b098e7888d8952873d9c7455f548313596c775eb6dfd30f3971ac5671f61b5cd

Analysis

max time kernel
150s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
26/01/2024, 17:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
Size

209KB
MD5

bd0b4c1285f94222c22c6acfa4dc9384
SHA1

056a7c7c8e33a2adf4789ac00f59c35cf3c4e783
SHA256

b098e7888d8952873d9c7455f548313596c775eb6dfd30f3971ac5671f61b5cd
SHA512

561f87b8191a100965b1cf92fbb99cd79d64f69ac8e20ad76a8b0cbe279885b5c6e1519046e1242e72576932aebff329994dd64d22f2d4fc6ad1d23e1d41afaf
SSDEEP

6144:nbbgxfwyn8Lqf2yb6TfJBMWe4dD+1zuaTd7OrwmdsHNP4G9N:nO8LFbQuxMyqJ4GL

Score

10^/10

evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (77) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	UYkYgUcM.exe

Executes dropped EXE 2 IoCs

pid	Process
1808	UYkYgUcM.exe
1036	IsQUUUsM.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UYkYgUcM.exe = "C:\\Users\\Admin\\EWIkcUQU\\UYkYgUcM.exe"	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\IsQUUUsM.exe = "C:\\ProgramData\\RwMIUgEs\\IsQUUUsM.exe"	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UYkYgUcM.exe = "C:\\Users\\Admin\\EWIkcUQU\\UYkYgUcM.exe"	UYkYgUcM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\IsQUUUsM.exe = "C:\\ProgramData\\RwMIUgEs\\IsQUUUsM.exe"	IsQUUUsM.exe

Checks whether UAC is enabled 1 TTPs 56 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\shell32.dll.exe	UYkYgUcM.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
3388	reg.exe
3476	reg.exe
3580	reg.exe
628	reg.exe
4280	reg.exe
3568	reg.exe
5116	Process not Found
4976	reg.exe
4712	reg.exe
208	reg.exe
2732	reg.exe
4348	reg.exe
1668	reg.exe
1596	reg.exe
3160	reg.exe
3348	reg.exe
1100	Process not Found
1152	reg.exe
4380	reg.exe
4008	reg.exe
1200	Process not Found
4424	reg.exe
3760	reg.exe
4804	reg.exe
4808	reg.exe
2208	reg.exe
4508	reg.exe
1612	reg.exe
4824	reg.exe
2828	reg.exe
3316	reg.exe
2060	Process not Found
2156	reg.exe
4064	reg.exe
3772	reg.exe
2836	reg.exe
4736	reg.exe
700	reg.exe
4440	reg.exe
1688	reg.exe
700	reg.exe
2368	reg.exe
2252	reg.exe
1816	reg.exe
3568	reg.exe
1628	Process not Found
4464	reg.exe
1200	reg.exe
3568	reg.exe
1824	reg.exe
444	reg.exe
4312	reg.exe
3036	reg.exe
1168	reg.exe
444	reg.exe
2672	Process not Found
2884	reg.exe
2868	reg.exe
2060	reg.exe
3700	Process not Found
4776	Process not Found
1372	reg.exe
5000	reg.exe
2300	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1552	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
1552	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
1552	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
1552	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
4844	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
4844	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
4844	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
4844	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
3172	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
3172	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
3172	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
3172	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
3844	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
3844	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
3844	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
3844	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
4648	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
4648	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
4648	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
4648	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
840	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
840	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
840	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
840	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
4888	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
4888	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
4888	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
4888	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
4140	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
4140	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
4140	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
4140	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
3648	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
3648	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
3648	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
3648	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
4524	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
4524	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
4524	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
4524	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
3796	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
3796	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
3796	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
3796	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
3256	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
3256	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
3256	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
3256	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
4276	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
4276	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
4276	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
4276	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
4664	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
4664	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
4664	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
4664	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
4996	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
4996	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
4996	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
4996	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
2676	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
2676	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
2676	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
2676	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1808	UYkYgUcM.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1808	UYkYgUcM.exe
1808	UYkYgUcM.exe
1808	UYkYgUcM.exe
1808	UYkYgUcM.exe
1808	UYkYgUcM.exe
1808	UYkYgUcM.exe
1808	UYkYgUcM.exe
1808	UYkYgUcM.exe
1808	UYkYgUcM.exe
1808	UYkYgUcM.exe
1808	UYkYgUcM.exe
1808	UYkYgUcM.exe
1808	UYkYgUcM.exe
1808	UYkYgUcM.exe
1808	UYkYgUcM.exe
1808	UYkYgUcM.exe
1808	UYkYgUcM.exe
1808	UYkYgUcM.exe
1808	UYkYgUcM.exe
1808	UYkYgUcM.exe
1808	UYkYgUcM.exe
1808	UYkYgUcM.exe
1808	UYkYgUcM.exe
1808	UYkYgUcM.exe
1808	UYkYgUcM.exe
1808	UYkYgUcM.exe
1808	UYkYgUcM.exe
1808	UYkYgUcM.exe
1808	UYkYgUcM.exe
1808	UYkYgUcM.exe
1808	UYkYgUcM.exe
1808	UYkYgUcM.exe
1808	UYkYgUcM.exe
1808	UYkYgUcM.exe
1808	UYkYgUcM.exe
1808	UYkYgUcM.exe
1808	UYkYgUcM.exe
1808	UYkYgUcM.exe
1808	UYkYgUcM.exe
1808	UYkYgUcM.exe
1808	UYkYgUcM.exe
1808	UYkYgUcM.exe
1808	UYkYgUcM.exe
1808	UYkYgUcM.exe
1808	UYkYgUcM.exe
1808	UYkYgUcM.exe
1808	UYkYgUcM.exe
1808	UYkYgUcM.exe
1808	UYkYgUcM.exe
1808	UYkYgUcM.exe
1808	UYkYgUcM.exe
1808	UYkYgUcM.exe
1808	UYkYgUcM.exe
1808	UYkYgUcM.exe
1808	UYkYgUcM.exe
1808	UYkYgUcM.exe
1808	UYkYgUcM.exe
1808	UYkYgUcM.exe
1808	UYkYgUcM.exe
1808	UYkYgUcM.exe
1808	UYkYgUcM.exe
1808	UYkYgUcM.exe
1808	UYkYgUcM.exe
1808	UYkYgUcM.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1552 wrote to memory of 1808	1552	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe	87
PID 1552 wrote to memory of 1808	1552	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe	87
PID 1552 wrote to memory of 1808	1552	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe	87
PID 1552 wrote to memory of 1036	1552	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe	88
PID 1552 wrote to memory of 1036	1552	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe	88
PID 1552 wrote to memory of 1036	1552	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe	88
PID 1552 wrote to memory of 4628	1552	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe	89
PID 1552 wrote to memory of 4628	1552	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe	89
PID 1552 wrote to memory of 4628	1552	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe	89
PID 1552 wrote to memory of 212	1552	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe	99
PID 1552 wrote to memory of 212	1552	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe	99
PID 1552 wrote to memory of 212	1552	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe	99
PID 1552 wrote to memory of 1888	1552	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe	98
PID 1552 wrote to memory of 1888	1552	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe	98
PID 1552 wrote to memory of 1888	1552	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe	98
PID 1552 wrote to memory of 3336	1552	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe	97
PID 1552 wrote to memory of 3336	1552	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe	97
PID 1552 wrote to memory of 3336	1552	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe	97
PID 1552 wrote to memory of 4992	1552	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe	95
PID 1552 wrote to memory of 4992	1552	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe	95
PID 1552 wrote to memory of 4992	1552	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe	95
PID 4628 wrote to memory of 4844	4628	cmd.exe	96
PID 4628 wrote to memory of 4844	4628	cmd.exe	96
PID 4628 wrote to memory of 4844	4628	cmd.exe	96
PID 4992 wrote to memory of 4036	4992	cmd.exe	100
PID 4992 wrote to memory of 4036	4992	cmd.exe	100
PID 4992 wrote to memory of 4036	4992	cmd.exe	100
PID 4844 wrote to memory of 3256	4844	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe	102
PID 4844 wrote to memory of 3256	4844	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe	102
PID 4844 wrote to memory of 3256	4844	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe	102
PID 3256 wrote to memory of 3172	3256	cmd.exe	104
PID 3256 wrote to memory of 3172	3256	cmd.exe	104
PID 3256 wrote to memory of 3172	3256	cmd.exe	104
PID 4844 wrote to memory of 4788	4844	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe	107
PID 4844 wrote to memory of 4788	4844	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe	107
PID 4844 wrote to memory of 4788	4844	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe	107
PID 4844 wrote to memory of 4824	4844	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe	106
PID 4844 wrote to memory of 4824	4844	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe	106
PID 4844 wrote to memory of 4824	4844	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe	106
PID 4844 wrote to memory of 3808	4844	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe	105
PID 4844 wrote to memory of 3808	4844	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe	105
PID 4844 wrote to memory of 3808	4844	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe	105
PID 4844 wrote to memory of 1680	4844	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe	108
PID 4844 wrote to memory of 1680	4844	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe	108
PID 4844 wrote to memory of 1680	4844	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe	108
PID 1680 wrote to memory of 2904	1680	cmd.exe	113
PID 1680 wrote to memory of 2904	1680	cmd.exe	113
PID 1680 wrote to memory of 2904	1680	cmd.exe	113
PID 3172 wrote to memory of 1340	3172	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe	114
PID 3172 wrote to memory of 1340	3172	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe	114
PID 3172 wrote to memory of 1340	3172	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe	114
PID 3172 wrote to memory of 4332	3172	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe	116
PID 3172 wrote to memory of 4332	3172	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe	116
PID 3172 wrote to memory of 4332	3172	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe	116
PID 3172 wrote to memory of 3212	3172	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe	117
PID 3172 wrote to memory of 3212	3172	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe	117
PID 3172 wrote to memory of 3212	3172	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe	117
PID 3172 wrote to memory of 2732	3172	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe	118
PID 3172 wrote to memory of 2732	3172	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe	118
PID 3172 wrote to memory of 2732	3172	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe	118
PID 3172 wrote to memory of 1612	3172	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe	119
PID 3172 wrote to memory of 1612	3172	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe	119
PID 3172 wrote to memory of 1612	3172	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe	119
PID 1340 wrote to memory of 3844	1340	cmd.exe	124

System policy modification 1 TTPs 56 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1552
- C:\Users\Admin\EWIkcUQU\UYkYgUcM.exe
  "C:\Users\Admin\EWIkcUQU\UYkYgUcM.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:1808
- C:\ProgramData\RwMIUgEs\IsQUUUsM.exe
  "C:\ProgramData\RwMIUgEs\IsQUUUsM.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1036
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4628
- - C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
    C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4844
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3256
    - - C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3172
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1340
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        8⤵
        
        PID:3908
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        10⤵
        
        PID:216
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        12⤵
        
        PID:3704
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        14⤵
        
        PID:748
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        16⤵
        
        PID:2204
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        18⤵
        
        PID:4232
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        20⤵
        
        PID:2928
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        22⤵
        
        PID:2052
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        24⤵
        
        PID:2840
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        26⤵
        
        PID:3868
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        28⤵
        
        PID:1984
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        30⤵
        
        PID:1540
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        32⤵
        
        PID:1340
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        33⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        34⤵
        
        PID:212
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        35⤵
        
        PID:264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        36⤵
        
        PID:4804
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        37⤵
        
        PID:5000
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        37⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        38⤵
        
        PID:4040
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        39⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        40⤵
        
        PID:3892
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        41⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        42⤵
        
        PID:4536
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        43⤵
        
        PID:3160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        44⤵
        
        PID:3076
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        45⤵
        
        PID:4788
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        45⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        46⤵
        
        PID:1256
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        47⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4124
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        47⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        48⤵
        
        PID:4664
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        49⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        50⤵
        
        PID:2156
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        51⤵
        
        PID:4176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        52⤵
        
        PID:3404
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        53⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        54⤵
        
        PID:3476
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        55⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        56⤵
        
        PID:884
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        57⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        58⤵
        
        PID:3796
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        59⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        60⤵
        
        PID:3760
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        61⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        62⤵
        
        PID:2516
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        63⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        64⤵
        
        PID:5060
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        65⤵
        
        PID:4256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        66⤵
        
        PID:232
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        67⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        68⤵
        
        PID:4872
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        69⤵
        
        PID:1032
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        69⤵
        
        PID:464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        70⤵
        
        PID:1096
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        71⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UygwAQQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        72⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        UAC bypass
        
        PID:4724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:3248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        
        PID:264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        72⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        
        PID:4868
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        71⤵
        
        PID:3784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uCEIcUwQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        70⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        UAC bypass
        
        PID:3304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        
        PID:3536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        
        PID:1244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        Modifies registry key
        
        PID:1200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XcwwsUQY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        68⤵
        
        PID:1088
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:3760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        
        PID:864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jWYYkcck.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        66⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:3796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        UAC bypass
        
        PID:4420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PMYIMQIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        64⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        
        PID:368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eQwskYII.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        62⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:3556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        
        PID:1032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gCEUEQgg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        60⤵
        
        PID:4804
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        61⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yAIIwsIg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        58⤵
        
        PID:436
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        UAC bypass
        
        PID:2988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        
        PID:972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IEsEMAYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        56⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:1100
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        57⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        
        PID:3240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lIcgEIwE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        54⤵
        
        PID:2812
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        55⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        
        PID:3320
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        53⤵
        
        PID:1292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        
        PID:944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\diEscEkc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        52⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:2716
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        51⤵
        
        PID:232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:1152
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        51⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        
        PID:3328
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        51⤵
        
        PID:972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pEEcookE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        50⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        Modifies registry key
        
        PID:4464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        UAC bypass
        
        PID:636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eqokwQQo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        48⤵
        
        PID:4256
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        49⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SQQoQsoM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        46⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        
        PID:216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        Modifies registry key
        
        PID:2732
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        45⤵
        
        PID:944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vGswAUEY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        44⤵
        
        PID:3340
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:1292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        UAC bypass
        
        PID:4920
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        44⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FMUggMEs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        42⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:972
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        42⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CGsgIEUU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        43⤵
        
        PID:4952
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        44⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        43⤵
        
        PID:264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        43⤵
        
        PID:1292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        43⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        43⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jeMYQQsQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        40⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        
        PID:636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xekYQwwU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        38⤵
        
        PID:368
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        UAC bypass
        
        PID:3452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        
        PID:4124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4952
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        37⤵
        
        PID:4608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HIMAwYsM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        36⤵
        
        PID:944
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:4140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:3536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        UAC bypass
        Modifies registry key
        
        PID:208
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        35⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\esQokosg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        34⤵
        
        PID:396
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EOYEcQQM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        32⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        
        PID:3332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        
        PID:3216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YGcEwIsA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        30⤵
        
        PID:368
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KkcUMgQM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        28⤵
        
        PID:4788
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:4608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        UAC bypass
        
        PID:4620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        Modifies registry key
        
        PID:5000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nAUAkEQs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        26⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VgAMEAUQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        24⤵
        
        PID:464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        
        PID:812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:4176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        UAC bypass
        
        PID:4792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tSUUQosQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        22⤵
        
        PID:4248
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AAoAgsYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        20⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        Modifies registry key
        
        PID:4824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        UAC bypass
        
        PID:2100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sgcIMEAI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        18⤵
        
        PID:4552
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:3536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        
        PID:1332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KsIkEsUo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        16⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies registry key
        
        PID:1372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KcYwcsUU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        14⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:3404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        UAC bypass
        
        PID:2292
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        13⤵
        Modifies visibility of file extensions in Explorer
        
        PID:840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bEMoIgQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        12⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:1152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nYUwYsEQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        10⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        
        PID:668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        
        PID:220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:4732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        
        PID:3220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZqQoYUsc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        8⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:3476
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4332
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:3212
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        
        PID:2732
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lwMIAQsI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        6⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:4640
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:3808
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:4824
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:4788
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IYIkowgU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1680
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:2904
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OsAsEcwk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4992
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:4036
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:3336
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1888
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:212

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4732

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2268

C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
1⤵
PID:4728
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
  2⤵
  PID:2104
- - C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
    C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
    3⤵
    PID:4880
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
      4⤵
      PID:3240
    - - C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        5⤵
        
        PID:5040
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        6⤵
        
        PID:4664
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        7⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        8⤵
        
        PID:4952
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        9⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        10⤵
        
        PID:4508
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        11⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        12⤵
        
        PID:3080
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        13⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        14⤵
        
        PID:4828
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        15⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        16⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:2156
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        17⤵
        
        PID:540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        18⤵
        
        PID:4260
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        19⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        20⤵
        
        PID:264
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        21⤵
        
        PID:972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        22⤵
        
        PID:1388
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        23⤵
        
        PID:3256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        24⤵
        
        PID:4044
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        25⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        26⤵
        
        PID:636
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        27⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        28⤵
        
        PID:3036
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        29⤵
        
        PID:2980
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        29⤵
        
        PID:1168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        30⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:2884
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        31⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        32⤵
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        33⤵
        
        PID:1088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        34⤵
        
        PID:4860
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        35⤵
        
        PID:4064
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        35⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        36⤵
        
        PID:4128
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        37⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1084
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        37⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        38⤵
        
        PID:664
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        39⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        40⤵
        
        PID:4248
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        41⤵
        
        PID:3784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        42⤵
        
        PID:5016
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        43⤵
        
        PID:3332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        44⤵
        
        PID:4428
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        45⤵
        
        PID:3516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        46⤵
        
        PID:2012
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        47⤵
        
        PID:432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        48⤵
        
        PID:1612
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        49⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        50⤵
        
        PID:5048
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        51⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        52⤵
        
        PID:1040
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        53⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        54⤵
        
        PID:1688
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        55⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        56⤵
        
        PID:4248
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        57⤵
        
        PID:3724
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        57⤵
        
        PID:4860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        58⤵
        
        PID:3328
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        59⤵
        
        PID:3768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        60⤵
        
        PID:3868
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        61⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        62⤵
        
        PID:4920
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        63⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        64⤵
        
        PID:4232
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        65⤵
        
        PID:4100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        66⤵
        
        PID:3568
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        67⤵
        
        PID:4104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        68⤵
        
        PID:2292
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        69⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        70⤵
        
        PID:2516
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        71⤵
        
        PID:3908
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        71⤵
        
        PID:3256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        72⤵
        
        PID:640
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        73⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        74⤵
        
        PID:4040
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        75⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        76⤵
        
        PID:5048
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        77⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        78⤵
        
        PID:4728
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        79⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        80⤵
        
        PID:4880
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        81⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        82⤵
        
        PID:4260
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        83⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        84⤵
        
        PID:3136
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        85⤵
        
        PID:4040
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        85⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:2980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        86⤵
        
        PID:2104
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        87⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        88⤵
        
        PID:3588
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        89⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        90⤵
        
        PID:4868
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        91⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        92⤵
        
        PID:3832
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        93⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        94⤵
        
        PID:748
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        95⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        96⤵
        
        PID:464
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        97⤵
        
        PID:4232
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        97⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        98⤵
        
        PID:4040
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        99⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        100⤵
        
        PID:1100
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        101⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ceQUAQAE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        102⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        
        PID:3196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        Modifies registry key
        
        PID:2252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        102⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DIwgUEEg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        100⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        Modifies registry key
        
        PID:444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        
        PID:672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TKAwYgUs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        98⤵
        
        PID:208
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        
        PID:3760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        
        PID:3692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hYQkAIgI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        96⤵
        
        PID:1244
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        
        PID:3248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        
        PID:432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fcMMskcI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        94⤵
        
        PID:896
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        
        PID:376
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        95⤵
        
        PID:1840
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        96⤵
        
        PID:840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qCUUEkgQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        97⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        97⤵
        
        PID:3572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        97⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        97⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        97⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        
        PID:2388
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        95⤵
        
        PID:860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        
        PID:1032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        
        PID:3212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ooAksckg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        92⤵
        
        PID:3560
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        
        PID:1252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        Modifies registry key
        
        PID:4312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        
        PID:3696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CEkIAooI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        90⤵
        
        PID:4756
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:3880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WEcAMMAY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        88⤵
        
        PID:1016
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        
        PID:264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        Modifies registry key
        
        PID:2208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        Modifies registry key
        
        PID:4736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        
        PID:4104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NucIEgsM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        86⤵
        
        PID:4844
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        87⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:3760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        87⤵
        
        PID:4608
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        88⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        89⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\McoAwskE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        89⤵
        
        PID:3216
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        90⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        89⤵
        UAC bypass
        
        PID:872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        89⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        89⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        
        PID:3176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vGkkQgcs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        84⤵
        
        PID:4440
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        85⤵
        UAC bypass
        
        PID:2732
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:3328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bAkMMwwM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        82⤵
        
        PID:3248
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:3216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:3136
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        84⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        Modifies registry key
        
        PID:628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        
        PID:3908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        UAC bypass
        
        PID:2308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QMAQgkIU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        80⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:3772
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:3404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wOIcMIsA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        78⤵
        
        PID:864
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mUUwsoII.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        76⤵
        
        PID:540
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        
        PID:2980
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        77⤵
        
        PID:4176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        Modifies registry key
        
        PID:2836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        
        PID:860
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        75⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fMAgIUkc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        74⤵
        
        PID:4232
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        75⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:3216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        
        PID:3840
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        73⤵
        
        PID:3332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dGssgUUM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        72⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        Modifies registry key
        
        PID:3772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:3196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XEAcYcgY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        70⤵
        
        PID:884
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:4772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\viwgIMoM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        68⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:5080
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        69⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        UAC bypass
        
        PID:4896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yGUgwYQE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        66⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:4608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        UAC bypass
        
        PID:2732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        UAC bypass
        
        PID:2664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        
        PID:1824
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        67⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EQsQccUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        64⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        
        PID:3772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        
        PID:3332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SeYwYMAo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        62⤵
        
        PID:3256
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:60
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        
        PID:2340
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        63⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        
        PID:636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cgoYYcIY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        60⤵
        
        PID:3560
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:3844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        UAC bypass
        
        PID:4640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        Modifies registry key
        
        PID:3580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BMUUkoQY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        58⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        Modifies registry key
        
        PID:3568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pUAYYAsg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        56⤵
        
        PID:748
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        Modifies registry key
        
        PID:3160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        
        PID:232
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BsUgkwgA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        54⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        Modifies registry key
        
        PID:1596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        Modifies registry key
        
        PID:3476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        
        PID:4176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        
        PID:668
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        53⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VcUgEIAM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        52⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:1292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GeQQsgMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        50⤵
        
        PID:1016
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:3568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        Modifies registry key
        
        PID:1168
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        Modifies registry key
        
        PID:3388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        Modifies registry key
        
        PID:4424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KEcEcsAY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        48⤵
        
        PID:972
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:1000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies registry key
        
        PID:4808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MKswYEcY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        46⤵
        
        PID:3724
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:4036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        
        PID:4608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        
        PID:840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GcgcIMYM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        44⤵
        
        PID:460
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        
        PID:396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:2412
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        43⤵
        
        PID:3140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HyccMIUU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        42⤵
        
        PID:640
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:1592
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        41⤵
        
        PID:1388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gkooIAgg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        42⤵
        
        PID:232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        
        PID:540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        42⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        Modifies registry key
        
        PID:1668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        UAC bypass
        
        PID:3316
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        41⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RIQAUwYU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        40⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        Modifies registry key
        
        PID:2368
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        39⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        Modifies registry key
        
        PID:4348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TkcIkEQA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        38⤵
        
        PID:860
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        39⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:3908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RUYgIEcc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        36⤵
        
        PID:4808
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        
        PID:388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:4844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cgEIUgMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        34⤵
        
        PID:3212
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:1984
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        36⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        
        PID:5000
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        35⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        
        PID:232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies registry key
        
        PID:1688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        Modifies registry key
        
        PID:444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        Modifies registry key
        
        PID:700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GKAgwkkw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        32⤵
        
        PID:3568
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        
        PID:664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cKcYQAoI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        30⤵
        
        PID:4596
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        31⤵
        
        PID:540
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        UAC bypass
        
        PID:3248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        
        PID:3560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        
        PID:1084
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        29⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CYUooooo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        28⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        UAC bypass
        Modifies registry key
        
        PID:4380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        Modifies registry key
        
        PID:4008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        
        PID:3784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        Modifies registry key
        
        PID:4064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        
        PID:3304
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        27⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FqsgYcYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        26⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:4776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        
        PID:4480
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        25⤵
        
        PID:464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        
        PID:208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        
        PID:4788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lqkowUow.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        24⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        
        PID:2828
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        23⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\beEUEkEY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        22⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        
        PID:2976
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        21⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        UAC bypass
        
        PID:1380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xgEgckok.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        20⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        
        PID:2404
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        19⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wsIcIIgE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        18⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AGAcwYsU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        16⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:4732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        Modifies registry key
        
        PID:2884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:4472
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        15⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uGYAMgEA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        14⤵
        
        PID:884
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:1388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zckIYMwA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        12⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:4256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NYgoYAEg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        10⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        
        PID:1664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies registry key
        
        PID:2300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        
        PID:3768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lYUMwsUs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        8⤵
        
        PID:4608
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:3256
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies registry key
        
        PID:1152
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zMAocwgw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        6⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:3248
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        
        PID:1380
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:2680
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:4996
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:4480
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:3704
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CeggYYwo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
      4⤵
      PID:2716
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:3556
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cosQQksE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
  2⤵
  PID:5080
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:3568
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:2156
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1388
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:4808

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4524

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3568

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3556

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4808

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3516
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2164

C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
1⤵
PID:4444
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
  2⤵
  PID:1168
- - C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
    C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
    3⤵
    PID:4064
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
      4⤵
      PID:2724
    - - C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        5⤵
        
        PID:4040
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        6⤵
        
        PID:3756
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        7⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        8⤵
        
        PID:3160
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        9⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1252
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        11⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        12⤵
        
        PID:3840
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        13⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        14⤵
        
        PID:2724
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        15⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        16⤵
        
        PID:428
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        17⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        18⤵
        
        PID:2840
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        19⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        20⤵
        
        PID:4040
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        21⤵
        
        PID:1088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        22⤵
        
        PID:4484
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        23⤵
        
        PID:896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        24⤵
        
        PID:2916
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        25⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fUAgIcAY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        24⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:4860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\naAsoAcs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        22⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        
        PID:3212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        
        PID:444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ogUcYYow.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        20⤵
        
        PID:1380
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:540
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        21⤵
        
        PID:3248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ykUYEYIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        22⤵
        
        PID:628
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        
        PID:368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        UAC bypass
        Modifies registry key
        
        PID:3760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        22⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GswsQwwc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        18⤵
        
        PID:368
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        
        PID:3796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        Modifies registry key
        
        PID:4508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        
        PID:3772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\keAEAwcQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        16⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        Modifies registry key
        
        PID:1816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        UAC bypass
        
        PID:2856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        
        PID:5016
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        17⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WmkYIMAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        14⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:3832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:4104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LwEEkEEg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        12⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:4548
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        13⤵
        
        PID:3328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        14⤵
        
        PID:1144
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        15⤵
        
        PID:3784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        16⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:3248
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        17⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        18⤵
        
        PID:3704
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        19⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        20⤵
        
        PID:3332
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        21⤵
        
        PID:672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        22⤵
        
        PID:2960
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        23⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        24⤵
        
        PID:4568
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        25⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        26⤵
        
        PID:1840
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        27⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        28⤵
        
        PID:3008
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        29⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        30⤵
        
        PID:4104
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        31⤵
        
        PID:2856
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        31⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        32⤵
        
        PID:944
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        33⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        34⤵
        
        PID:2224
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        35⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        36⤵
        
        PID:2340
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        37⤵
        
        PID:2828
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        37⤵
        
        PID:3240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        38⤵
        
        PID:3772
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        39⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        40⤵
        
        PID:3332
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        41⤵
        
        PID:3140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        42⤵
        
        PID:4260
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        43⤵
        
        PID:1200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        44⤵
        
        PID:2340
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        45⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        46⤵
        
        PID:368
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        47⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        48⤵
        
        PID:3516
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        49⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        50⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1032
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        51⤵
        
        PID:4108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        52⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PAoscEoo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        52⤵
        
        PID:3140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jGMoAAQA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        50⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:4860
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        Modifies registry key
        
        PID:700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bUYAsAcU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        48⤵
        
        PID:388
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        Modifies registry key
        
        PID:3316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FugcwUAo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        46⤵
        
        PID:3536
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:1144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        
        PID:3844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        
        PID:4124
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        46⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        46⤵
        
        PID:3176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IEoIYAUo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        44⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        
        PID:4860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        
        PID:376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iyYEUwUQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        42⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:1088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        Modifies registry key
        
        PID:3348
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        42⤵
        
        PID:232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eAgUsMUQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        40⤵
        
        PID:3572
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        
        PID:4520
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        41⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\soQIgMwI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        38⤵
        
        PID:3832
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        Modifies registry key
        
        PID:4712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:3560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        Modifies registry key
        
        PID:1612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TqckoUoM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        36⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NucQsooE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        34⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        
        PID:2404
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        33⤵
        UAC bypass
        
        PID:5016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LSAkwQks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        32⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:4280
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        33⤵
        
        PID:3516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        
        PID:3784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        
        PID:3160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        Modifies registry key
        
        PID:3568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\daMMQcgA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        30⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:1292
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:3568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AGQooMQY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        28⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:1668
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        27⤵
        
        PID:3696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yIQEgUwQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        26⤵
        
        PID:3452
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IUoQocsM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        24⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:3320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        
        PID:408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        
        PID:884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AsIwoIIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        22⤵
        
        PID:4100
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:4756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        
        PID:692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uKcgcgAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        20⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:1200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies registry key
        
        PID:2060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        Modifies registry key
        
        PID:4280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        
        PID:3156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hIsAAwwI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        18⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rEMkgUYA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        16⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:3452
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        18⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        Modifies registry key
        
        PID:2868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vKwMoQEw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        14⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies registry key
        
        PID:2828
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSMUMEIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        13⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        13⤵
        
        PID:668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        13⤵
        
        PID:3556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        13⤵
        
        PID:464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        13⤵
        
        PID:4132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lWcEwYks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        10⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        Modifies registry key
        
        PID:3036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:4176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zgccwwkI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        8⤵
        
        PID:4808
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        10⤵
        
        PID:60
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        11⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:628
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:2104
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        
        PID:3768
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vWAAAgAc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        6⤵
        
        PID:388
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:3560
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        
        PID:2672
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:1836
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:3692
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MGAQoMkI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
      4⤵
      PID:4868
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:2368
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      Modifies registry key
      PID:1824
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:1540
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:4412
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eOMIUoco.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
  2⤵
  PID:368
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1684
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:3708
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:4176
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4312
  - - C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
      C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
      4⤵
      PID:2252
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        5⤵
        
        PID:2160
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wacMskoU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
        5⤵
        
        PID:3984
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        
        PID:3136
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        
        PID:3388
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        
        PID:3840
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1280
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:4124

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4736

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
1⤵
PID:1840

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3212

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:4812
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2836
- C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
  C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
  2⤵
  PID:1664

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GcUIIYkE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
1⤵
PID:60

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:2104

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:4788

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
1⤵
PID:1380

C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
1⤵
PID:4140

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OigEgwEo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
1⤵
PID:4996

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:4976

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:1596

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:1280

C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
1⤵
PID:4732

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:892

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2068

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4276

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4284

C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
1⤵
PID:2672
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IqYQEgkk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
  2⤵
  PID:2724
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:1984

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MSAcwkgs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
1⤵
PID:2916

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies visibility of file extensions in Explorer
PID:4176

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4756

C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
1⤵
PID:2784
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VuggkQgw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
  2⤵
  PID:3008
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:2980
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2160
- - C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
    C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
    3⤵
    PID:3804
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
      4⤵
      PID:2488
    - - C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        5⤵
        
        PID:3356
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
        6⤵
        
        PID:1256
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
        7⤵
        
        PID:4128
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:408
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EKMwcQoY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
      4⤵
      PID:944
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:4008
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:4444
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:3320
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies registry key
      PID:4804
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:972
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:3696
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
  2⤵
  PID:64

C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
1⤵
PID:896
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
  2⤵
  PID:3316
- - C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe
    C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock
    3⤵
    PID:4844
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\esAUMscI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
      4⤵
      PID:4080
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:2712
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:2884
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:4124
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XisEYggc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
  2⤵
  PID:4520
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:3172
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:5116
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:5004

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tIEYYcMk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
1⤵
PID:1716

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies visibility of file extensions in Explorer
PID:3648

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:2412

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:3568

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
1⤵
PID:972

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
PID:4304

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xiokMoQM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock.exe""
1⤵
PID:2884

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:2840

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:2816

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock"
1⤵
PID:1040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe

Filesize
213KB

MD5
780f073ea9ed1f2fc456c760a2b7f15a

SHA1
040fe4c817fa9f315181703c82202bb895b6c2f0

SHA256
7a3a252de537634f6d6a14355a0b7ec89859c38bb01784a765d0633accd41e40

SHA512
b9c18165d81d35dec04bf5c517f9557d1d8f290a7b88392eaec387efe33c5865968e0d9fad76fd4c63e55b53dc57284ecabf56fca86f9d9088d7323427f64f67

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe

Filesize
219KB

MD5
cf6018e25279ae1881f88a9ef56b9e99

SHA1
33f3d1d193a7dbe7ca97bd535e5192aae8cb3a8b

SHA256
d7c3ebafa4c184e92a7df4a17504cb3a627bec80e2fa4c4458c71ef0b72a77ac

SHA512
2dec978d9f8862dfdb575d2960ba0bfd985a8bdf841bf72745486b8e4232cde1b2612944c69a61b7cb102bf3904a4672aac0a3b8bbb51f1713ae1123456cfb77

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\guest.bmp.exe

Filesize
773KB

MD5
845a570c7a07a4306e94315bb1c48654

SHA1
42f816bdbdc9f0b4d325220aa3ccd6c8ef3627b2

SHA256
6ae9160f9a3d9d94c567f28000380a130d09576d78c41e9ba2cecd985cc90ece

SHA512
73f599f1c76b7182a92bb4656d4a666190d8ec4c18111242f5b7d1de9b9b8f05562d4d5bf16ea867f6c8530acf3bccb2066396926838020db9c75196a89362e7

Download Submit
C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe

Filesize
826KB

MD5
4a75d671cc9dcfe8a6c4a5e45defb1fc

SHA1
140be52a0cab8c27432a5b4e4c2ffae7690e0e40

SHA256
0729d80aab98a1c875cab4482ac578a1b6e5a1be5120656f1cf088b8176ce68d

SHA512
bb9076b4d65df0e0151895a2b529f92509477a82006dc216f2f3d63a64c7762d1ec3d58aae3cdfd251ad5b7b2e3ce0cd64148e3b3e84937a06a1d7e02bcfeace

Download Submit
C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe

Filesize
637KB

MD5
b1d67b9c411f1b8baa835c1ebd043479

SHA1
9eca64cd3e1d53adcb32e5dc4ae212a61c81542c

SHA256
c3109ba6cb5b416a2180ba2849c58eadf6b7ea44fb458e42608c6421343a6dfe

SHA512
b16ed0cd2c68d41d76da0344109d626b4ae9bd6fc082bfe6ad40e9cc13e7f9a84a036fa9567cab8fc475999c75497dcb460d1a6c5ff104022efbf71288d42eb1

Download Submit
C:\ProgramData\RwMIUgEs\IsQUUUsM.exe

Filesize
178KB

MD5
f8f14a2eb643e71b9f938c83cf154926

SHA1
e1c86f23db28e0e179c45b15607260531789fa7b

SHA256
c9f9a7e4544b572bc75591dfcd3819b591fc4fad4a50748bc2794253d6de33ed

SHA512
22527ea9a967e783be30b329ce0ffab464e4d8d7520c3e548b491e90c0685cc465a68ebcb80ef5bd1d580190b07106e7149365592dfac774ace690c480f9a711

Download Submit
C:\ProgramData\RwMIUgEs\IsQUUUsM.inf

Filesize
4B

MD5
16cca5fccf31533bc288c5ab66be8d0a

SHA1
da7948469c33c93207fae73dc97aa94a2cc42f86

SHA256
5b77b7eb0f14fd8bdc2a07e6293ddab567fd80804b8ea2201b7c69917e8cade6

SHA512
9861b965a8d42769503aa1578a5ff69e7506178de85c5fe08202ccdf43a6a4707ddc7f5630b3c2ebb5476d13e77014816d634ed164ae4fb6302744a37313f229

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\96.png.exe

Filesize
193KB

MD5
65daada2a7e3f48ee769a6fbd0e8c390

SHA1
635f1006acc11aadf9b0b16744079838f50c2cae

SHA256
92299c9a43d1d4a97e4007895199525182b9429dee8172c3e88c1ca0f9ac6903

SHA512
3019df80e8bbc4d622fd3a1b92c3e3b2ca5493794fe8ed69c05f1e9827a22f74f3f711dff7fe32fbf35e08a8d5da8f9885b97b4ab82ac31ea4bf65257f9c58f0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\192.png.exe

Filesize
187KB

MD5
cab024d918f172b94e80b72b7cf24753

SHA1
0a6e8ea2a8413b968d2ea9edbbc36b712598b1a3

SHA256
242bf72bf631e1b7e8ddb2804f8fffa3654f728f7e950c55c821f0ec29d9c9f0

SHA512
8bacdc66cd34e4f9dba8e24c2777ddc8952c690916652f33c18ec0b703ee0dfbb4e2d99d1b580a80bb01421b5eafc5d58511ff9fa5159e7361196dcb34298b1b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\256.png.exe

Filesize
205KB

MD5
590e8feb100e279fece530f229882e8f

SHA1
1308b6dc68d38f6a3d8fd09def262b23be8a8fe8

SHA256
c2c91f1e54d9d5c0ae7ce03788d9b39a353cd63dcf301d6e210e7932c07d7852

SHA512
92bb998ae5194632009309e140b2e040f4257ab990d03915ac350186de5137f70ca64962b387a482653d5b5d24bbaeebd6a32a7b222212f2468a98c98bb3ff61

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\64.png.exe

Filesize
191KB

MD5
f4444b8cadb8bc144e8f2a03f9c1b4a0

SHA1
aac46f6c5865e3bdc8641a71597aabe2a23192aa

SHA256
e4fe4b34890ad1ad2a20cb5ce469c4aa912b77c0b305f388ec0dc634a4a5ff0d

SHA512
bc2c98247ce93f31b1cc34230a16dfc1cb7fb22366b5fe9f98465b58950c909e6104571a954de5138603e91e5363cb336702e4fbe82e1b4f858cad8f27ebcbae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\96.png.exe

Filesize
202KB

MD5
7f2d2492675d6dfd8a55723ebd2c6556

SHA1
27da539d827beb55ad4099f8a1e168e0b22107af

SHA256
24bf15a510d4e6220b0521a5256ffadf7217aac0bfda3762c4cf9b4bb6f838bf

SHA512
9a176312e7782472244ee83c28482e9fa5f4aaa480012af371de1a4d333365c0b72c8cb36c56ebdbc7486394d6173d454a0fddaeca691fd7035a1fcc4b943c60

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons\256.png.exe

Filesize
186KB

MD5
cb7b1206047eeddb6d21dfad02751ca6

SHA1
ba18d2c01a7be625938e3ba610a56fa8d5ec0d9e

SHA256
23b648e206e4ca46b568416456f7bb0d32f470504af2c42811b07f454f8befed

SHA512
363169f3ae413bedaadc87cf251d451366a51378f936213a2333fb22a22c344e4e26e6fb723071c651258c74ef1d156b9dd60e68ec36d93b23b7412549fd7b17

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaCritical.png.exe

Filesize
189KB

MD5
d25d350cc9f6fccfbf95f4a374b0889b

SHA1
b07542f2ab684be240e0fcb7530c429fdb61cdb5

SHA256
3420edbcc0f51001e4ad61e049cfb022e66da7fc3a81ebd88e19927f245f3c1e

SHA512
59c0e4c16e38b704164e39713b7d03527395827104ae6cda020c7435613a112b4371f3c4bb2cd580c7f1e9a5c3c5087ac95695569b9b2465464045563f5208e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaError.png.exe

Filesize
204KB

MD5
f5d7d994f9e2c15f488694e51196f644

SHA1
31120dc9ab1d20a43bc2e2c7f1102ec7c1c65b31

SHA256
ba33caf9de06ff89c7fc50654d3b1ac02cee37f09a2285783863e988681bd3c6

SHA512
bc94555c90a6ef3dbfe114775d8b17949a8b851a94175e8a0ff9044fe028ef835de301163def488ebd8ba0cc5a937c475d6940c22278937e3246f628229da176

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\Warning.png.exe

Filesize
194KB

MD5
1b986db65e237fcf3d5a8ce878766c39

SHA1
415ceff15b1d2ef3e68d121719117a87132f9287

SHA256
1524c8a679b2d9d3fa71a231ff2c344f00fdfc4bde9e4f7a5090fc78549c0067

SHA512
a192b41d6180ed07773f224a5e2da40cab06e2f226edbb172ff42c98e6bdcc48472daa8d1c79dd9c8428de4af48c047818f74f30dcf36b748d8e793969ef59e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-400.png.exe

Filesize
188KB

MD5
664011d341925fac17d8d158bcc322a8

SHA1
ca38e88304d9e71a32ce38acbd24fad8170ad842

SHA256
caf454302cd3b143c9e32460346d6cd57759a89c8cb78d5cf6e0bd7f7de76185

SHA512
a268e8797e96a19e530bc791aac0b679decf93efdfea8284056e4638552ff2b9368a40f2a84716dc327d31b0f091108aca4626fddcb1c6c70e7090f4559207ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe

Filesize
1.8MB

MD5
27bf19f3b8de1a85df2ed496f8496947

SHA1
20c51200d8a76d102b33919db01691b5b6fe8010

SHA256
c7528fa29e67fb76e4764f3f5007f2f35fb8dc23b2e6820c9bbc4da36547a520

SHA512
fe6b9652fadf0c006f886d0ecd5ffb318913864230cb9be5ce0c7aa0895f824e6f7a43db3d884077555e4cdd25ce10ada691b9e23e8e6d5bf1270a3af698a745

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\26310719480\squaretile.png.exe

Filesize
190KB

MD5
a4431adb7bf614d94aae9496555c2c31

SHA1
a785fcf23a9b9c817e4cd2a9557b3c4372921455

SHA256
0f7c622eaeb5295feebb27ed673178826880e04544277508a6a46e76bfe2e5ff

SHA512
984dc7d8e91a16b44ca0dc604cdcb9136778e5e95a9ebe05d89d93ea5a62c879c977f5ea9916dbbf4cd28d9a47ce0e04268c509b1c6884872a207a963615927a

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\26310719480\tinytile.png.exe

Filesize
197KB

MD5
6152e2e650027ef4f0b51612241870e3

SHA1
e32af900bf61967c44c5b157a5699dc36575ef43

SHA256
04ff5bb7f8f83154ea6817211f2ab99e9405e4be17c8fed63e6073af795ac30c

SHA512
bfce7714ddaa784a47c94701d81c61f023a6688ac6d64402faa13a102fb36e1d01f5b0b5a13e101b862ee6f9fccaab3a555ed77d879dd7490ef5c249d9a5146b

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-01-26_bd0b4c1285f94222c22c6acfa4dc9384_virlock

Filesize
3KB

MD5
542371981ad5d8ed0b2686bcb318e6ac

SHA1
64796f5e9f24368ccd58a4f026e4d9790924a82f

SHA256
1a541ff5a4c4073b946d414bbf734d690d35cd032f958d188ddb6002587b01f9

SHA512
e3aa5121c0f0fae885412ba3a3e8b8cc35b8c0aa69faed21800e2d3f65645d6f836d6f308f5438a192f313b4adc739dc27ff48463131a089378d3cea7cfa225b

Download Submit
C:\Users\Admin\AppData\Local\Temp\AAca.exe

Filesize
208KB

MD5
1e2a6063f4e1a95cbef694d20c4fae64

SHA1
0213b8a07b6739755099bd0ee30372a9c44438cf

SHA256
5d45cd0a19c57d2674d64362685b6589ee933d518f1724e18cff22d026fc10d5

SHA512
88f24b91dfcf7a5cd0ca10ec793701be8b8a2bb500cbb2c219cc6a436918597f5fad8a53b2c575b872fbbd8459f57ccc4d5806dce4f1c838e703829eb0672cb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\AIAe.exe

Filesize
214KB

MD5
b5bda296b5fc8c8dd7134bdb2d2c0f78

SHA1
43b90b7fdb16fcce80ebcf58ca02d3447e466f49

SHA256
8afef9aa3c4b2a777a9f8b381f230f41717831c64b64acb2f0e3a747becd8178

SHA512
42d80cd43aa8b79d0a161121c4016acc77babaff52f0bdb4160e35e036e4d67acf76418ce7d8c4040bc1da7243d36f46986af6b58a30202ecf3f990cfaf38cfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\AggM.exe

Filesize
226KB

MD5
4daaeb1ccaa41bdc155c55270a530e5b

SHA1
eae89a5e436b4753975c94198df19867d56fa936

SHA256
8f5133b2efd5f95055311fff38e9331c2222c115fc31408b82e26889331e8f02

SHA512
31001585acf8da00b0daee8096ab53e26471c6fc4bd3c958927a2a045052a9dc00e2aff96419f209ff2b5fe8c9c9d74afb0fc4d680310afb8ca866a362fe1eab

Download Submit
C:\Users\Admin\AppData\Local\Temp\AkkA.exe

Filesize
906KB

MD5
0787be0e338461e3f18d12ea45b9af86

SHA1
5d2e542a2a66f6d3895c63d580142fbd48f8d813

SHA256
798aff2515cdf3f3388c23d0e6326ff6ac2e527a184a15f9cd2b38a70bc3a35a

SHA512
4d5c16f7969867d5788eeb9a309569d3f5a8589025c1101022c03cdcef400f867db5b41f1251081926ccbe1ada28ffe817f8fe1b14e797a47eebd322527396a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\AooE.exe

Filesize
199KB

MD5
826e1bef1c2b3f34e258284dccecac7e

SHA1
fc78cae94f5d30563b276e99fbd9f37339f3fd8a

SHA256
60239589e24ed49e662a8544b12df09872500c044819f58d925e9bffe83285d5

SHA512
366effd83f868e6050f4f7871d6e3a601102161568b05fd075054918ad6971b0c57a287bb3ae167a64af38524e9e06f92522c7c10a4421e8288247cabe772021

Download Submit
C:\Users\Admin\AppData\Local\Temp\AwYo.exe

Filesize
182KB

MD5
1a628ba3c64b849aef3d9b100359b2b3

SHA1
648f37ca24196c84fbdf953b71b0f9ef395f1c2b

SHA256
46dc676c5583841421d822a31a4ab974a06d101c075ba6d0c486bb0363aab199

SHA512
3ae095f3e83110998d2eef848cc1c5f04ee09ae0342d1286e1c64bdb5ad7897da68bca68d482539ed09494c77cbf66c1b46ff15435cddf6385d1b48cf3acebd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\EEYY.exe

Filesize
195KB

MD5
c2677076ab70162015882e618652d012

SHA1
eb32441afeb9d6ba0af575a5cbde7e321c78a34f

SHA256
e1ff3928535cff053c27714b9466d88a74cf9d1cf5ee80e42a639d8653adb828

SHA512
d6e644671ecb20806e99d20e04707859ae53890ec194bbe265f3e4bd2b102d4d1320c7c97cec52513d01693fec1763d3c4aca47b6711e93891badf123cfa8be1

Download Submit
C:\Users\Admin\AppData\Local\Temp\EYwy.exe

Filesize
201KB

MD5
bb09ab5bebb5581ccb160445b08af447

SHA1
bc0110fe8f3c898222dd8095834374e3f54019cf

SHA256
ffc074ffc606d6f7625c5c67548f1d840a7f20a3421bc354b601ac8ec26e5307

SHA512
826ba49511b8f00af2b6938e34e046f54a5b891db3f81ad854a19797a4f98d34ff558a781ef017e04ad210ac496b63d520bf141064f1bcf1e7b5776da5db4f24

Download Submit
C:\Users\Admin\AppData\Local\Temp\EoEo.exe

Filesize
184KB

MD5
87957cf78654a127c50ab92a3b39ed99

SHA1
71d4dfa98e74966bd76795b8ef08a2ce7fdcb4d5

SHA256
05a743ca39657ae5521c93640eb788ca498427efaee28da3be79749074a77870

SHA512
00f4a555acb70b7338b9d90687a9581d15f693a814cf1ea4b27cb9ec9199a5e428d6c0815914f594ab30401320ea744169b509b2519ea46cb0a7dfb3e62130fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\EogA.exe

Filesize
208KB

MD5
00336dfba843201369e3e89c448a41b7

SHA1
9eaf1aa075e56ea0c5288ad5aeac0f4445d59331

SHA256
d9275f503b6c97fd6588f127d9edff78804d955b62197d993ded3de4c8480b13

SHA512
69b0587fd61edf85c62dd9a480957aaf364f3cc54f0499c1d4f102116c45c310b28406da3892fe7295a7e3d143c7c0f874aadb695226022844d9381615e6c973

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUMu.exe

Filesize
230KB

MD5
a2acf3a5b76533237b5d647a1907aebc

SHA1
ff58dfe46fff3115621ce26b576871d3373b10c3

SHA256
4d6f6a164c50c6d6d913d6578566c5d2bc479a2d9a8144e0e5b8dd8ea2edd670

SHA512
b5b065a9f6dbdda41911dfe6e33df6a676806896ca2caef3d94752e712f9d8b178941c1287d09d44f8dee50c8693995defbccc3bae20b7c69731be2733f25157

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gskc.exe

Filesize
206KB

MD5
399e0d96e61910c3028d077c3254005a

SHA1
55565c02ce4765b7cc440b744b1e41258f7de46d

SHA256
6cc2f0d5e397c3df1852b469af820a46599100ca7699afa3a3ad76c02e34312f

SHA512
2441fd9e3be3b41f01de69ece13b5b6f0158f00320088dc86f4ec5c37dd12bf432eb14f567a6df3f49d9c7dee1e9b89d4359722fa2c344543b6828c77798b976

Download Submit
C:\Users\Admin\AppData\Local\Temp\GwYI.exe

Filesize
470KB

MD5
dc0f1ea5caeb87da978bf44d23d0ce3d

SHA1
9ec01257d5e745277175aa810cb1af2703a2f452

SHA256
42ec166d7fc58b93b9cb8270726ab5f2a5ec94cafce7f984ec43a7bc40a3d6ae

SHA512
2da65bc1cabd0d15d041cabd62e44beabf8a4d2732336edb32cc843109984d0fdade2650a5bc04ee4134fa5ce781fd6ce30076d9abaacca7871a86f29ee81d88

Download Submit
C:\Users\Admin\AppData\Local\Temp\IQQG.exe

Filesize
198KB

MD5
a302aaddeb4b1f7e4b13bcc00efff8c1

SHA1
fe2f6f8c47700981784e77a0e41e9ab4b0d73b67

SHA256
60749a30b320afb7a96f86010a5dd0def725683ca868ea09c1d48cf789d989bf

SHA512
d18fc1ae42e1bf961c725ab1dd0b0ec24490175d98df625dbc790d3535b927193036759f633180956cf27164e7a537d99684a975da73a2a373e49029fbf26727

Download Submit
C:\Users\Admin\AppData\Local\Temp\IUMk.exe

Filesize
310KB

MD5
8d5df5b5386ef8fade08981259359783

SHA1
991f2c082d4831c4b7cdcc394c3570ab2df11f67

SHA256
52bbecc3c31db3335f2dc14ea78acafb59729520966a86e1dce6535ff43d1e2c

SHA512
6cfd8e2cdedb0d960488c5cef9a56b30b30b5edb121980ec217f82cb3eb1f3773434bdbd07c383b120c4454fad1af14f0d45939dbf76f9b821f6c266ac3420ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\IcYI.exe

Filesize
212KB

MD5
562cdbee36bad477b708f48917670276

SHA1
d63c9dba52e553150b96b06995787c4ea4a9187d

SHA256
d68dd2dacef8781276b2fa196ebb4b9c52da03739fcd141f0eb07a8e703ae62f

SHA512
c4e280cb8cc3710ee79701646d8209c78348770b869b37340841ac66394e8b3eff7b23a7e0827d1d3943992efc59686fa9033eb93a483ecec291bd04e14b1823

Download Submit
C:\Users\Admin\AppData\Local\Temp\IkMo.exe

Filesize
196KB

MD5
39a2227e041524cd3c7a6d85dc89e7f1

SHA1
1f393da2c8860ac5a969197fd1754b7c2c38907a

SHA256
32958719558b44c864450273195c11ca6d38dde1e9cae2a035b3c1d71cac7405

SHA512
a7aed5b1053f5b5f5ca14c30f36ec8a11dda1e10b1aeccbe57ea5f503ca66da0f80ff8849b9fa1fbeb507a2586cccd2e879a601ea708458a1208d24097ab4d40

Download Submit
C:\Users\Admin\AppData\Local\Temp\KcYM.exe

Filesize
193KB

MD5
adb80f7c3c5c5770f9745a6d02b8c8bd

SHA1
a2cdb9f891ede77f988b3ca0ba0b3d846ab38e8b

SHA256
fbcaa686880225bbe6570a9e524f6d19acf1491489bfb4ca513db1af81ec0aad

SHA512
45ac94e4bf378030e235906ebb7d8597112cf579a618d9999bd51ef84353118c51c0c9b48020bb74f42682a487f7a4d92b2af20d79e0dff74996e57f4d67e9bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\KcwU.exe

Filesize
647KB

MD5
a0da721aab486918e80a2a9209898123

SHA1
fd579bd3ec55eca14418cb98110a7be54c71dc9e

SHA256
c9169e7eb9cb4f67cc2a8283351fc6c9d48c615c22b77c1b9d664f2f183e67ff

SHA512
eab48be21664093d525e9f205a9ca312a5adc14bfa5b741bf741a1c5cde1a9228095b2e253331bea5b3722656b1dab669c32498601a9fb15360f132f5dba2c90

Download Submit
C:\Users\Admin\AppData\Local\Temp\KkkC.exe

Filesize
578KB

MD5
5599bd5b87801fa579db07fa9d250cbb

SHA1
e6731153423aca72e9d85f048a7a222b1449f476

SHA256
f698e07b32ddffac7092658bd06c62024e03aeedf72949c83560b6183f099968

SHA512
c0212963057ad36ab5634c9da905a041297d46275ce3de5fa37862b9067bbe30bf0bd6c63ea535cf2aec037b464e92be0ae0627a9666acbd9b0ea4c236479fda

Download Submit
C:\Users\Admin\AppData\Local\Temp\KwsY.exe

Filesize
229KB

MD5
8e5a9b9d0d482fc286c825758d90401e

SHA1
86473ccad4a244fc391dbdf70d58ce83dcb7aa48

SHA256
926141ce264f01d5fe8ef02908961a4bccffc26c9d4a3cba36d64106c9708765

SHA512
18444e097c88aec32a185aa289ca12fe129235e7e67cabb74146db6da0267be4586b2c696da28aa2f8c21ec45f9a65031854421fcfedcec73f2a03fd58cb411c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MgAo.exe

Filesize
195KB

MD5
525bf7b1c462c31c901a172f1862633b

SHA1
01b3ab0ea1826c83aadc3bbc8fcc5f40836fd534

SHA256
c3d1ac6de53a803cf6dc1e0b503c2cb24380f5a80a7125c9a964ecb1433548fc

SHA512
9ffd38caade5b83b129c2813991e94a94023f3486796aba77f4d7658a0f5ebaba8302411838267a35a8ae6b9bb0af44b2eee99d7a01e1f2c29c903dc22843309

Download Submit
C:\Users\Admin\AppData\Local\Temp\OEkO.exe

Filesize
195KB

MD5
2e8a578eb11f7d962c710c11d580c036

SHA1
c78c6768bcaeac4992a86243fc640ff1d2dcf903

SHA256
5399332827136fd89d75925be4f83ba24fa91f0c730db75839aa815c0c8c7115

SHA512
f3275f168c2a8b53c4992216a0681f4ca7b7b85ea6fe243dd89acb0a492374677616a9ef03df1737098d70e41aa0784500e27a1eeb0e58293e54a1c9868df035

Download Submit
C:\Users\Admin\AppData\Local\Temp\OYQO.exe

Filesize
195KB

MD5
aed590ae8ef444fdbd90d70a514bc0ab

SHA1
f44b120bc1b13ab908b77385e78f32399a77c82c

SHA256
9a5eb17577d2a893633ee871e3cc4ffa8d2df27d628b00c67e0825cef6a49a30

SHA512
2dfc18baffb93b146c1e580a8644272a6c85fa29dfd0e1f846343a97cd4652eecf52faffb514a7317264db028527df33a3fde83a1cd006bbe2709d0095ad3099

Download Submit
C:\Users\Admin\AppData\Local\Temp\OkIA.exe

Filesize
2.3MB

MD5
1112f0cd9afd1b7cff5db870608acca6

SHA1
5aa1d3399cb91d6c27fdb3e735e6b9340c95e7f0

SHA256
94bbf1053c3057c06e587f455dd0fecf81f99a91e333dcfcc1b92c32a013220a

SHA512
e797a9436147541f54bf80fd91ff35442d8c9f2d9410c84c08cbe82d36cbfef399eebef58ed57c40376a2093214428207436ae930a2aca305c3babac95faa34f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ooga.exe

Filesize
197KB

MD5
92f5687d9da6639b0e58e8e062f45d02

SHA1
cd35d386e758f2bf8420283e66038bee80ccf749

SHA256
2589909dfc1aca0a3bc1ffad5ec0f932af8d45863d40eca367df35776805a54f

SHA512
02932f8292955cd3120e4f7c9bd4fb6def2d31dd8c77d64c1898fe0afeb7ce5cfdc7f6b6ba8b0f6ebf68e2a6c4cc32c16580b1d51a632c2f9ee5470b735ba3db

Download Submit
C:\Users\Admin\AppData\Local\Temp\OsAsEcwk.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\QUcA.exe

Filesize
635KB

MD5
6438df18449aec17bc31b38c4bdd8b89

SHA1
65611b994e320b8f93c3cf7d93e0028bf664446f

SHA256
61f3edac3e57feaa65fb29db8113b44bd684377bb4da5a9dd0addb0a155fcb42

SHA512
dcc0e497a1625c13cc9edafd4d76f35e9df606a7e4863eeb814c0f6731446a9bc665fff48c26485b620f4b62b0ed57c1e5a4beae1cfa12642745a819c255edaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qwga.exe

Filesize
194KB

MD5
f443621818c1fb8b20136f546742c995

SHA1
a7d581d524ecc2af8410a29b930bf8598782231e

SHA256
13263657a904f3f57841c89de3963f28ae190f7ee5c65d06fe00918f9d4f34dc

SHA512
9b443bfbac2aac7f3d945e4a3c3fa9c1caf6b6da751a19450da7cb5b431c2a9b2ebf014720f5d1ebe7408170f31ee81281ffdee13670df3a95a1862e4fe953a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\SAgy.exe

Filesize
646KB

MD5
5b6aa0df341f46a11dc3e82b01094b14

SHA1
3b2cf384aba3b58ad08091d5c3b83bdb80a64d42

SHA256
db374d66b487799be14b891cf458d5aad250e2bd50ea17f01ad50a88f17eb75b

SHA512
fc293179d387a9f9daf57dc57f8b860a22673825ccae6c13d676e5f2bb723b867a2d79d50f7228a7d79577f1c34fec37dd4704b510e876e26294add4bae08879

Download Submit
C:\Users\Admin\AppData\Local\Temp\SMgK.exe

Filesize
236KB

MD5
579d81fb031f92c1d48720d9b06e94d2

SHA1
80500af39ffb5bd177b9aa2f125e0f97bd64845c

SHA256
93f32442ba1ae7f6c5ff8a3d855a23582842521e88041df03589cd535c167830

SHA512
1a02478adf6c3b31d2795e0e6d5474ca42bf0c9c75881951102385072a885467254d0818a50d7e98944c1d74a4eed3068a94b7d693beeae9e433943af3482c12

Download Submit
C:\Users\Admin\AppData\Local\Temp\SYEm.exe

Filesize
189KB

MD5
0525f420f36ce75f59076fdfa7ac90a1

SHA1
b4825a1520643033cb7e4571a8db674e362f8d45

SHA256
db7eeac7ec6e106cb801e56bc580813a6630f8a1e2d2e7e6dee6c46432de8e1b

SHA512
2af758ea9ed59756fcf69cdd05e5b26d9e6450d6500cedfa3a443b5c63a9bef7010b50a0e336ea2f36e641bebd420052b1acdc161d1d88bfa95c688307d5c2c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\SYQu.exe

Filesize
225KB

MD5
c36f9c3e1a9500a7091bd45e72c88beb

SHA1
7c49f2345ada95d34c8ad0d0b6f985d0904b1704

SHA256
fdedbb71fa6ec02727ab228ee01c80ac2e0d8882d7a6666356369750b069849d

SHA512
e6d279a18d95bd4dd31e176b1c8544f2cd0aa30829337ee68322dbecf5709d287d6479a19b85ced8894b3a5601ac327c71eb52091eee97e09b6d14b649d3cc28

Download Submit
C:\Users\Admin\AppData\Local\Temp\SkQu.exe

Filesize
574KB

MD5
63cdb1e70030fdc44eb36fafc2dab9e2

SHA1
e235615885d718028da497e04b7c97119cea6c10

SHA256
921f88347445d93508c5e42f4a8d9b5cc04222a3b3228b85ad2b213c690eeaf3

SHA512
4c114e3583956ca5e9668dfcee59ef7934ac6fee70d7bf85c30e3fc5fccbf90ccf1ca26f3e6651d9843e1fa2eb81e98295b447bce7f559308994049ec45031e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\UAMs.exe

Filesize
190KB

MD5
083fe5d01315105891b734df182bbfe7

SHA1
79c14da7658636126fa475e52ff119fff9586bc1

SHA256
bfd5f7785a75a6ffb6c9b5a337b34117f4fbd1d29c2e2d2ae8eda3ebafc7f012

SHA512
dc3b4545fe3805820a48158c7b122c5b9c95a11048d9e95c75d25c1e031e30dc62d949abb1c34db1aad2fa955f45351a1e76ed5dee9b234971b6e9419af67b6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\UEkg.exe

Filesize
193KB

MD5
4b8dc9bbaf012a493749d71c367ce555

SHA1
578222c4f8d79fee10ac306b2138046fa610be87

SHA256
cd3654705cb2d065297cba3633c92f46ea5f7b19457566903f147911602793ce

SHA512
3136a05cb459b7fd28f74b952938fb26d5ce5611370e18b695d05324c3d298395d4275992e0c5508accfc8f2147ce5add9e4130fc01e5fefde0e7ec224bc4f55

Download Submit
C:\Users\Admin\AppData\Local\Temp\UsEO.exe

Filesize
1.3MB

MD5
9f935016fb35b62f586a4939e99716ad

SHA1
95a435c411ee32577ced9a85cb534a962872d0eb

SHA256
6a7576d17f032f6368ad2be5a4061d6b51f95fb7e13f761fc55a8c3deb98c683

SHA512
b08a2ab8c326f9fb4ac03c1a362aee9686c291f17c329bd41e8afeedb73536240ef0ad5e6daf566bc16279984917a2ad82bcc76c742619d4fed81ff9441da992

Download Submit
C:\Users\Admin\AppData\Local\Temp\WMIa.exe

Filesize
191KB

MD5
11ec390f89d5b87720cc0120e33e023c

SHA1
03e28e37bf097625f57ff7ffeead62aa4ce50df3

SHA256
2623981d3bd9229cdf3a49f30a9b5d6ceb5d4c9b94298e7a3a28aafb0276d57e

SHA512
8d7492b162be19099a55d818570b1d7b5d58f16d24efde2949200e5f18f2be626924759c1602048f812031a41b834fd9f592543d6a1ec4a7236c1d63be534255

Download Submit
C:\Users\Admin\AppData\Local\Temp\WUMO.exe

Filesize
193KB

MD5
9064f69cc28e49db0edf663ccc4554f9

SHA1
955926b5dca94b1f72bada5012d43550267869c7

SHA256
66a5845c57969d6a6baf3d0c7b778cec2694b79432417ccf7ed2fe19bf1e0fdc

SHA512
c6b9a982e4d9636db921bac4c8aa2f3fc309b49c8cd3fb52f9aaac031ca710463d90770cd363443d27922ecfc7cd0cbbcbe282be204f588ba7a0102caf500731

Download Submit
C:\Users\Admin\AppData\Local\Temp\YEYm.ico

Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\YUoS.exe

Filesize
204KB

MD5
8e2b6f52d8d2ff06cf84c66b5aca6d68

SHA1
6d04980a0ee92f5f8f43cc1e98f059e568c0d75d

SHA256
02f692f832f6eb641888fa6662ff6d054b8f24ef73483576e91681b78423e441

SHA512
f022f4091eaf521b22e8887860fd91134a5e0d1e4d48baabae7f1befc2780b6a720f2b1b22ef7d75c4e1c914a6735bac71b4f79963a2fcb2cc515e7e42021340

Download Submit
C:\Users\Admin\AppData\Local\Temp\YkYE.exe

Filesize
820KB

MD5
202e08671c8dbe3eb4500561190359d2

SHA1
7e606b7ceb4a6d1daafc3f1d07698e54aea43456

SHA256
aa5ff668a1667b599c590c85c20a32f4837241257d289e1f241b4350f9fadbca

SHA512
12e7bb62de9ff42cd7a2eaab76a56c99101eecf88dc071a86d1ac12d7e424455be6c054375377e8a0538602de1b76e55b92950cc92edcd6a2d680d48ac1d3e89

Download Submit
C:\Users\Admin\AppData\Local\Temp\aEUw.exe

Filesize
639KB

MD5
7de5e13cd55876e17f4c9cc9a382c651

SHA1
aa5a0ebf38291db5ce1d919836bc9bd0d4ec03ff

SHA256
297bfa38cb893624a60d1a14fc0205ed64a524e3305621d1adb5fa1148d08ae1

SHA512
9fdde5cae230f7c1d74c9bfa153407a52fd47bd65c30dc71bf183d5c9253187f1abe2ab5794b3d4658f2ce90a359a316e0ac971874a479b1e16299e75ac33599

Download Submit
C:\Users\Admin\AppData\Local\Temp\aIAW.exe

Filesize
207KB

MD5
8c025966c65f064a679d4791bbeb6126

SHA1
c3058b65aa9fbdfa2497fcadc0cb8041f6a5bbd6

SHA256
e46fc5a5d802fa0932d82b954cbbb2ef03f48610da21b01068c08cd5b4bc3f00

SHA512
f9a535238ee591d84b39cce59143ac0dfa9bac8ce6c5e91bda96c715f913796d86bbe25469200f3d010230378b8bbccae48a243b7fd3d04ed6abc6ee631ddf81

Download Submit
C:\Users\Admin\AppData\Local\Temp\aIkI.exe

Filesize
1.1MB

MD5
854bf8cfd031980e118fe933661f9c3d

SHA1
9cbe41d3e86198d1ad85828d81fe92b370b39153

SHA256
ec0a7d3fd0f307c5ffbfffd6edef221858c881f664ec4f6a6d9a2d01ea164752

SHA512
5c8f07e57683129c6d9392a86e12a99d1b65dda40f5a3661b6e385a276a84908f863a8d1afb9fef41847888015721f9e68ba83718efa6f05ce04bcd724cb2a68

Download Submit
C:\Users\Admin\AppData\Local\Temp\aQMM.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\aoIw.exe

Filesize
186KB

MD5
c9b43cc3bb9166755bc5d3b8512b354a

SHA1
fb4829ce7937b0c537f686122631ad8b7973fff2

SHA256
df5c0d846f43e6683924003341f2a94faf4f6ce58f36ea3d71793fea7c7b5eda

SHA512
b8405d3b5e8652873694e6cca05044f86b5f6898275d8c877bbb7dee81f9798b4ea593c18b18b4f33e9a478d40893fe3fd8edd9e38c15644f5ac94481e89c12d

Download Submit
C:\Users\Admin\AppData\Local\Temp\cUsG.exe

Filesize
194KB

MD5
1fe5e40151e2526f57dfaea0203bfaad

SHA1
74d986b375b246dd59c2953501c19bd4277d07e6

SHA256
14cf558e156f5b06764dd0a9eb9df1d670e2812150418df49b10759c1e9e7bbd

SHA512
4ea183c3b1c2908f0cf12f3eeedc6c5348c81582bda793e3e773865c62cf1632bb4c903c883ed25e4536f8513e2e50c80baf2338b4ec673f51946a4c2177c344

Download Submit
C:\Users\Admin\AppData\Local\Temp\cYUs.exe

Filesize
187KB

MD5
7c02da4feac1843dfb573f82f5071aa4

SHA1
15094aaaa4b36df3c83c2c32c9c673185b0c531b

SHA256
2dcd92b66bd4080b1ec35c208c3d1a9c8816e1c2106609fc2df7f80cf4a4e48f

SHA512
958066c6d46aca6b588db9ec54f3a83a358a6b29518299cd14a2814e2a4c6206e853b5dfb81fb6be80cbf1199eeda87de0e819a7aa2f4bfa025742722675c0f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\cgMY.exe

Filesize
198KB

MD5
aa9ffdc590b2f8c8bb24e75fcd86c8df

SHA1
1d2cf3a3020add0b4a91394eda1abd5e7e52bb48

SHA256
613aa432bd066ccca49c1d38987fd0e9e7238c5edeef9e2bb5798837a50a9d02

SHA512
d054b8bae2f53c9c8bfe86ced2d023a7ed421624a4e20098553672498d13015727d80755e81a9f9000c3641a34ceacf4305f9ebc9e7144f22d1e17d542bfd9db

Download Submit
C:\Users\Admin\AppData\Local\Temp\cgYe.exe

Filesize
221KB

MD5
e0b187742846bb2e081cd5b3876fbcf4

SHA1
a4f572aa2555c3eaff0e58ff0ee0314cd397450e

SHA256
dcd06192743cbd24bbab0c11280b53e8fbab94219ad038285190b9de762105f1

SHA512
c4c62156436f2ab2c1b59a5b8446a9371b11fae213d1946d2caf2b40462d6f470a6eb0a690ecf98a5947375762949a70de146e07add2cd0e50a4f42b09f38d13

Download Submit
C:\Users\Admin\AppData\Local\Temp\cggi.exe

Filesize
631KB

MD5
adce7425355854a3d45bebadb68c84dc

SHA1
8be57f40e978039c7db31766a96558f1e428566d

SHA256
e9ba3e8f1157f9777d0d347e461d5daef6f4c0ce2864dbb2cede3888ffaa99ed

SHA512
4c0a41bac6d38538fb4c576c1da5fea9494930620400c84ee4148ac093740f7591f03bacc1338ef81ba594efb1f7572890a9a081e245008fd5056f2ed93a6dae

Download Submit
C:\Users\Admin\AppData\Local\Temp\cwkU.exe

Filesize
634KB

MD5
4670c5a0bc7e19293876867f1474cbfa

SHA1
8452f4c945730492fddca63fae479f45aa24512c

SHA256
bc110025726354a0b73df9c50a9982ee4f87406014109c57752596210203b498

SHA512
6519ae0411414989474641dd353b3f468503ca573dd9272f3f8d19a1e079861f8980da9af404685579724a35c211119abb7d0b5a07fedb518828b00a25e9f7e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\eMQy.exe

Filesize
196KB

MD5
125c9cb7786f8b528c6c3d33f8e7104a

SHA1
44a09f73e9954364485eeba4e95a6cfa9dce400c

SHA256
a652b59febae31915c43b8577f7afe0c59416dbba667f86408771dd553bf125f

SHA512
6d9372562f1105bf040edffed8d2dedc9b20353674f9071bdefb220a8a8b9bac4fa08db849a7a1a37c2bace60ae7a88d7db4c192660e153bb247dcb90687833f

Download Submit
C:\Users\Admin\AppData\Local\Temp\eYkc.exe

Filesize
2.1MB

MD5
96979d05988a9bc6c67b363912729ea3

SHA1
284e0c551f62aa29b79b2add347ffb657d329edb

SHA256
d5b264f4ff6eba95ec15edbd9e105d9a27975edcd9fa8a9afe34f65b93993811

SHA512
597c8512cafdd0862b5c44606a6c5b5e8484be76776a8abed610d616ada85fb8bb3b481735a059ce96839b1b4ca2e4dd93f9c3e8233a669928cde218d50d63dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gUAY.exe

Filesize
197KB

MD5
89ced7fd77633ab456381060dcfa6e3f

SHA1
0f24a38cb442ddfd52e09f35186141448bc3b807

SHA256
72d80cbc68b68ffef26ca77215d14e325f2bea8ab91688641e31a219370b6c79

SHA512
e09f3a2efed2354483789635b1f865e73363922381dc54fc4b00301281f2e8db870b0986170bc68f2eb82912141fe079500239b71214f0e059bf5a17d171c572

Download Submit
C:\Users\Admin\AppData\Local\Temp\gYgc.exe

Filesize
436KB

MD5
9a55db45129a1673799128432f6e64f8

SHA1
fdf02d5ccb8b852fd44af020a45b0e602a336f0e

SHA256
6edadc483aef744ebd355f5d63a557300efa8e0c42c231f2768142fb99cfeb93

SHA512
bb1941a072865547eae69615e94c12aad05ecce425ad7c982104e52a0201f814b4aa39cd8dbb428fc874cb8c469f7353e956b879c54ca5d1d0f5194737b63f94

Download Submit
C:\Users\Admin\AppData\Local\Temp\gcwM.exe

Filesize
228KB

MD5
f10cf02148b29b0a251a67098c0946a9

SHA1
d9490c88207f800de49ac4f718bb850a93c01f56

SHA256
6b224163a76b03f399393bdb189320c16a8face3e72e9adb02aee471bdade9de

SHA512
003ce9db3e6aba0dcc6a6812df6b2e647ef8923ca43b23d3c7fae71917a03e76f84249f6565bbc3c222a522cb259ff000eab8746c8e93b3e4b9ced5f45ac3fbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\gkAA.exe

Filesize
320KB

MD5
c562bfbdf7ad382c7dbb09a37d8a4127

SHA1
79c91704ad37e125cd14f8e43f8f4f31f1d0a72f

SHA256
1094e78248b18c92bda56ce6942b5fe66455cfc6e716e096e386626224e34d4b

SHA512
f5a8d1f4baea9810af2de5f7eca5c4d9fd7212e3548a2d875ccf75b9d537121229a9e9aaf007e628c96ffe1dddbe8bced7545eb9ad4f94b69ef11756bfda4344

Download Submit
C:\Users\Admin\AppData\Local\Temp\iIgy.exe

Filesize
200KB

MD5
f30a177bb4ff1edc7463f04154b138b9

SHA1
f2e2e3218c7421db7fbed3dbd90c483d650a9a4a

SHA256
57d6cc5d4601a45cc51dda2a3b7a86b516a04f26545bce08ced8e0a7ba3e5c56

SHA512
4d9ce51a8f0c944224ceaa18f4bd4b63fb64d749de4f85805626850bc26ae33805e5489554f2e34672f50277f0cf303219a1316a79d5f7c17f498b8b5d1cce22

Download Submit
C:\Users\Admin\AppData\Local\Temp\icQk.exe

Filesize
225KB

MD5
0730ee8b50ca25bcba256605cb7cd850

SHA1
dabc7580648f748d68ea2714cd6f3eb9053816c2

SHA256
cda5369995092ddec37dfa11a16847c7ea666cedd874f033f20e2ecbae05e10a

SHA512
84ace2d8db4aa845ee13f558f860222497fa64693f482564e5280a500379663c4e0ef6cf254ed2f547ea10cdfd13c5bdcc1c8427b55a9a30789dabfbfe411a5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\iosa.exe

Filesize
192KB

MD5
208d5035fe42f77570a42533b93313ce

SHA1
3478ef072254df9c6bfd012811fb13362edec957

SHA256
6a76b5642c08b03598741a1e4af75085eaf7344c48416eb73e383ed9a0d7d0f5

SHA512
fd0438640e5dbb2bc2a28d8303bf70af8895e601ee882323d671c4f5ab55041262b24e14c1c51683e7ab6348a86cb43a6de309fcf95a49a665d28644578deb67

Download Submit
C:\Users\Admin\AppData\Local\Temp\kEUc.exe

Filesize
204KB

MD5
6834cfa59c25464f881b471c9fd95dda

SHA1
fef4ecd9b07cb75c66e84d80d65c8628590a3f09

SHA256
ca3ab918d55c3ba286436325f7f63f0e4d83a13676cbf564bad3250300d8e5ca

SHA512
ad1ad94d3b53d82943c4db9d30869d85189ff7dd2380575c9999d3795ca295e68b748d39b6eec7aaac6ebf49c66f6df8b5e6f1aea136c0a3b8cfd3b64bf2a0cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\kIEq.exe

Filesize
196KB

MD5
08e12d92bc69bc46f2bff542855ce6f4

SHA1
9407cc45861c5056f7fa5a3ae833cf0b9a8587d4

SHA256
3df165fb1cd2c70f2e9119aea8bee939263d37d581063064ee27b98023961d24

SHA512
54a90a057646dc4bc4ca3fc740bd89199d9d6ca6f1195453c534cf91bc75dc81706a67feaa9e924664371f6a39942fdd570f526933457f631deae243729af11d

Download Submit
C:\Users\Admin\AppData\Local\Temp\kMce.exe

Filesize
786KB

MD5
d8116d9c430bd49b726f88f6fb21b9ba

SHA1
8d8665abe4343af1e734571f710185adf31b4082

SHA256
47a408a42e9e4bf42668b2f1c8c2f51202cdc7dd6a894c4fb8aac3abcdcbbad7

SHA512
227f313ec23925cddfbeb7c0dc5b1eea5a2f10194ee02e93ac18694f7d93e98c980e52c5f81089cb5455de339becd2bcea0accd6e85246259f4578bc73c6d51d

Download Submit
C:\Users\Admin\AppData\Local\Temp\kQMY.exe

Filesize
183KB

MD5
86d2acd9fce2188550c45cb465510cb2

SHA1
1278b04ac26432a98aa044a76078a72f2192fa92

SHA256
22bee444f89a53d9c941b9a47f70b4ae568fe1ada625bf1569a6fd3e3cf65b5f

SHA512
9c7536184f8395d55474a4096aa9d70f57f3eb749530bb00126db3af4fcc2cb4b8809d28467b1843c514cf10dbf7700d14e85960850912ea85d5edb361d0b2b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\kkou.exe

Filesize
322KB

MD5
33b74dcf0a232615ba4b1efee2d4608a

SHA1
5f1ea81a0af996b99de0a56c178ba94ca20f0a21

SHA256
4e68111a0ffcccbc7aae84805400f496203c81086d98ac38664da548f8d51093

SHA512
f25dc5da2c0af6e56cd3623a778f0d0c521895c00408e83f6f9f087418b665960f57fb85e33b754a4a043e9a559e905f2878dc5a3ee2024d69c63d7a7c3fc0f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\kssu.exe

Filesize
318KB

MD5
2750484a4b0034ef8ce1b7f4310d005e

SHA1
c26dccd4c87286d1086aee9f6fc8df61759346f2

SHA256
60a468431b806242909aa17165ef4d7923d77742b39cfa4ce595b7b4ec8c5501

SHA512
dcaca28099fd5edf9debcd74d1dc63a3a47afcd8100aed4f4c9fa915659b17eed087f4675c534ae23cacad009ee0f5b51ee8b612e9044b9833bfb78d5c39239f

Download Submit
C:\Users\Admin\AppData\Local\Temp\mwkm.exe

Filesize
198KB

MD5
eb845cab063e1de01366d23cccc05cb1

SHA1
b8c1e619eb8105ef66d6bfe430cc9a638181e6e6

SHA256
d30d656aa714f0d79e18503300ffc32cf68ec36dc0065442b228a5f8ee2f54c6

SHA512
6b3505b4964ff722cdcf7ae1c74dbfc65c5d0c1842766a02a6acb815385f7170b67f9e92f6b667481b842ea3603ec09c20b40437c2aa664cfa113c6f19a0b0a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\oksG.exe

Filesize
202KB

MD5
b5ecc19f9ce21c5a41f9e2c2e40d8332

SHA1
74f80ff6a8df44b114d42778bb5829de49a891e4

SHA256
9708e985834b0866ebf6afdc9cb55c3106088c8182f2eae4692e83b741926e67

SHA512
a2bd8b563f2939100c73f9b2ed1c741a02c046c74c32e60e87e04b572eac9f7bc1cbd3996439dd83e7a98b812c3fe53801496d1102b76b96d12c49bb59b58208

Download Submit
C:\Users\Admin\AppData\Local\Temp\qUEe.exe

Filesize
208KB

MD5
f0d06c14070e311c518d1e1ca98994f5

SHA1
a2c5b526a04f699acf63a068a8921d6cab38e431

SHA256
9caf52686d0f3cafe942ff0b27863c2431849a1fc27a37c6051107165096d5f5

SHA512
a8e5715e9632c47bdbf64d75f4ff3bd31c968d6264e3eb8c8017d03a4a4131204c9afb44c4fb2cafb67c37b82956fa027d3c053ba4ba0c61b6117b6a23dc2018

Download Submit
C:\Users\Admin\AppData\Local\Temp\qUcK.exe

Filesize
252KB

MD5
ad39d651f6e2087f43a32f7825857e1c

SHA1
2d9928175cfa360d8056ec152748bd12be6b4d2f

SHA256
14aac29a72795d5c3cc9d5d06e047e72d18b21fee716c1f7aa73aa8cad9bce88

SHA512
7d7c7085756ed840a5a167c1dab13541b5f6165655910c2aaa7354f69b26abc6e63566763f965d3686b2247fe571b7a45a7c14b95e8300af6919d51344082efd

Download Submit
C:\Users\Admin\AppData\Local\Temp\sEAy.exe

Filesize
5.2MB

MD5
387e96dcdf1a4607db74dd83df3f2a64

SHA1
37ee9ffcacf688ccd531f5325022625aafd71e93

SHA256
22dbac0ec85d7b024ae33c59a82599271a265ed9a2e4e95fc1a8a14eb9eec75d

SHA512
d322eb8542a0ad6348387676d7114796fd62c245df962b7ae603500c64ed642011974b5f169904e0ff56e9829e5507b67fae48b334e115680a26e1174de27ad1

Download Submit
C:\Users\Admin\AppData\Local\Temp\skIG.exe

Filesize
812KB

MD5
930b566709bf31f7950227275b54ab12

SHA1
9c7147e687f0bd01938e2dad9b388ed24d15ff50

SHA256
4ed0464714feb55f7826910af85556268cc52c7eed9ea0996a89d3119e907ccb

SHA512
34e8885d71d29c3bcf9ddbf416a9867ce05bc6dc78959da0d8723780b1a97f46d00c556dad320909168d88906cc37218ed1285b2df476ab675e84a5e715e9792

Download Submit
C:\Users\Admin\AppData\Local\Temp\soEA.exe

Filesize
197KB

MD5
f0c3e85474f829723604cd3a74690b89

SHA1
1185daacfdecdb74ab8c0eaade04b4d192eae185

SHA256
7d21c10e40d2e4188ea30c3e88cb5b8463e7dc4ff5619e908af667ebfee25899

SHA512
a1b64ca938be99c6cadbeb9a37c67e78e82eb77da1d74ff612e31cd94ed5168a2828d4144a16b4da52281b0562ce0750a5b359df5904d4f4d573954ff5da91b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\uEIS.exe

Filesize
570KB

MD5
47c52f5095ad1d892959b9012b4a2693

SHA1
5d6c07251db47dfc837c34b00d56d7485bb99e6b

SHA256
16b4881e5d43ad4897457f31e37c0c96a867988f980cee2d16084e3632cd987a

SHA512
13f099ec523a7b6af93fc6043b6d6c9b9239335d3f60ce9e09954108da2c6e3a397803ff77800990a4771fcd903a46d89de61540fd5026cca9c45b006378643d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ukUu.exe

Filesize
198KB

MD5
14bb81bc533bdc410ac829c32f394588

SHA1
d70fd6d18fd928f05707b0215b83cb0fd0809a40

SHA256
c43a74eb163c72ccabaa84dd88d025cd7e9ea985d63adbec03382e42002fcf88

SHA512
b9b632ebf966cd607ee4abae958ba04f017f4b9de7689a06859833f93cd53becceda67e7e4a89da22b058ba0712ed8a8488f595e6ad52b18195744d3e7ef3c46

Download Submit
C:\Users\Admin\AppData\Local\Temp\ukYA.exe

Filesize
533KB

MD5
757689f845f4b8e1487568246060e40f

SHA1
a95d511ec1416aa6b94fda40e2603f40a1cb94ef

SHA256
ea8629512bba63f4b1f96445f07502656fb6b4aef2580fd8724609636ca97c72

SHA512
2e2f8605797f05c5da48f690d4473939dae2df90ef589667597715035741f8cf447960a9b353319e0cd44dc1246531a8b7c7092c1afe57c8b97e48ca00f9cbe3

Download Submit
C:\Users\Admin\AppData\Local\Temp\wEII.exe

Filesize
798KB

MD5
dd17f72ccdc4d6d32b8bb424fdbc04a8

SHA1
dc9ed11d4225d6c6810428f37eba73d17a4298c6

SHA256
d1c5d4c77e06769b5417da7b6c91f196b71151022ee49b2b0a4a2249ef471063

SHA512
2dae324101ab3d794304a4648f55ee2397844778c9b9e5dd9df64ccf4c2727868fc42582abcfe175c4f8a7ff201630946c0b675c7cb1c5745bbe43f165620cd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\wQYU.exe

Filesize
198KB

MD5
99687f33e9ef8fd17cbb08645f29a98e

SHA1
93e4f60ba3a805212bc7bba26d07d5ab3a2f595f

SHA256
84d8a0323668659be68d783cfd3daf128c059938e312e2f9281e551a19f0fc8c

SHA512
4165475d36c29fe842ce618e44fa053cf4f7726755a8c1c23171e313edde1d255a903794c7ea1d7ef29122952ad9f89a996a152c2b80f24cd71f795125489ab9

Download Submit
C:\Users\Admin\AppData\Local\Temp\wkIY.ico

Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\AppData\Local\Temp\yccQ.exe

Filesize
205KB

MD5
3a5a3fcbf1f87c35a43b155560b5481d

SHA1
edeb4527750d14df982c6363a33a8359b276c972

SHA256
b26720eb36951ea752dd833a17663ee44d6a73fe8f7ea068374adfa09448b3a4

SHA512
41940ade162ac94dcef8a8580d441ca35dcd1329168d94ecab3cce7e2375f95fc16de5c8de04e686e1ef6aa2240ddad51654c22b20b6a4a9a56f3794c41f29e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ysEI.exe

Filesize
188KB

MD5
4d4b39217c02a4cf79e5d776086998c9

SHA1
2be810b59cdbe8f679ab400eb6067bfd508fa9a5

SHA256
96018c48e182761d8f977065baa3091df7c381fde93537d130dd4d4caedcc61d

SHA512
68a9b83d965de056f757a36bc35140512eaaf281a64eea90654633779365e5133a2fe9e99a23d00b47fcd3e8a153d540bd9c599dfed8d79644cb855fc9707b1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\yssG.exe

Filesize
195KB

MD5
e5337d53a78a5aedaa7bf7c3ef47c2db

SHA1
9c969cd773023fa3986bc2a7e9e7804258a36eac

SHA256
7f89a43e31ba26242a92b407db6486b576b5c19535f83d02e0c24d60ebe19c08

SHA512
500bff7fd152061869cb95b3b4e5cf520b0174847cc65b05a7c66986e151074620e096670ed6b813a1afa4b9d2e4e8c8938633962c3bfe3c8b595d6475d9cd05

Download Submit
C:\Users\Admin\AppData\Local\Temp\ywQW.exe

Filesize
207KB

MD5
df7820af6bfff0290921356fad2a4a3d

SHA1
81097405e0581db52db88eef3bea30c425533b22

SHA256
869e2617e611b5b15e20d571e570f50b534b5d9b08bb5b373e50ed7c1c1612ab

SHA512
345c64e9045090d91db7dbfc6c28a12fff94274c18c5fca1a7d6960a56315dd1b787e248eb6f15171188ea1c4aaa84148fb7b77bca5fd37a26d188c73debb7e1

Download Submit
C:\Users\Admin\AppData\Roaming\ConvertFromOptimize.wma.exe

Filesize
898KB

MD5
8594639d8eb8f250b4c0c28774409944

SHA1
e1462b9b2fc36a7233c268821d6b73b3054c6452

SHA256
b1f3a405c9a0a99ace297e1ae518b9de11837e33614c3c785de2b8fbfb6140cc

SHA512
b52e369331d56c953710ce8471f398adbca76ebae5baca349b630b6086cfab789c4b7165017b12ce2a0df77d305a83a59c9340e4b093434fcb79415ce79c4f0e

Download Submit
C:\Users\Admin\Downloads\CompleteExport.mpg.exe

Filesize
678KB

MD5
9ee160c68cd5743b551602c7c6bcec86

SHA1
b76e12030f1195df713ebad4431313c02aed2d20

SHA256
cce89854faea58b7644f7ac6e4fa7ff76976819943b7e8287fdbf4b336738c9c

SHA512
32c524f37b21668598ce9d6d8b144ab7b85c141ec04cb2a4f068331e70b09292433b34b2f5dbc4b94524e342daafbbbdf299c46901dcda20d42d5927598640ab

Download Submit
C:\Users\Admin\EWIkcUQU\UYkYgUcM.exe

Filesize
188KB

MD5
f884189dbe8751d0b56a6bf5540d24b6

SHA1
7cc35b353c76386afd1fe9640116a01ce1718da6

SHA256
4f00cfb9e67e75d495e91304b685387c57df1db3aec615cc6fb7607de89c3c20

SHA512
2f19c853b592425d616854d72d0c009abd4f412fc67d909e4bc2e5715112fe4ee847c4b7c6b0d0934d2838e44d86bb8426da88ec00cf777ab0e5617f788b1262

Download Submit
C:\Windows\SysWOW64\shell32.dll.exe

Filesize
5.9MB

MD5
ba64f97cc5c79c00800da51167025a31

SHA1
f577a068cf8c5c94659425fb3e254d4019d05ac9

SHA256
8fadce84927598ed8470f59c86dc25b669fc5c4c03dcaf2bf1d3634d9b6ff74c

SHA512
9d08cc6e5757aabad8777c30dc0ae164b55f93b550314ce197eaf8d81e853a00a11b6ef3d3fa0d02e276468e0042d2a7d8b08b35d27ab74e06af693d56b27a01

Download Submit
memory/264-231-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/464-396-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/464-383-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/840-82-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1036-15-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1540-392-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1552-19-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1552-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1620-284-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1808-13-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2100-359-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2100-367-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2188-330-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2676-206-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2676-190-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2816-268-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2816-250-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2980-254-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3036-227-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3036-242-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3112-219-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3112-202-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3160-276-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3160-264-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3172-45-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3172-30-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3256-158-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3256-143-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3648-102-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3648-120-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3796-144-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3796-128-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3844-57-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3844-46-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4140-90-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4140-106-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4176-311-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4176-303-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4256-363-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4256-376-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4276-151-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4276-170-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4420-302-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4524-387-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4524-132-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4524-116-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4524-377-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4596-313-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4596-322-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4648-68-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4664-182-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4664-166-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4728-401-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4740-332-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4740-339-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4796-294-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4844-20-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4844-34-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4888-78-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4888-94-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4896-357-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4928-349-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4996-178-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4996-194-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download