8a16ad2ed4e7c5e1af62625c14fcd0a0c0e51e0d2

SHA512
078e15a7f9ad63fb7a130e4ce2444a0a83672bdcc1704e594302a16651f9eaf86361dc0b64ddeb528e4e3e3b49cd90869712e6f1bf3842c7070d23e7d9e32ab7

Download Submit
C:\Users\Admin\AppData\Local\Temp\iAMg.exe

Filesize
228KB

MD5
4ce8b127f86317d5b21b2f78121c4123

SHA1
3d6ba7f61679384c960029095edba6eac5ba8895

SHA256
a956d18ff5b4a14ae49a09b39217f932fe68e8f541563632f44d12a06f82ec29

SHA512
f7dcd51e3db6346110e53943b441bc32e7eb3e11c52e3521154e350b67b43c8f71e3482414313e81214ae98eaa3f09de0adcf19343bc75d332f4758df2dce68b

Download Submit
C:\Users\Admin\AppData\Local\Temp\iEkW.exe

Filesize
204KB

MD5
269eb452424dc1792735e159768862a1

SHA1
ac75a9201929f2ac2e967c191ca5f335ad338c27

SHA256
7d179f4c50eee2520efbe0223600404615398c3a5cd3f53802fcc6c24e08422b

SHA512
be33c71f3d783eaf51d08eb19783d977b0984fc0dbd0601b236455ced5e11750ece9e436f9de1436fc6daf660ce791b83be32f9c18f1495a246c8d573ddcb29d

Download Submit
C:\Users\Admin\AppData\Local\Temp\iIES.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\iIkA.exe

Filesize
206KB

MD5
06e9c634b45d5576eea4c1b028f1c95c

SHA1
5a2d3d693396758cc8d35ea3fc6e6ce8f4133c90

SHA256
c8318b62d9baa3d0e0a51be67dbe6a9724f81129ebf69dff134d9936bab38507

SHA512
9917cc7111ac4c8e6f3fca83deffe67affaed12cc0a7a17909a036a50477f146dcacd32745c8d569718ede273d557ff835df437b08a0a894ff221769b36ccba9

Download Submit
C:\Users\Admin\AppData\Local\Temp\iMAk.exe

Filesize
197KB

MD5
4404b94de400926aed9f51926cef535d

SHA1
bffe7613c362b34ada06f8d7891960d0195b85ed

SHA256
f68ba4d05b86c31f4532c9ab9fc82adff1ed67cf55481a382357f2837023c5e1

SHA512
15b63ad57cd23c20905e913e62240ccfa8969d0a76f284da6cf0bd8f2795c37f4ed3372a2ea222f2a0e9c235589ad36e374ee4d13f240dfe613e6a282c1ab9ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\iokO.exe

Filesize
199KB

MD5
9671673d930249865826ff94fbb8020f

SHA1
b8263f03efad47e74292b01ceb6c75b63f95a88a

SHA256
5455b5f2c074f54fc9e089779ad52114a3306079143b320293fb174d60403e47

SHA512
b83ed464cf2c5dfdc2cddcf2c1520d9a737109765e3f6ad99cac3562aee72cff4ee59c2d2003b80adb42a8b3fde609b3d04856d0873607588e78b684edb99317

Download Submit
C:\Users\Admin\AppData\Local\Temp\kkQK.exe

Filesize
210KB

MD5
83ad59a9a85193ff579c1f572007c38d

SHA1
82cc1a035f8d628be95ddd13454c21f81d82f754

SHA256
097c2c598042610ebdf46f7b9165762aa95a379d91dabf7871cacd715256ba7e

SHA512
6875e1433de1f50f48107e8f4bb05d6917ffb6a24885dbca356e1678c282d6dff9a1f5bfe4d592abbbfb55b8223387ce3930cb95e15dbfd962be5723e86ecece

Download Submit
C:\Users\Admin\AppData\Local\Temp\mgAQ.exe

Filesize
186KB

MD5
6c11646c9f2e49f68007b6d0d697af69

SHA1
6b50d58f0e7481f1e54e39b67a0757ac871acb95

SHA256
8076ad4e1f24c6db6084e54fb331004f78b1ddad3ab0a6580bca109cf12bf400

SHA512
562c46b4e79ade98945797c294cbabe709c5646f7756f21dd8c779ba1475297e53a614daeb075aacd1e0aaa5c9efac8688a77912a6710a29dcdb26864809b963

Download Submit
C:\Users\Admin\AppData\Local\Temp\mgMu.exe

Filesize
187KB

MD5
cc7846f07c09781934d9dabc7cd86888

SHA1
c79f7e0c15841fc4b52f9d4c449b60a95a563eb6

SHA256
7ea13df782cc4c64795a36f1a8ef75d4aa7d5a82ad8aaef9f61838da17a0c21a

SHA512
a14a7fc55a04c24629372190beb8b019dcc813a3ed6a8ddd742495eb470abefa5336f148f95c3d3cdf06b223be4642ee6e9340ac58c9d1d01a6ac114d39eed7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\oEMs.exe

Filesize
197KB

MD5
34b404ab6fc841f874a6b4ebbceed8dc

SHA1
88d6400e8c46abd4a360897ffe7fff11bb4e7787

SHA256
eee8244bd644545e993982fe11cc07b36ee2db8a1c2bdae8b42c43be22e942d6

SHA512
ca5ed2f13771c44fe9031fe2b775e8ed08feda78dfd85b8521136dafa3bab192a2080b87bd626f9a8cec37a94c16fbb9332bfb57c1b96dacedad6a45fffc57da

Download Submit
C:\Users\Admin\AppData\Local\Temp\oEkA.exe

Filesize
271KB

MD5
aa11e8c9d5843c5ba8e2641162d2f430

SHA1
47554ff4f9e61a827b57ca1f6fb074cbab46a383

SHA256
62ee0e4a021f0dd47a13a6393f3ccc89e10341cb93cdf321a1fb9c3ee4d1a50a

SHA512
844887965f2ccfacf360a61cfff60d55a4064b6d73b07bda47d531005f362ccf45a47abf30b6c5a40237cf75304081a45cbc93dbaa7a82eaa7f991149d60dcb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\oEkS.exe

Filesize
194KB

MD5
e17e2c1d98a1ab541613c87ef91c4320

SHA1
5379d5dac499d035264561df3ce5f9a891b9491e

SHA256
59602dd4a1050dd84cf76d8359e289bcbe2371e622772d28a0ae7c3d21c08532

SHA512
b9a27ce5d8d02ce5fdb67d50de32b0f91dda7e2581ab7f9b3142594b530de0bd02ff4116ad021a909a1ce2ec76b79783dea1ea97eecc96e38ce93846a3e05282

Download Submit
C:\Users\Admin\AppData\Local\Temp\oIUs.exe

Filesize
195KB

MD5
9264ded5a8d7bf3c31c9001c890b459f

SHA1
4195343cf4ccfe677e0697885c27bd487cd5c5c5

SHA256
7b2cd29e3291444f1e99a915597f0a7f77a06a31784b4172a979c7e87f545510

SHA512
ade69acd2c8e28b112dd65bf8350a7e6deff52dec0c1b78d0b41b5d94aade3f404fa16e60b5384959a69ddeb919677ec2761de38f161fce26e68415d6c04a7a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\oMEo.exe

Filesize
208KB

MD5
0f672c71bcea5c5132928c1a3766bfed

SHA1
7d02065188dabaff63ce0b2716c2e001fe6dfa1b

SHA256
3213a7b3a8d82edb507d949c385bf64adc00189bcc44f4ee1072711efad97cac

SHA512
198e263fd620cf7e4ca43f592a11a8ca79e6f0a64c001580c9e54f0900be1d1f35a3efd87f51e29874ce20df8799af049aad49cf78f1d7e79a61e22c68155f17

Download Submit
C:\Users\Admin\AppData\Local\Temp\oQsS.exe

Filesize
540KB

MD5
34c00c155fe40231c461a2f155d68f34

SHA1
b0354712778c162a8592a059fe620a49181d6a9c

SHA256
d5191fd482597dcea5620fdbf583efc495275cbd203deec187b9e8b176a5cbc4

SHA512
528e6a7990140dd04d2afbde6a98077676334076c600585801588b1a8eb90c135d63c3a93f62e3aa63468cc0aebe67ad3279ff4aa7f77367fccfd0f3256d7c55

Download Submit
C:\Users\Admin\AppData\Local\Temp\ogoq.exe

Filesize
184KB

MD5
7115f6bb22b25d78203ca0f5e6cf7ce3

SHA1
302ee32813ebb661acfccb8b65e2eb43bb0464a6

SHA256
92f930610a57b6a35b5be7a55c930c33bd9daf2d0e9f2613dd40acd112b2c085

SHA512
f485bb7a9e860e3e56e3616c4064193159d568fe1f5b546e0252fbcde758aa10b12973202659d41d18548cde585e3a163609a3c5ac1f6fa5a3299dbff9a765de

Download Submit
C:\Users\Admin\AppData\Local\Temp\okUo.exe

Filesize
625KB

MD5
b602f78463ebd24d979af97f5ec23846

SHA1
3853da4f002df92b5e87e04e426ba263cb1209f3

SHA256
b7ad7df026184e6c4fc7df98410f08c8af0c72a1bb28ff6f7b8bffbc0175d575

SHA512
47b30984ff30498507d3103345aa38f3e0fa58cc294223a71ac3adefcc43388bc5630dfad03e4d0f87ddaa2f527b4f7c671afa9a2fd1d46198d15b19c9f870f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\owEq.exe

Filesize
326KB

MD5
83ceda5066dd1a989961b4756a90a9bd

SHA1
7606320f56107d157b585a7a171a9ea4cf2d39be

SHA256
7d5737b4d6c7502ce15028207a8d2658e578821cc7065fa99d50499181fcb820

SHA512
baaec16117aa46ba3d46bea1da7912936ecda4b9f9f8056e33d744d65449d7a061dbc48e6e63c727a959299dc64f8a73cd09cda8de582537b9b8c3cbc2ccaae7

Download Submit
C:\Users\Admin\AppData\Local\Temp\qUkS.ico

Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\AppData\Local\Temp\qYsQ.exe

Filesize
824KB

MD5
90e333b553b61cb46b302d329f3f808e

SHA1
ebdc96ed01a4dde8f0f1267c9a0c711aa21c9c47

SHA256
ef52a5fd748fe61dbed61d856c1c85aa642c4d578011c252475ede555f9f8cbf

SHA512
d0b6ba256db7c9113a43c9aa27f121f9f2c05596fd1f2dfb07990ef6d9452cce8ba1e6a9cd9b130c3dc690660e989cabb5e411f98da5ebc7454620b3e111a90b

Download Submit
C:\Users\Admin\AppData\Local\Temp\sYkg.exe

Filesize
615KB

MD5
cd391884e1f43fb76ab5e8cc00435d49

SHA1
7c056c02a5228bd4249545325a0c76d3579c0d4c

SHA256
d47bbb06cfccca9e43ccc4c8a42308147744d613cd9717952e6b583d42fc4c72

SHA512
21ee1d8c57aba93ee98dcd932e501575cfb2b4851aa14cecb060e434c82418b86c898829e87f47b6887a68ade5c162645a5926d7142776783ee8693a44da1e79

Download Submit
C:\Users\Admin\AppData\Local\Temp\swoq.exe

Filesize
779KB

MD5
3ac5a437e9f263743637af5c1be38023

SHA1
5ef9be4fd74f888e757c71c9af27334af5b2a9a9

SHA256
50c5083f5d51d323c267c5c6d8017f457f231e791d2841ed5c8ac14797cdf8bf

SHA512
c68b7186ec252c28e9fde3cadc2004f90d96bc125e5bca6d0076d3572547925122443dfd002e7ffa54e863d1bdb2bba104925007222465245b866f7c8cc94915

Download Submit
C:\Users\Admin\AppData\Local\Temp\uIIK.exe

Filesize
201KB

MD5
2613c7aa414aa20c2bd7d89f7742d279

SHA1
740801ee61b313f2acead142f108c5bf7ee09f68

SHA256
0f466c9f9085bc4311d781fd07b8ee58c520353e1e22237666cad864b228c08e

SHA512
1194b3875e63f09add2dbd05b3a128d4bd403fe004f6f52b77282373079a8a37cb8d072408cee501dc389fd347be9f187437c1b667ee5a5c73d367dd7f88a0c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\uMQG.exe

Filesize
185KB

MD5
91ebb6cb44dfc04840f3e8ac3b0cdf1f

SHA1
f2f73a48258a1a87b9207f33e9c6c1a3879e0586

SHA256
7765f7845ce70c136ca3c9a02fffef9ef418442c057873f268a9c8d14e21e99a

SHA512
faf7df2a08f7e815bcea0df5a52db658f102d237aa8b4e2ea2c2478df8d76e41345a3d6c01ce83812f4371166602f3d76eb0793e5830343d68424f1df2c2c754

Download Submit
C:\Users\Admin\AppData\Local\Temp\uQEy.exe

Filesize
306KB

MD5
e51008224b7e59123326c5c01f5fc81e

SHA1
36ddbe2ee3f543adb467e4323cc8827bf53a0f69

SHA256
4d697618bf4383dbdaf87379e60efe310fc2be18071642b45ad3f79f8f18945f

SHA512
1ba8ca5fd0a5a63d8e5213b21cea3c206b743ac2ae6d73273fee9dc4159a148596ce4fc952e7f7d8638e40e119efd72938db128a7efb09c444a22fd2e30422d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\uUow.exe

Filesize
202KB

MD5
ccd3d5f4b1616de4b9a0124eef939c2b

SHA1
822a175bf6ac2b426186f56b2a54a2ddcdb28a4f

SHA256
893ab76e0b31148809bc2164f7401ab27b4957483f4965b2e0ae576159aac465

SHA512
eaeb1a515ca21b0f3261ef5d29ea868268d5814ee4a49247668ec1add9cded6394897795b82ddb349581dd5a70b6d311e63321ec38e60122b7cc0f50fdec6ee1

Download Submit
C:\Users\Admin\AppData\Local\Temp\uUwI.exe

Filesize
207KB

MD5
4f0f4b2823eceadc1b0db71a77435bd3

SHA1
77a5fe78d02c04d5db79ab71ede5355408e2f56b

SHA256
58afbba5062698da974e2835296d6b07960e13584f6553bf5fe073a187163e1e

SHA512
d610b9663f031a884be4e75a0aefb49401bb7b4cfa77d4be1db4b99459db02b79400dd88f65bbf95158ccdac9400a015e91fe19c2b7e593d09ca10fffce7c5b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ucsM.exe

Filesize
201KB

MD5
1867af1ab1bbcc7b1c905b0433400f29

SHA1
a1452959cf466c962e319f3591a312b10a8b6113

SHA256
a6b50eabd465900110976d4b19c2695c3d31b1dd99b56df0f9226907784158f5

SHA512
7d70873c0372fd534c41ca5e8b26f153e0e5b8e64c74e229c33f7b85709b6e9064a1c2a7705c940f7f1742aa0825bcd08065d3ca637f5b7170d4d8e766bf848c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ukYk.exe

Filesize
218KB

MD5
98d55f0a556b3bdbc60d9861a3ef1aaf

SHA1
09044e6dba65dfc5de415a751f065aaa998c8280

SHA256
91e58c9967106b139728b084360c9ef3fc28e6b9baecf428ce30469685a0e145

SHA512
3089f31b4423fcf716ec051c4ff0dc0d7a7fca1f699476d7097cc480b75906232b7ca1d88079144c2b9c61fa16061ae63d9814cd6af4f6ef9e253d721f53791c

Download Submit
C:\Users\Admin\AppData\Local\Temp\usQK.exe

Filesize
813KB

MD5
2ffdf5b7d2d878f8185fc5eac02939f9

SHA1
54883f12d7cf2b3aee2d86c1bb26b71ed5494833

SHA256
63c2b595b3b803f32f6e76feef0a368cddb873d90584e1714c3e9c153b30adf3

SHA512
6864c433ce3ce0b08ca9bf2f1845d22188810c2973d5dafb16a089abb59ed07da434d3876729fa70c70459ec935f235b8aef60217cf9d87fc2747aef62bffb8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\yQcu.exe

Filesize
203KB

MD5
6a5963099ae5f3dcd3bbd9ff059b651d

SHA1
b52dfee2ae6d491241271ec379e0923e64aeaf77

SHA256
2f8c17aad7b293cdfa2025dd260894e1b54fc4450a0756f2df09ac1a140c277b

SHA512
82793467100e61a73713c7282a1bfefaaefc45b40f6a3b427710a3eab76109293d81c9914d3d21c85e9accafc2566b39b76edcae8b75ecc275f1f7657f4fd441

Download Submit
C:\Users\Admin\AppData\Local\Temp\yYsm.exe

Filesize
198KB

MD5
04e999cb842954f36233cf085cb9893a

SHA1
365b474f4d0508a96aa049b08d78e3fe0af99443

SHA256
73480dc35fee10cc1262cfe030463bfe6df85b73fb3d588315a1b3ae49daa57e

SHA512
aa9d19ccd3d6381dfafc5d8e5acc1b7e76b2815dfc7d94d97dfd9fb6d005e0d734964882a38284f4106d4d7074b791711d75d061fe62a0f4b93dda01b8a5255d

Download Submit
C:\Users\Admin\AppData\Roaming\ShowRepair.mpg.exe

Filesize
514KB

MD5
074d4e44001f17f354abddd609d9b92f

SHA1
18bccdf22472c570823f0629e55be09e172d78c2

SHA256
30bb798514ae65354887da4ee83d284d32fda6222d2e9a7d7b73d2690f152698

SHA512
884fac50dc6b65dfeafeea17f0f11cd171c8d39c2d372aecbe1d2bcd26a6753997eb94094231e461bd9fc64d77d13f4385b358433f4e097e08eaf3c0b27efd69

Download Submit
C:\Users\Admin\Downloads\ResolveAdd.mpg.exe

Filesize
575KB

MD5
875c6165d1646e673691445a5feb4754

SHA1
dbc150dcd3c8f5f7b4db6b05a014922e9ac97f4f

SHA256
230c027d609d14c9012cc4e01dd8c0618a04c79c3cc2167753e180dcee5fedf2

SHA512
ebd3692c3e37418c52fc63c8655d5a29589f3c449017ff0d5e9e595c680bd1d77720d59a01e707d34dab6fcb8f8910aa38ca3a51a5c5d02de28c89cf49146a0a

Download Submit
C:\Users\Admin\GSAcYQEg\dIAoEIcE.exe

Filesize
177KB

MD5
b13dde14ce4258e2c6a3e98d8a904f96

SHA1
947de0e02f8bb584be3086501978d85e194966ac

SHA256
0374c29503eea3667d3a18e4a12d5e4e5363a0f421c793f8277fdd01bf2b7329

SHA512
169dd85f16c23574f3f618c17932bb624495295e44263331687a5c067cd6bf81e04018c3580b5f966239456675418d47d7faf9f6890c4397a4681d577becc86d

Download Submit
C:\Users\Admin\Pictures\InvokePush.bmp.exe

Filesize
569KB

MD5
26e91cbfe891d7119be310eca19c86c2

SHA1
20fcb7ed0e8c5f37d5b2ba51c3eecd3ba783310e

SHA256
ec2fe6041584578a4bfa7c19a9254b4f74d36cb6d436b98985cf9971ed6bc637

SHA512
53954ada87088ed5a8c5049bec9adb1cebcc8e669689c0e4603139f5f48262e500b17540da9015f5c10b70ba425da0dc4d86d5fe2aedce3f6ddc1ddabf9eb55d

Download Submit
C:\Users\Admin\Pictures\ResumeDeny.jpg.exe

Filesize
634KB

MD5
c7663e6103b582e41946126977a511cd

SHA1
9cdff8a87c2d76ea3a9091d3a4420f9c4726061b

SHA256
19294096100f474509db3593ba596d86f6d50de0f4ee9305a1964b5bb0ba2b0c

SHA512
0a1697a2ee7777688b3b656d425fdebc4a3bb01d121ebc8c231bc77548036b62991862bee34824c87651b1a106391fadd128f811b8025e47485d2908d83e31a5

Download Submit
C:\Users\Admin\Pictures\UseUnlock.png.exe

Filesize
746KB

MD5
d87c6e8ac4473d7505182b63afe4449b

SHA1
77067e886ec22d9ce835032cc6e23189df9f6305

SHA256
09e34b9dc50ae36a868d8dd446ffff4eeddc60fceda06bce8b8b91a823544c72

SHA512
5559743814c9f37f532404c441732b48c6e4c419d0069b657ff9216bf2a0213315ac6f487f3445374ec732d53c41fc224ad7af6253b95795e4f9fdc27dfb5645

Download Submit
C:\Windows\SysWOW64\shell32.dll.exe

Filesize
5.9MB

MD5
26c2da0aca7462aa1d9322c07bdb9fad

SHA1
644c6c6c4bce1ae8b36f38974a2a1a2aa38bf186

SHA256
66c87770a4fd24277b87dc2881b25596d8737840e96a6223c6a182a1031f72cd

SHA512
ca472c9dda942fae6f4f73ed1c0029caec3c3754b666b6fdbc86c16a413a9d1f30ce1eb7aa7a0e8126f1fa5d7f411719987ae22022ec45be2a9938eae5b71296

Download Submit
C:\odt\office2016setup.exe

Filesize
5.2MB

MD5
4afc366c83046ee5066e1cb8972339a6

SHA1
8e9c920261a186b9f9171b0b668eef956c886581

SHA256
a9089f078fe4e0debef149ef1345466b4ce7792fa3f76da08950083e397d89ac

SHA512
97ebb37e2692039bb3885f81c87b17c678c988f311e2f42ba2083868d37d2b9fc23fd22f31add3deaba2a198c3bd0f3547ee9bcdf53939a0b13403d15c3ba586

Download Submit
memory/372-320-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/372-312-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/384-191-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/384-176-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/864-82-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1088-53-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1088-68-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1468-252-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1468-263-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1580-273-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1636-15-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1888-166-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1888-152-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2128-358-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2128-369-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2172-251-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2172-45-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2208-102-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2208-117-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2324-131-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2368-155-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2368-140-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2408-7-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2496-274-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2496-283-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2516-180-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2528-94-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2528-78-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2564-349-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2564-357-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2724-395-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3016-90-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3016-106-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3416-300-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3416-311-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3436-280-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3436-292-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3576-340-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3576-326-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3640-20-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3640-33-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3988-19-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3988-0-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4076-57-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4076-42-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4220-199-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4220-215-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4400-337-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4400-348-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4516-127-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4516-143-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4536-203-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4560-385-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4636-368-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4636-377-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4680-229-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4680-211-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4920-225-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4920-240-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4992-303-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4992-289-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5024-329-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5088-387-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5088-394-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download