8eb1341e2664ecc472650204fdcb53f928340d4c668715c7950871aecd109dca

Analysis

max time kernel
150s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05-08-2024 10:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
Size

191KB
MD5

270ed136d56c54fbfb1966632b078e73
SHA1

ac3844f6244e9526d4ac5767eafdc8164148df14
SHA256

8eb1341e2664ecc472650204fdcb53f928340d4c668715c7950871aecd109dca
SHA512

32d9740d6f8affe38af5db877a8005d3c380df36a23e38b6e131c37d533a1f84e12dc658ac23f72ef6bf8c970bfa2d070f70f98b8702567cf46fe5f213dde69a
SSDEEP

3072:RE9pPhTb7j4r4pQJUNpRXxBd6SsJ8TSZarF7bphNXB0d/bwx5RssBdxVqonXHxXT:RE9pP97j4r4cUNpRXxBd6SsJ8TSZaZ73

Score

10^/10

discovery evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (79) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Blocklisted process makes network request 1 IoCs

flow	pid	Process
28	4816	sihclient.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	SeQIsQgk.exe

Executes dropped EXE 2 IoCs

pid	Process
2676	SeQIsQgk.exe
4196	EugIUEIc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SeQIsQgk.exe = "C:\\Users\\Admin\\kIkQkMYQ\\SeQIsQgk.exe"	SeQIsQgk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\EugIUEIc.exe = "C:\\ProgramData\\IoQYoIQE\\EugIUEIc.exe"	EugIUEIc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SeQIsQgk.exe = "C:\\Users\\Admin\\kIkQkMYQ\\SeQIsQgk.exe"	2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\EugIUEIc.exe = "C:\\ProgramData\\IoQYoIQE\\EugIUEIc.exe"	2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\shell32.dll.exe	SeQIsQgk.exe
File opened for modification	C:\Windows\SysWOW64\shell32.dll.exe	SeQIsQgk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
4624	reg.exe
4332	reg.exe
4768	reg.exe
5072	reg.exe
4260	reg.exe
1516	reg.exe
3892	reg.exe
4556	reg.exe
4868	reg.exe
1676	reg.exe
1640	reg.exe
2352	reg.exe
4688	reg.exe
4908	reg.exe
4016	reg.exe
5080	reg.exe
556	reg.exe
2496	reg.exe
1628	Process not Found
1012	reg.exe
4856	reg.exe
1692	reg.exe
3388	reg.exe
4260	reg.exe
872	reg.exe
1256	reg.exe
4912	Process not Found
3312	Process not Found
4412	reg.exe
384	reg.exe
3736	reg.exe
2888	Process not Found
4624	Process not Found
1668	reg.exe
2912	reg.exe
4116	reg.exe
652	reg.exe
1240	reg.exe
4816	Process not Found
4912	reg.exe
2320	reg.exe
4528	reg.exe
4508	reg.exe
4120	reg.exe
1284	reg.exe
652	reg.exe
2560	reg.exe
3948	reg.exe
3584	reg.exe
1632	reg.exe
976	reg.exe
540	reg.exe
4500	reg.exe
3856	reg.exe
1988	reg.exe
4540	Process not Found
3176	reg.exe
1640	reg.exe
4424	reg.exe
2400	reg.exe
824	reg.exe
116	reg.exe
2912	reg.exe
1660	Process not Found

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3740	2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
3740	2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
3740	2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
3740	2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
3424	2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
3424	2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
3424	2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
3424	2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
2920	2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
2920	2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
2920	2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
2920	2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
1624	2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
1624	2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
1624	2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
1624	2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
3892	2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
3892	2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
3892	2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
3892	2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
5100	2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
5100	2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
5100	2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
5100	2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
1000	2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
1000	2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
1000	2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
1000	2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
2296	2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
2296	2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
2296	2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
2296	2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
4836	2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
4836	2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
4836	2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
4836	2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
3004	2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
3004	2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
3004	2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
3004	2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
5056	2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
5056	2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
5056	2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
5056	2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
4260	2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
4260	2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
4260	2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
4260	2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
3468	2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
3468	2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
3468	2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
3468	2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
4356	2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
4356	2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
4356	2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
4356	2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
752	2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
752	2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
752	2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
752	2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
5088	2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
5088	2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
5088	2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
5088	2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2676	SeQIsQgk.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2676	SeQIsQgk.exe
2676	SeQIsQgk.exe
2676	SeQIsQgk.exe
2676	SeQIsQgk.exe
2676	SeQIsQgk.exe
2676	SeQIsQgk.exe
2676	SeQIsQgk.exe
2676	SeQIsQgk.exe
2676	SeQIsQgk.exe
2676	SeQIsQgk.exe
2676	SeQIsQgk.exe
2676	SeQIsQgk.exe
2676	SeQIsQgk.exe
2676	SeQIsQgk.exe
2676	SeQIsQgk.exe
2676	SeQIsQgk.exe
2676	SeQIsQgk.exe
2676	SeQIsQgk.exe
2676	SeQIsQgk.exe
2676	SeQIsQgk.exe
2676	SeQIsQgk.exe
2676	SeQIsQgk.exe
2676	SeQIsQgk.exe
2676	SeQIsQgk.exe
2676	SeQIsQgk.exe
2676	SeQIsQgk.exe
2676	SeQIsQgk.exe
2676	SeQIsQgk.exe
2676	SeQIsQgk.exe
2676	SeQIsQgk.exe
2676	SeQIsQgk.exe
2676	SeQIsQgk.exe
2676	SeQIsQgk.exe
2676	SeQIsQgk.exe
2676	SeQIsQgk.exe
2676	SeQIsQgk.exe
2676	SeQIsQgk.exe
2676	SeQIsQgk.exe
2676	SeQIsQgk.exe
2676	SeQIsQgk.exe
2676	SeQIsQgk.exe
2676	SeQIsQgk.exe
2676	SeQIsQgk.exe
2676	SeQIsQgk.exe
2676	SeQIsQgk.exe
2676	SeQIsQgk.exe
2676	SeQIsQgk.exe
2676	SeQIsQgk.exe
2676	SeQIsQgk.exe
2676	SeQIsQgk.exe
2676	SeQIsQgk.exe
2676	SeQIsQgk.exe
2676	SeQIsQgk.exe
2676	SeQIsQgk.exe
2676	SeQIsQgk.exe
2676	SeQIsQgk.exe
2676	SeQIsQgk.exe
2676	SeQIsQgk.exe
2676	SeQIsQgk.exe
2676	SeQIsQgk.exe
2676	SeQIsQgk.exe
2676	SeQIsQgk.exe
2676	SeQIsQgk.exe
2676	SeQIsQgk.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3740 wrote to memory of 2676	3740	2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe	88
PID 3740 wrote to memory of 2676	3740	2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe	88
PID 3740 wrote to memory of 2676	3740	2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe	88
PID 3740 wrote to memory of 4196	3740	2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe	89
PID 3740 wrote to memory of 4196	3740	2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe	89
PID 3740 wrote to memory of 4196	3740	2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe	89
PID 3740 wrote to memory of 4948	3740	2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe	90
PID 3740 wrote to memory of 4948	3740	2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe	90
PID 3740 wrote to memory of 4948	3740	2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe	90
PID 4948 wrote to memory of 3424	4948	cmd.exe	92
PID 4948 wrote to memory of 3424	4948	cmd.exe	92
PID 4948 wrote to memory of 3424	4948	cmd.exe	92
PID 3740 wrote to memory of 1692	3740	2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe	93
PID 3740 wrote to memory of 1692	3740	2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe	93
PID 3740 wrote to memory of 1692	3740	2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe	93
PID 3740 wrote to memory of 2400	3740	2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe	94
PID 3740 wrote to memory of 2400	3740	2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe	94
PID 3740 wrote to memory of 2400	3740	2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe	94
PID 3740 wrote to memory of 1112	3740	2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe	95
PID 3740 wrote to memory of 1112	3740	2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe	95
PID 3740 wrote to memory of 1112	3740	2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe	95
PID 3740 wrote to memory of 2180	3740	2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe	96
PID 3740 wrote to memory of 2180	3740	2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe	96
PID 3740 wrote to memory of 2180	3740	2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe	96
PID 2180 wrote to memory of 456	2180	cmd.exe	101
PID 2180 wrote to memory of 456	2180	cmd.exe	101
PID 2180 wrote to memory of 456	2180	cmd.exe	101
PID 3424 wrote to memory of 4340	3424	2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe	102
PID 3424 wrote to memory of 4340	3424	2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe	102
PID 3424 wrote to memory of 4340	3424	2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe	102
PID 4340 wrote to memory of 2920	4340	cmd.exe	104
PID 4340 wrote to memory of 2920	4340	cmd.exe	104
PID 4340 wrote to memory of 2920	4340	cmd.exe	104
PID 3424 wrote to memory of 2296	3424	2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe	105
PID 3424 wrote to memory of 2296	3424	2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe	105
PID 3424 wrote to memory of 2296	3424	2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe	105
PID 3424 wrote to memory of 2160	3424	2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe	106
PID 3424 wrote to memory of 2160	3424	2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe	106
PID 3424 wrote to memory of 2160	3424	2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe	106
PID 3424 wrote to memory of 1956	3424	2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe	107
PID 3424 wrote to memory of 1956	3424	2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe	107
PID 3424 wrote to memory of 1956	3424	2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe	107
PID 3424 wrote to memory of 2932	3424	2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe	108
PID 3424 wrote to memory of 2932	3424	2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe	108
PID 3424 wrote to memory of 2932	3424	2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe	108
PID 2932 wrote to memory of 372	2932	cmd.exe	113
PID 2932 wrote to memory of 372	2932	cmd.exe	113
PID 2932 wrote to memory of 372	2932	cmd.exe	113
PID 2920 wrote to memory of 4436	2920	2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe	114
PID 2920 wrote to memory of 4436	2920	2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe	114
PID 2920 wrote to memory of 4436	2920	2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe	114
PID 2920 wrote to memory of 4840	2920	2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe	116
PID 2920 wrote to memory of 4840	2920	2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe	116
PID 2920 wrote to memory of 4840	2920	2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe	116
PID 2920 wrote to memory of 2292	2920	2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe	117
PID 2920 wrote to memory of 2292	2920	2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe	117
PID 2920 wrote to memory of 2292	2920	2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe	117
PID 2920 wrote to memory of 4912	2920	2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe	118
PID 2920 wrote to memory of 4912	2920	2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe	118
PID 2920 wrote to memory of 4912	2920	2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe	118
PID 2920 wrote to memory of 2688	2920	2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe	119
PID 2920 wrote to memory of 2688	2920	2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe	119
PID 2920 wrote to memory of 2688	2920	2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe	119
PID 4436 wrote to memory of 1624	4436	cmd.exe	120

C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3740
- C:\Users\Admin\kIkQkMYQ\SeQIsQgk.exe
  "C:\Users\Admin\kIkQkMYQ\SeQIsQgk.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:2676
- C:\ProgramData\IoQYoIQE\EugIUEIc.exe
  "C:\ProgramData\IoQYoIQE\EugIUEIc.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4196
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4948
- - C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
    C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3424
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4340
    - - C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2920
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4436
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"
        8⤵
        
        PID:4528
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"
        10⤵
        
        PID:4352
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"
        12⤵
        
        PID:4956
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"
        14⤵
        
        PID:4140
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"
        16⤵
        
        PID:2436
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"
        18⤵
        
        PID:668
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"
        20⤵
        
        PID:1040
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"
        22⤵
        
        PID:1932
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"
        24⤵
        
        PID:3140
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"
        26⤵
        
        PID:2872
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"
        28⤵
        
        PID:3012
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"
        30⤵
        
        PID:2560
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"
        32⤵
        
        PID:4956
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock
        33⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"
        34⤵
        
        PID:2920
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock
        35⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"
        36⤵
        System Location Discovery: System Language Discovery
        
        PID:3976
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock
        37⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"
        38⤵
        
        PID:2336
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock
        39⤵
        
        PID:3220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"
        40⤵
        System Location Discovery: System Language Discovery
        
        PID:4868
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock
        41⤵
        
        PID:372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"
        42⤵
        
        PID:1272
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock
        43⤵
        
        PID:1196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"
        44⤵
        
        PID:2136
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock
        45⤵
        
        PID:1020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"
        46⤵
        
        PID:3908
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock
        47⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"
        48⤵
        
        PID:752
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock
        49⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"
        50⤵
        
        PID:4484
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock
        51⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"
        52⤵
        
        PID:372
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock
        53⤵
        System Location Discovery: System Language Discovery
        
        PID:4864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"
        54⤵
        System Location Discovery: System Language Discovery
        
        PID:4812
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock
        55⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"
        56⤵
        
        PID:2188
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock
        57⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"
        58⤵
        
        PID:4200
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock
        59⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"
        60⤵
        
        PID:3476
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock
        61⤵
        
        PID:752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"
        62⤵
        
        PID:4540
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock
        63⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"
        64⤵
        
        PID:1272
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock
        65⤵
        
        PID:944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"
        66⤵
        
        PID:1296
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock
        67⤵
        
        PID:784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"
        68⤵
        
        PID:216
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock
        69⤵
        
        PID:1392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"
        70⤵
        
        PID:3092
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock
        71⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"
        72⤵
        
        PID:3652
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock
        73⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"
        74⤵
        
        PID:1224
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock
        75⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"
        76⤵
        
        PID:208
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock
        77⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"
        78⤵
        
        PID:856
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock
        79⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"
        80⤵
        
        PID:3204
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock
        81⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"
        82⤵
        
        PID:2912
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock
        83⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"
        84⤵
        
        PID:3056
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock
        85⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"
        86⤵
        
        PID:4692
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock
        87⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"
        88⤵
        
        PID:2152
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock
        89⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"
        90⤵
        
        PID:4424
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock
        91⤵
        
        PID:1068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"
        92⤵
        
        PID:3908
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock
        93⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"
        94⤵
        
        PID:4408
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock
        95⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"
        96⤵
        System Location Discovery: System Language Discovery
        
        PID:1520
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock
        97⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"
        98⤵
        
        PID:232
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock
        99⤵
        
        PID:4528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"
        100⤵
        
        PID:372
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock
        101⤵
        System Location Discovery: System Language Discovery
        
        PID:208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"
        102⤵
        
        PID:2180
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock
        103⤵
        System Location Discovery: System Language Discovery
        
        PID:2292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"
        104⤵
        
        PID:1932
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock
        105⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"
        106⤵
        
        PID:4624
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock
        107⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"
        108⤵
        
        PID:4364
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock
        109⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"
        110⤵
        
        PID:5088
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock
        111⤵
        
        PID:824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"
        112⤵
        
        PID:3004
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock
        113⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"
        114⤵
        
        PID:3596
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock
        115⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"
        116⤵
        
        PID:784
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock
        117⤵
        
        PID:668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"
        118⤵
        
        PID:4216
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock
        119⤵
        
        PID:1184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"
        120⤵
        
        PID:1540
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock
        121⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"
        122⤵
        System Location Discovery: System Language Discovery
        
        PID:4764
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock
        123⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"
        124⤵
        
        PID:3116
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock
        125⤵
        
        PID:816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"
        126⤵
        
        PID:2940
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock
        127⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"
        128⤵
        
        PID:1988
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock
        129⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"
        130⤵
        
        PID:1456
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock
        131⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"
        132⤵
        
        PID:1000
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock
        133⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"
        134⤵
        
        PID:2388
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock
        135⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"
        136⤵
        
        PID:3100
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock
        137⤵
        System Location Discovery: System Language Discovery
        
        PID:4332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"
        138⤵
        
        PID:4460
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock
        139⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"
        140⤵
        
        PID:1792
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock
        141⤵
        
        PID:668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"
        142⤵
        
        PID:4092
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock
        143⤵
        
        PID:400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"
        144⤵
        
        PID:4436
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock
        145⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"
        146⤵
        
        PID:4884
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock
        147⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"
        148⤵
        
        PID:4008
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock
        149⤵
        System Location Discovery: System Language Discovery
        
        PID:1660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"
        150⤵
        
        PID:3872
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock
        151⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"
        152⤵
        
        PID:2660
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock
        153⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"
        154⤵
        
        PID:4512
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock
        155⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"
        156⤵
        
        PID:5084
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock
        157⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"
        158⤵
        
        PID:2016
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock
        159⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"
        160⤵
        
        PID:3500
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock
        161⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"
        162⤵
        
        PID:816
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock
        163⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"
        164⤵
        
        PID:2792
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock
        165⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"
        166⤵
        
        PID:1224
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock
        167⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"
        168⤵
        
        PID:824
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock
        169⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"
        170⤵
        
        PID:4436
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock
        171⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"
        172⤵
        
        PID:4932
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock
        173⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"
        174⤵
        
        PID:1292
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock
        175⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"
        176⤵
        
        PID:384
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock
        177⤵
        
        PID:3212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"
        178⤵
        
        PID:4272
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock
        179⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"
        180⤵
        
        PID:3056
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock
        181⤵
        
        PID:4192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"
        182⤵
        
        PID:2940
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock
        183⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"
        184⤵
        
        PID:3512
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        185⤵
        
        PID:3772
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock
        185⤵
        
        PID:936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"
        186⤵
        
        PID:4492
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock
        187⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"
        188⤵
        
        PID:4076
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock
        189⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"
        190⤵
        
        PID:3652
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock
        191⤵
        
        PID:452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"
        192⤵
        
        PID:4912
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock
        193⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"
        194⤵
        
        PID:1112
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock
        195⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"
        196⤵
        
        PID:1108
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock
        197⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"
        198⤵
        
        PID:4068
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock
        199⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"
        200⤵
        
        PID:4692
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock
        201⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"
        202⤵
        
        PID:3236
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock
        203⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"
        204⤵
        
        PID:4600
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock
        205⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"
        206⤵
        
        PID:3976
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock
        207⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"
        208⤵
        
        PID:2024
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        209⤵
        
        PID:4932
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock
        209⤵
        
        PID:3204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"
        210⤵
        
        PID:2192
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock
        211⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"
        212⤵
        
        PID:2688
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock
        213⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"
        214⤵
        
        PID:2136
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock
        215⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"
        216⤵
        
        PID:4888
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock
        217⤵
        System Location Discovery: System Language Discovery
        
        PID:1040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"
        218⤵
        
        PID:4344
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock
        219⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"
        220⤵
        System Location Discovery: System Language Discovery
        
        PID:4840
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock
        221⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"
        222⤵
        
        PID:4708
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock
        223⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"
        224⤵
        
        PID:2552
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock
        225⤵
        
        PID:3268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"
        226⤵
        
        PID:4812
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock
        227⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"
        228⤵
        
        PID:5064
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock
        229⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"
        230⤵
        
        PID:1996
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock
        231⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"
        232⤵
        
        PID:2552
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock
        233⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"
        234⤵
        
        PID:2216
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock
        235⤵
        
        PID:3800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"
        236⤵
        
        PID:5032
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock
        237⤵
        
        PID:752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"
        238⤵
        
        PID:4200
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock
        239⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"
        240⤵
        
        PID:2880
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        241⤵
        
        PID:3204
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock
        241⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"
        242⤵
        
        PID:3396
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        243⤵
        
        PID:4984
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock
        243⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"
        244⤵
        
        PID:3892
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        245⤵
        
        PID:5108
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock
        245⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"
        246⤵
        System Location Discovery: System Language Discovery
        
        PID:4428
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock
        247⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"
        248⤵
        
        PID:2736
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock
        249⤵
        
        PID:3448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"
        250⤵
        
        PID:3208
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock
        251⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"
        252⤵
        
        PID:1296
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock
        253⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"
        254⤵
        
        PID:1480
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock
        255⤵
        System Location Discovery: System Language Discovery
        
        PID:1060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"
        256⤵
        
        PID:4308
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock
        257⤵
        
        PID:348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"
        258⤵
        
        PID:4424
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock
        259⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"
        260⤵
        
        PID:1732
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock
        261⤵
        
        PID:3216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"
        262⤵
        
        PID:3176
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock
        263⤵
        
        PID:3356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"
        264⤵
        System Location Discovery: System Language Discovery
        
        PID:4844
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        265⤵
        
        PID:1816
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock
        265⤵
        
        PID:1060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"
        266⤵
        
        PID:2836
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        267⤵
        
        PID:2604
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock
        267⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"
        268⤵
        
        PID:5080
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock
        269⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"
        270⤵
        
        PID:3004
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock
        271⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"
        272⤵
        
        PID:4236
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock
        273⤵
        
        PID:1196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"
        274⤵
        
        PID:2060
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock
        275⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"
        276⤵
        
        PID:4900
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock
        277⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"
        278⤵
        
        PID:3396
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        279⤵
        
        PID:100
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock
        279⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"
        280⤵
        
        PID:856
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        281⤵
        
        PID:2912
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock
        281⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        280⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        280⤵
        
        PID:3300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        280⤵
        
        PID:2148
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        281⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QCkwQsEA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe""
        280⤵
        
        PID:3472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        278⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        278⤵
        
        PID:3444
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        279⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        278⤵
        System Location Discovery: System Language Discovery
        
        PID:5072
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        279⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FYoswcwA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe""
        278⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        279⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        276⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        276⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        276⤵
        
        PID:452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hEYIokAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe""
        276⤵
        
        PID:1212
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        277⤵
        
        PID:1240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        274⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        274⤵
        System Location Discovery: System Language Discovery
        
        PID:2024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        274⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TUIYIkEA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe""
        274⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        275⤵
        
        PID:924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        272⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        272⤵
        
        PID:4452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        272⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xKsYMskg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe""
        272⤵
        System Location Discovery: System Language Discovery
        
        PID:4864
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        273⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        270⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        270⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        270⤵
        Modifies registry key
        
        PID:2912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OAIIoUsQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe""
        270⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        271⤵
        
        PID:3224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        268⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        268⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        268⤵
        Modifies registry key
        
        PID:1240
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        269⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oAsgUIAA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe""
        268⤵
        
        PID:4504
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        269⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        269⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        266⤵
        
        PID:1264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        266⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        266⤵
        UAC bypass
        
        PID:652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kmMMsUgM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe""
        266⤵
        
        PID:2152
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        267⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        267⤵
        
        PID:452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        264⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4076
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        265⤵
        
        PID:3496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        264⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        264⤵
        
        PID:752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wEUMEQAw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe""
        264⤵
        System Location Discovery: System Language Discovery
        
        PID:4344
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        265⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        262⤵
        
        PID:4316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        262⤵
        
        PID:3224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        262⤵
        
        PID:2216
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        263⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uqwgYUMs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe""
        262⤵
        
        PID:1296
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        263⤵
        
        PID:3268
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        263⤵
        
        PID:4192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        260⤵
        
        PID:2584
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        261⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        260⤵
        
        PID:100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        260⤵
        UAC bypass
        
        PID:864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HCUMoMQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe""
        260⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        261⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        258⤵
        System Location Discovery: System Language Discovery
        
        PID:3140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        258⤵
        
        PID:636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        258⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XSYYwMcA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe""
        258⤵
        
        PID:4540
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        259⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        259⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        256⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3748
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        257⤵
        
        PID:228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        256⤵
        
        PID:944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        256⤵
        
        PID:4200
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        257⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RuwcQwgo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe""
        256⤵
        
        PID:4352
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        257⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        257⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        254⤵
        
        PID:1576
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        255⤵
        
        PID:664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        254⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        254⤵
        UAC bypass
        
        PID:4068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lwYAcYUM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe""
        254⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        255⤵
        System Location Discovery: System Language Discovery
        
        PID:4684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        252⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        252⤵
        
        PID:4980
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        253⤵
        
        PID:232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        252⤵
        
        PID:4120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yOAgIwIg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe""
        252⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        253⤵
        System Location Discovery: System Language Discovery
        
        PID:1952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        250⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        250⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        250⤵
        UAC bypass
        Modifies registry key
        
        PID:4556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YqgMAgQM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe""
        250⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        251⤵
        System Location Discovery: System Language Discovery
        
        PID:5080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        248⤵
        
        PID:3496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        248⤵
        Modifies registry key
        
        PID:3948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        248⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\scYYQMEQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe""
        248⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        249⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        246⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        246⤵
        
        PID:4844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        246⤵
        
        PID:4216
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        247⤵
        
        PID:1000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ASAQkIwU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe""
        246⤵
        System Location Discovery: System Language Discovery
        
        PID:5040
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        247⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        244⤵
        Modifies visibility of file extensions in Explorer
        
        PID:928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        244⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        244⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JcoYIMEw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe""
        244⤵
        
        PID:1060
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        245⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        242⤵
        
        PID:764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        242⤵
        
        PID:976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        242⤵
        UAC bypass
        Modifies registry key
        
        PID:5080
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        243⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FmcoUkwk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe""
        242⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        243⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        240⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:3212
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        241⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        240⤵
        
        PID:3068
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        241⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        240⤵
        UAC bypass
        
        PID:1504
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        241⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FmgUMYwc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe""
        240⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        241⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        238⤵
        
        PID:1000
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        239⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        238⤵
        
        PID:664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        238⤵
        
        PID:4192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LWUEEAIQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe""
        238⤵
        
        PID:4208
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        239⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        236⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        236⤵
        Modifies registry key
        
        PID:4120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        236⤵
        
        PID:2864
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        237⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GYMEAEgs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe""
        236⤵
        
        PID:1240
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        237⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        234⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        234⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        234⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SuggsUMs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe""
        234⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        235⤵
        System Location Discovery: System Language Discovery
        
        PID:400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        232⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        232⤵
        Modifies registry key
        
        PID:652
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        233⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        232⤵
        UAC bypass
        
        PID:1792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gwsYkUMI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe""
        232⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        233⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        230⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        230⤵
        
        PID:1060
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        231⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        230⤵
        UAC bypass
        
        PID:1004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TGcgIcUg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe""
        230⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        231⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        228⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        228⤵
        
        PID:3592
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        229⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        228⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZQcUAokw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe""
        228⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        229⤵
        
        PID:3140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        226⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        226⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        226⤵
        UAC bypass
        
        PID:2232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bkEwUMcg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe""
        226⤵
        
        PID:3532
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        227⤵
        
        PID:1188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        224⤵
        Modifies registry key
        
        PID:1256
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        225⤵
        
        PID:1108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        224⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        224⤵
        
        PID:452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TasYsgoM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe""
        224⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        225⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        222⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        222⤵
        
        PID:3176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        222⤵
        
        PID:3908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uewgMIww.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe""
        222⤵
        
        PID:3772
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        223⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        220⤵
        
        PID:1116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        220⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        220⤵
        UAC bypass
        
        PID:2452
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        221⤵
        
        PID:4200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CSMoUQMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe""
        220⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        221⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        218⤵
        Modifies visibility of file extensions in Explorer
        
        PID:232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        218⤵
        
        PID:816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        218⤵
        UAC bypass
        
        PID:3356
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        219⤵
        
        PID:864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AcgkkIMs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe""
        218⤵
        
        PID:1068
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        219⤵
        
        PID:3740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        216⤵
        
        PID:3752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        216⤵
        Modifies registry key
        
        PID:3736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        216⤵
        
        PID:4528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VWMAQcYg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe""
        216⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        217⤵
        
        PID:3748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        214⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        214⤵
        
        PID:100
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        215⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        214⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fqEoIEQM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe""
        214⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        215⤵
        
        PID:228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        212⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        212⤵
        Modifies registry key
        
        PID:384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        212⤵
        UAC bypass
        
        PID:5052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Fqkogwkc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe""
        212⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        213⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        210⤵
        Modifies registry key
        
        PID:4116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        210⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        210⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gUAIEwwA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe""
        210⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        211⤵
        
        PID:864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        208⤵
        
        PID:4192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        208⤵
        Modifies registry key
        
        PID:4260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        208⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IAgMkYcM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe""
        208⤵
        
        PID:3400
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        209⤵
        
        PID:4528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        206⤵
        
        PID:3472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        206⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        206⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CwAIgMsg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe""
        206⤵
        
        PID:64
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        207⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        204⤵
        
        PID:628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        204⤵
        
        PID:3544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        204⤵
        
        PID:448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oiMswIkM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe""
        204⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        205⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        202⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        202⤵
        Modifies registry key
        
        PID:5072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        202⤵
        UAC bypass
        
        PID:1656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FUoMYQIk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe""
        202⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        203⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        200⤵
        Modifies registry key
        
        PID:3892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        200⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        200⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DckIMEgU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe""
        200⤵
        
        PID:400
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        201⤵
        
        PID:4664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        198⤵
        
        PID:4200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        198⤵
        System Location Discovery: System Language Discovery
        
        PID:3652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        198⤵
        Modifies registry key
        
        PID:1632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dwEgcosQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe""
        198⤵
        
        PID:4452
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        199⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        196⤵
        System Location Discovery: System Language Discovery
        
        PID:1612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        196⤵
        
        PID:3424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        196⤵
        
        PID:1116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\roUcwUYs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe""
        196⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        197⤵
        
        PID:3140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        194⤵
        
        PID:928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        194⤵
        
        PID:4528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        194⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\euAMIIYQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe""
        194⤵
        
        PID:944
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        195⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        192⤵
        Modifies registry key
        
        PID:3584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        192⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        192⤵
        
        PID:2920
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        193⤵
        
        PID:4272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SoUYEkQw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe""
        192⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        193⤵
        
        PID:3892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        190⤵
        
        PID:4316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        190⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        190⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MAksMYgU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe""
        190⤵
        
        PID:4052
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        191⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        188⤵
        
        PID:400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        188⤵
        
        PID:3732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        188⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XGYkMQkY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe""
        188⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        189⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        186⤵
        
        PID:3472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        186⤵
        Modifies registry key
        
        PID:4016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        186⤵
        UAC bypass
        Modifies registry key
        
        PID:4768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hgcQcYQk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe""
        186⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        187⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        184⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        184⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        184⤵
        UAC bypass
        
        PID:1104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uMIAwMMc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe""
        184⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        185⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        182⤵
        System Location Discovery: System Language Discovery
        
        PID:4960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        182⤵
        
        PID:4228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        182⤵
        Modifies registry key
        
        PID:4332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cqEIAskg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe""
        182⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        183⤵
        
        PID:3228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        180⤵
        
        PID:4452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        180⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        180⤵
        UAC bypass
        
        PID:3396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OaYAwsMA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe""
        180⤵
        
        PID:4116
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        181⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        178⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        178⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        178⤵
        UAC bypass
        
        PID:2388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aGsUIEEI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe""
        178⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        179⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        176⤵
        Modifies visibility of file extensions in Explorer
        
        PID:752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        176⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        176⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XukQgYYI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe""
        176⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        177⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        174⤵
        Modifies registry key
        
        PID:1516
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        175⤵
        
        PID:1224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        174⤵
        Modifies registry key
        
        PID:1640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        174⤵
        UAC bypass
        
        PID:4904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TKMgUEUQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe""
        174⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        175⤵
        
        PID:3876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        172⤵
        Modifies registry key
        
        PID:2912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        172⤵
        
        PID:116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        172⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rSAAMcEs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe""
        172⤵
        
        PID:3396
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        173⤵
        System Location Discovery: System Language Discovery
        
        PID:4768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        170⤵
        
        PID:3772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        170⤵
        Modifies registry key
        
        PID:4508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        170⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VSAUgoAM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe""
        170⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        171⤵
        System Location Discovery: System Language Discovery
        
        PID:2140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        168⤵
        
        PID:208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        168⤵
        Modifies registry key
        
        PID:4908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        168⤵
        
        PID:3756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EeYIEgMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe""
        168⤵
        System Location Discovery: System Language Discovery
        
        PID:4524
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        169⤵
        
        PID:860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        166⤵
        Modifies visibility of file extensions in Explorer
        
        PID:952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        166⤵
        
        PID:1112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        166⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:3176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wUMQsIQY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe""
        166⤵
        
        PID:1212
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        167⤵
        
        PID:3856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        164⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        164⤵
        
        PID:3152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        164⤵
        UAC bypass
        
        PID:3496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mwIQscYc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe""
        164⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        165⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        162⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        162⤵
        Modifies registry key
        
        PID:2352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        162⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qgYAsQEM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe""
        162⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        163⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        160⤵
        Modifies registry key
        
        PID:4528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        160⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        160⤵
        UAC bypass
        
        PID:4840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NcYMoMAM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe""
        160⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        161⤵
        
        PID:228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        158⤵
        
        PID:3876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        158⤵
        
        PID:4208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        158⤵
        Modifies registry key
        
        PID:2320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NEMQMskY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe""
        158⤵
        
        PID:652
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        159⤵
        
        PID:1100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        156⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        156⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        156⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zIckMkcU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe""
        156⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        157⤵
        
        PID:3468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        154⤵
        Modifies registry key
        
        PID:1692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        154⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        154⤵
        UAC bypass
        
        PID:2644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OwoEwcwg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe""
        154⤵
        
        PID:764
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        155⤵
        
        PID:1184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        152⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        152⤵
        
        PID:3300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        152⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\skEAogos.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe""
        152⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        153⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        150⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        150⤵
        
        PID:372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        150⤵
        
        PID:4768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OywUQsQs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe""
        150⤵
        
        PID:400
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        151⤵
        
        PID:4208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        148⤵
        
        PID:764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        148⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        148⤵
        UAC bypass
        
        PID:3708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAMYMYIQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe""
        148⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        149⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        146⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        146⤵
        System Location Discovery: System Language Discovery
        
        PID:4840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        146⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LkUgEIYU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe""
        146⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        147⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        144⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        144⤵
        System Location Discovery: System Language Discovery
        
        PID:3876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        144⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lWoMsgAo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe""
        144⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        145⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        142⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        142⤵
        
        PID:920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        142⤵
        UAC bypass
        
        PID:2336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DUIAEQYQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe""
        142⤵
        
        PID:3220
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        143⤵
        
        PID:372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        140⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        140⤵
        
        PID:1296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        140⤵
        UAC bypass
        
        PID:3176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hUYUEQsE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe""
        140⤵
        
        PID:4216
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        141⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        138⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        138⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        138⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GUwwUQgM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe""
        138⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        139⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        136⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        136⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        136⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\akkIwwQo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe""
        136⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        137⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        134⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        134⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        134⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UyYUYUUc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe""
        134⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        135⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        132⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        132⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        132⤵
        System Location Discovery: System Language Discovery
        
        PID:100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ucUQoMUw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe""
        132⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        133⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        
        PID:764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VoUoUEAg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe""
        130⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        131⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        Modifies registry key
        
        PID:872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        
        PID:784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TUMkYEco.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe""
        128⤵
        System Location Discovery: System Language Discovery
        
        PID:4668
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        129⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hYIscwsU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe""
        126⤵
        
        PID:936
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:3232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rKgIIUEA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe""
        124⤵
        
        PID:3876
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        UAC bypass
        
        PID:1316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UUoogQIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe""
        122⤵
        
        PID:232
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        Modifies registry key
        
        PID:1676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        UAC bypass
        
        PID:3800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qKIUkYwQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe""
        120⤵
        
        PID:3828
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        UAC bypass
        
        PID:384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SyIoggAo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe""
        118⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        
        PID:3892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        UAC bypass
        
        PID:1656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aSEkgQgQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe""
        116⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:3236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        UAC bypass
        
        PID:4948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lEAsAMQE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe""
        114⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:3300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        
        PID:100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        
        PID:628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        Modifies registry key
        
        PID:4500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rowQckQY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe""
        112⤵
        
        PID:4036
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        Modifies registry key
        
        PID:540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        UAC bypass
        
        PID:2876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fewIUkcw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe""
        110⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:1116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        Modifies visibility of file extensions in Explorer
        
        PID:924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        
        PID:3584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CuEoEMAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe""
        108⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:3240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        UAC bypass
        
        PID:952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ksUwwkAk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe""
        106⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:3232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        
        PID:976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        UAC bypass
        
        PID:4516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KCcAYokQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe""
        104⤵
        
        PID:944
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        
        PID:1100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        System Location Discovery: System Language Discovery
        
        PID:3188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        UAC bypass
        
        PID:4076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EQMsYEMU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe""
        102⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        System Location Discovery: System Language Discovery
        
        PID:3204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        UAC bypass
        
        PID:1372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jyQswMUo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe""
        100⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        
        PID:3424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TsYcAEMk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe""
        98⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        UAC bypass
        
        PID:4484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PScgskMI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe""
        96⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:3892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        Modifies registry key
        
        PID:976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EsQAAQEY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe""
        94⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        
        PID:1112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\guEIQEcM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe""
        92⤵
        
        PID:3204
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        UAC bypass
        Modifies registry key
        
        PID:824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CUMAUowM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe""
        90⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        
        PID:924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GMIggsAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe""
        88⤵
        System Location Discovery: System Language Discovery
        
        PID:3388
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:1196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        UAC bypass
        Modifies registry key
        
        PID:2496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RuQgAoog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe""
        86⤵
        
        PID:3448
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:3892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NmwwoUcc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe""
        84⤵
        
        PID:3216
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:3140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        
        PID:4104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        UAC bypass
        
        PID:400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XYkQcAQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe""
        82⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        
        PID:216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JYkskIco.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe""
        80⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        UAC bypass
        
        PID:4980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\myQMsgIo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe""
        78⤵
        System Location Discovery: System Language Discovery
        
        PID:3220
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        
        PID:3472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aSYQcAAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe""
        76⤵
        
        PID:3736
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        Modifies registry key
        
        PID:4868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ScIUkMYg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe""
        74⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eGckMMAI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe""
        72⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        
        PID:920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        
        PID:448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        
        PID:4200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hyskEsEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe""
        70⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        Modifies registry key
        
        PID:4688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        Modifies registry key
        
        PID:116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TsEEgMgo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe""
        68⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZSIswoAc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe""
        66⤵
        
        PID:232
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        System Location Discovery: System Language Discovery
        
        PID:2340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        Modifies registry key
        
        PID:4260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        
        PID:3140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        
        PID:3216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wcgkgQAU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe""
        64⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        UAC bypass
        
        PID:5036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eyscAAUE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe""
        62⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:4104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        UAC bypass
        
        PID:2088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gOgMooAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe""
        60⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:1188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        System Location Discovery: System Language Discovery
        
        PID:1688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        
        PID:3356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\keAososo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe""
        58⤵
        
        PID:3740
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        System Location Discovery: System Language Discovery
        
        PID:3224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        System Location Discovery: System Language Discovery
        
        PID:3152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dWgUsMIg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe""
        56⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        UAC bypass
        
        PID:4340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZMggAYcY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe""
        54⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        System Location Discovery: System Language Discovery
        
        PID:3876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        
        PID:1292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HeosMIIc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe""
        52⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        
        PID:4272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CKEwoYAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe""
        50⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ocgoQcEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe""
        48⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        
        PID:1296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        Modifies registry key
        
        PID:4624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YgAoAQUQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe""
        46⤵
        
        PID:764
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        UAC bypass
        
        PID:1340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mCIAUIMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe""
        44⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:1060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vawcIEsM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe""
        42⤵
        System Location Discovery: System Language Discovery
        
        PID:2428
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HqgwcQog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe""
        40⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:1116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        Modifies registry key
        
        PID:3856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        UAC bypass
        
        PID:2388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BuAUMEwo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe""
        38⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        System Location Discovery: System Language Discovery
        
        PID:3736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lIYYMgwo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe""
        36⤵
        
        PID:3224
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EScIwEUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe""
        34⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies registry key
        
        PID:4856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        System Location Discovery: System Language Discovery
        
        PID:1928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        UAC bypass
        
        PID:4628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WGskoowE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe""
        32⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:4004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        Modifies registry key
        
        PID:2400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uwMQIAwM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe""
        30⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:3828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        UAC bypass
        
        PID:2820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HIIwkokY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe""
        28⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        
        PID:824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        Modifies registry key
        
        PID:4412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        
        PID:1212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dKAokQgk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe""
        26⤵
        
        PID:4120
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:3736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        UAC bypass
        Modifies registry key
        
        PID:4424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fEAgwQEY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe""
        24⤵
        
        PID:3212
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies registry key
        
        PID:556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:1224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        UAC bypass
        
        PID:4948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IQosAIgM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe""
        22⤵
        
        PID:3228
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        
        PID:920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IIIcAYco.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe""
        20⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        UAC bypass
        
        PID:4152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QukEsYwQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe""
        18⤵
        
        PID:3756
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:1668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        
        PID:4452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        
        PID:384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DycYcMYI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe""
        16⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:1116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        
        PID:3448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pwgYIAgU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe""
        14⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        Modifies registry key
        
        PID:1012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HGcAAMMo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe""
        12⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        Modifies registry key
        
        PID:3388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BkgIYwQU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe""
        10⤵
        
        PID:3872
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        
        PID:4200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gIEwIgQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe""
        8⤵
        
        PID:3152
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:3800
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4840
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:2292
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        Modifies registry key
        
        PID:4912
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uKEwIUYo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe""
        6⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:4120
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:2296
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:2160
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      PID:1956
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CgYMkEUY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2932
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:372
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:1692
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2400
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:1112
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wkokMEYY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2180
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:456

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv Y+ZLcoi6eUeYCB936RxksQ.0.1
1⤵
- Blocklisted process makes network request
PID:4816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\IoQYoIQE\EugIUEIc.exe

Filesize
183KB

MD5
a531f90000b3ca742ab049657048da76

SHA1
cc828163ea77feb15a74602529f93713b036147c

SHA256
48b3eaa90ca5682401464b34cca6190d58cc949ae0206e38a7b2f44754fb0e23

SHA512
70ee847ad212fcef1fb8ebf30795abe0f5f83330338c7185cc54ec06bbc37fa9a74e18d50114884f233a68082cd0745e6c4b38047e07ca00dff99cf96bed5991

Download Submit
C:\ProgramData\IoQYoIQE\EugIUEIc.inf

Filesize
4B

MD5
1969300fd57da1844d69021067cc1405

SHA1
6e3c98374e52fc786396549948d9b1effd002468

SHA256
777d5a88173aa145b2668097b6d59a4ec6d01b97a279e0dbbfe4df778da96e47

SHA512
c95b89bca76836f1b318e05efd09c4fa1f56d16a53aa0d564bfb89af451621cc73b431d5699857d838eadef4379cf85df24f68511c7453b6f19b51fa873de1c7

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.exe

Filesize
222KB

MD5
83c87560b82cc77e1b58dabfe1b9eef9

SHA1
c4a3eb31a82af5124ae4d0d09242cb42eda860db

SHA256
6e02ab6f5ef9846f39b6e290f4499e725e9d9ba0b450578af7ee162c5d212689

SHA512
7796df27884457a1d28676c4175456d857f2530d58df4e45d4623c833a28b6b08de772df93c6e8d5eff5620dbfbe055c582c66a0151aa38f7e6eb31f74b8464f

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe

Filesize
229KB

MD5
b647a51772257486d9a53b1e2d81b2a2

SHA1
68d7a5f1daa775a5786de35b6ae3b631804fbb74

SHA256
ca9df8759dc9c1cffa3ee005be83cf253a9cefe36e0f85a5f733834998b9b3d3

SHA512
c8f859499c9e877521595e11f8d95bce172444c2b4181e81d19b8205734c7c29607be4c5f1a9d5f9d57ae8652590e149974e5aa69f11123a29f1d135be9b268b

Download Submit
C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe

Filesize
826KB

MD5
4fbda5fc59787ad15878cc57f0413bf1

SHA1
55eb932eba66849d1224d944730e33d90831b81e

SHA256
00554bf632ec105ddef828306ae5dc34dfe4501dc6857d0dc837bde76fe886d3

SHA512
39046189cd1993b4f8c91c3c6c81bb43718ad27d1022b4b39d204fd6240002d315e91151584b04a3fff14a6f6f4224f907a21565eb3de637ec5ad01c80dcc87c

Download Submit
C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe

Filesize
829KB

MD5
dd5963a6869efbf4bdc82ced1cf5d5bd

SHA1
59245b2f54a93202db356ac1f15dd21ab4e7b30d

SHA256
cbb23833afac3614b5baa06837466ccead428a956b305d9cee44980f28626307

SHA512
ae3c051f14e60b4d323bfaac558404bc9abd6ae3c4aa6d2630adca15abc898f1714e1290891a81667a48af6d9679de909e7a1804400fa7268270eaf1bb557e15

Download Submit
C:\ProgramData\Package Cache\{ef5af41f-d68c-48f7-bfb0-5055718601fc}\windowsdesktop-runtime-7.0.16-win-x64.exe

Filesize
803KB

MD5
245aad88d11615ec4699526b603654c1

SHA1
3b7339f73765b145b8529ef9bbf8fd90dc315985

SHA256
e59c6bc974a41ca8ab36a780dd656fb030ea177193b8ad08a47d2293101dab64

SHA512
a879b1225f7fd9346748ed4d394e4a7d5cacdf7d6fba8a27f835bfc0e8f894dd9066298b286adad4920f07b97ce476f464c25d61502a7fe0a8a7b0b959e2b018

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\128.png.exe

Filesize
190KB

MD5
6a0bf8b1a8772e1e394eadebeef69d97

SHA1
1373bc12520b1ed4619dd985fe15e08eb598a922

SHA256
68ca4d65e93e88a85b387adca2d6a23a6cd83ff0f3343c5530a7f3d03674be5f

SHA512
077566e881ecceca1d15932997b5e21455c1ea1bd272df448b777935748b2ebe6c422f485d71a27ff918c994b07173834cd471bbbae57954b5c1e00201461921

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\192.png.exe

Filesize
199KB

MD5
aa4c50b465e7190da1a30c2361891c0b

SHA1
a72c228fd74586400a58b564d9a6e6eec556b6ec

SHA256
9827eb058f6007bdbdbd69c09b3e568207c6be00618b578f0f63bb6159321e2b

SHA512
b752f96fda6eddf7ccbf4ad32ed7d6892e07d73fcbf2f878ae9a3628e16b024e81488fa625aef563977c71b7319e3061b681b8cdd4b6bd6efd96fc433b784466

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppErrorBlue.png.exe

Filesize
191KB

MD5
101e9005a6398e6f0884a35375371e55

SHA1
ed412304c06af02b22cdabed9dffde6262e81002

SHA256
c31c057f3f424f7983763646ff7374375e4cd96a639a74e8721278c280e4644b

SHA512
f7a8c571a695ca36ddaf8701a0f5e349d121e206ac683fb02562c6ba1abb5a38529806adaaa3361921cdf2e460a4cfba9812a4e5b4ffb8d14ba8105d3f335966

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AutoPlayOptIn.gif.exe

Filesize
574KB

MD5
a5973eb9120bb208260ca4be84d4aae0

SHA1
adb1a9b8075c4c3e55f8cb6a34716ef95e4ba9ce

SHA256
d51193e348628195496d61ba15eb9a370507393a5a4f0be49380020f8755ec98

SHA512
d98bb63aeea1c43208b6a175a4eb65f8b3b9d2c46dc267a27ba56c75ed22818ced48e490455f76ee3352c5e04af92843d2bd46833cd78be72074c2b532ab8239

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMScanExclusionToast.png.exe

Filesize
211KB

MD5
49b4c3da268481c0fd0c3d32d95175a9

SHA1
c70798641e614b63237011916a805d6e6ecc8b27

SHA256
aa7392dbad89c4fd226ed1a9ba1b82bc4e589f9b4e5666958a2833c71e64b55c

SHA512
adb870cec80d31093379f0293c0583a632bdb49795a3f9184aa79abfd5e43684b320ee605bf1b463407b94ca7f20e8ce56ba50940d6e2ea977e5d073d76fcf86

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaError.png.exe

Filesize
216KB

MD5
4cf2bde5eb3835f48a9ef8630658a016

SHA1
d72248b3c136e12c9ee5e1765f195b906f5b6118

SHA256
d06a3c29f543f8647b453984f4e6bfc5fc374968444fb02f4d3121bf2422e805

SHA512
f04ae094ee6e79316c5805b32b4607dd31298aa30720581c7f020a7cd4e6590732496607113e3bb21812c120db7369776c35dd913fa270224e4d0e11f5ed0e86

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\26310719480\squaretile.png.exe

Filesize
196KB

MD5
32076ba4de565a739156d70e93dfba7c

SHA1
5bcc827336217a4d3efedbd106ce3a6753536878

SHA256
a4e5e1996fb394909ab6df29f82a6745443a2cde9c0bfc333e3db635fb7b1d6f

SHA512
44dde73c070789428a7707073dfb93e351484b42054cc54255b3e47fa3b39969589ac8b89aa99e55a2be379f76e502c9a3ccd6ee6cfcbecd4edeb74b577e6957

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock

Filesize
6KB

MD5
f7953a3b741c1502bfe8d89c55c09ed6

SHA1
6aa8958b7e36b8834e9a6d81a6d276e7dc1e488e

SHA256
ad1065b3d34b2416e7675e20de47a870775bfa9eb472e037eb4abbde2b2080fe

SHA512
71e7b52b4c734d98079ae15be005c9e7c7a2187d355fb4979ba0cd20edd8310181bf44fb1ef185bac601d35e534e78b8559be44e6bd7dccc30ec44e94dd66c0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\AEYO.exe

Filesize
5.9MB

MD5
09e6744e0a5078bb3680ed2474834714

SHA1
dfaaa961f0fb92cee0762c13016aef259bcae3d0

SHA256
f260f3db23aaeb710598bf788c2947be9b2499493e0646c4f8150959d9c69de1

SHA512
d805e423f04474d34f81cea6460bfe100a9e3c6175bf88057fd1ffe0c266b01572e983d6847e8fcfb1f46b530022b297d6a75e75833578f68f3b482ef7daf94c

Download Submit
C:\Users\Admin\AppData\Local\Temp\AUwC.exe

Filesize
204KB

MD5
a408798f031d793ab8d5621cc05ba0fd

SHA1
af688a49b4ac575b99e76dd53434ada2c26ddb95

SHA256
5dab775dbf64631b44dab81ca4154f9755397a42f8c633f3f7c62f4abdc595bb

SHA512
9408311a0410860ca4148137421dc4f6b8ae2bb5739d23b211de4ac0ffb358f507530fa1a8052542a8a81d98e23a3d5ab0fbb05ebad5d468085f7e65e296c99d

Download Submit
C:\Users\Admin\AppData\Local\Temp\CMgi.exe

Filesize
183KB

MD5
3f6ba0f20b53b5af5994c5016c9145fe

SHA1
a44a06b5441c0154e78bae37b867dc461cd39b40

SHA256
8d95f5b40fc1587b7dbde28ebe99cc4f375c7e25092ea1660257a07b01366c12

SHA512
2f32e5d7313da172e92abf113cac922ad5918b787b2a968df55bff421d29e18f8fa42dfdc70f1d5b95445eb277ebca14410dd55a9f346a4d5dc685d9f2f24a56

Download Submit
C:\Users\Admin\AppData\Local\Temp\CUkm.exe

Filesize
193KB

MD5
86800a9b5c6b25a597a0b6c4ac048cb7

SHA1
a1f8c39506d716e6c38c0e9a3e9d114498836f6e

SHA256
ee7d3788afb27f83a394ed6f7bdb05e20f3969eb983a2e9946cf2f521db0441a

SHA512
7a37b75044ee2ebd9e1707ae94159602ee5ca90f8ca67e61e50ddd6b11bedb438cf4480c4d5f1475d9fd15264ed946d76f8c9c531a333fa57ae163e1d24b5a5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\EcIE.exe

Filesize
419KB

MD5
89dd6c87537efbfae7a46c55296ca155

SHA1
9107734f4beb93ebc381415e0576739269791bfe

SHA256
0d2d6108c8f60f8963731cd038266e0620a9125eb08c1abbc52ae80e3279407b

SHA512
5be39501c3f57a58fc01e87523436d714251fb75a1789c109a6e69966f10fff8c0f1afeab0150ad4614d7093e262c3bdf136e1ea2f0a8c79954affb87c1ebd13

Download Submit
C:\Users\Admin\AppData\Local\Temp\GEEK.exe

Filesize
1.1MB

MD5
f112f370d280d741f0a5365954c10f01

SHA1
4c7a1e2acaaa3606a2da810dc526505caac075e3

SHA256
59cb3f07aef76e723342553a7147f3de1a8fdd6335d73151841c7fe9f310cc54

SHA512
714b5008716dba14ed5de02354f879df9136eff54ba9d0099f4744da79a9992ddf24fdad0bda6820ad088a0f157fd6a8d525ee9c6d2e147cb70ec24b34c18ba7

Download Submit
C:\Users\Admin\AppData\Local\Temp\GIYq.exe

Filesize
636KB

MD5
66fb6424e4fa37b0fcc62e353e1e885b

SHA1
5de5c63d377c47bf3b505ab8ae2de8cb03c9a7ca

SHA256
3f10cb4e02ae5072b56d4dae348fea7e0de72b68b47cee4c59864698fed3b282

SHA512
00d6cafb05effd15f17804eac8d4031d3279f3f86fa2e85938a6c22e212edcbc9f7fa3a49dfa820d7ff7eb36ecb4928cfa12ddaca0a8de605bf784c667f23e8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\GIgq.exe

Filesize
203KB

MD5
31b632affaf8d9cfc71f8207128f40ab

SHA1
6d0037e630a40c7c53ff674d5d716e3b24753a48

SHA256
9ea99a7012ea42ee58a4d5c8f8151443019364ede701f0fbdf4a629ee981335a

SHA512
389c9f51031c9dc2d3121988dc514592974e4786f939a15b9d8fe1236b5cf79462c9f82aa6797a8ca1bfab610f8e0462e62a89b51996f8023c30e66acd911262

Download Submit
C:\Users\Admin\AppData\Local\Temp\GQEO.exe

Filesize
205KB

MD5
c27128969dc4e7218516969ab3864a96

SHA1
22051032f603e03c1c326bc467c625ea9090f899

SHA256
42c2f42474a9ec2c0017805fca3694aa6a7c71b13bafe3e3001f5d13f3390cef

SHA512
503e41dd254f1ce0726b90c01427efab00f160e55aefedad80cdb963517a99e92264a2c3a228e66128c0f69098c4dffc1d6085044888015539540292f299f7f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\GQUQ.exe

Filesize
209KB

MD5
b4d262e360da6e6eae810f05a0ae9464

SHA1
ccbabb0523dfb24dfb12a90b5ee215a05714e66d

SHA256
310e1542db725bd6e676e178e4fbd0da4919a2dfffa61e3e55aa7ce60a66f79e

SHA512
8e96a8e74d67dfd7675c86cf4075e212955fc80e790706783a0889e8d19630fbfa617f43729e3bc78b6c097f6fbe4065bb5191efd6011f56804e6c5ee1bd77fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\GQwO.exe

Filesize
630KB

MD5
af2abf1f9de818a06ad62a1ebabd1dcc

SHA1
258e63149ccb775fd683e6a7b4150e03622906fe

SHA256
3a64cf606d61d24f6ad2197bf0569a7fba81813e803b989cb86d3bd4dddf7428

SHA512
343a9032b07431facff4f8a126f5febf53149119817059a9faecc8ad0892a19373e0c8994b6fe167d659e07d046179f614c00bc994f8bad11ec5fb90e270af3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\GcgC.exe

Filesize
189KB

MD5
fc79fac615d9c1bde1e399e987b351c3

SHA1
a607f3c1cc3480495a3279254be439b4c533e416

SHA256
579b9950bc55b7b57288173715d6496dbdef3b8b1f1d0b90b6334f2e62ae4cde

SHA512
956bb9733e1ce8b826d59a965fcd4729f655501daed1aaa4d82d61f2f0127b9aca1b9bcac3427a28b4798babd28db5d046d5a434a3ce40b57957b587b5399d7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\GgQo.exe

Filesize
233KB

MD5
5d1040be08c135235593bd730dad1360

SHA1
e98fd55aa8730717a4b1db09926ea52133d56806

SHA256
82273d2b58989ef562b9e5bf59862c5cbeb215ffe867b950725b839f4ffbc278

SHA512
28414dc3c4c56a45c620e6a1234bd8f6e13bfb3906fa608e0742d90d1aca0c79f0955ea8d36e4ceab7231c6a8b9de3b2baf3b8c49b6ad60d1daa956108af2f07

Download Submit
C:\Users\Admin\AppData\Local\Temp\GwQU.exe

Filesize
185KB

MD5
694878dd5a5ba2a48cd56b3e31fd4fae

SHA1
15b9c66c701550a4d9dc0032bb0662cd4214a123

SHA256
db423a824e8a01a278b2773341ed5bc64c8a3eeb3e315968417e6563e7cc38e3

SHA512
e754637c5528223aaefc578523762d711a8a415b60d73405f720a0ba1ca5effab4ee047089252fbb86143c7ef374e64c2ecc06878928695fa4fd50fcdeb2b4c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IQAi.exe

Filesize
209KB

MD5
e687e6e2319fcf8bf32199e446ae6d43

SHA1
65450957f95861848195fc0991f768068cd0ad87

SHA256
e1f963944a489cb48d58ea34653b5ceb4c6eaf6710c1e97ec448dbaf2ff7261c

SHA512
aedd152fdcd2b13ad18feb1e7bfa51a73175499d7aa64c58fb7ee96859e893ae1f54cf8b55d1eb9439f5d02698c93cd773c358d331e091842b3704754e1cccf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IQko.exe

Filesize
334KB

MD5
7f815b2c0c23066b0b78f2c171bead5b

SHA1
078d1045aabdb2482ff534c28861d5a24d34b6e7

SHA256
c3f5b4fea2998fb1ba03eb9169103c27ecc7e0b6643fb8f9cb1354a1d02b0257

SHA512
c40e2e2a12f9e170a6548a96f8eba48add739bca043859713aebe59eeabf3379987d4bab2cc69aa83ac789bad3a72cd2ba761514af65d4a8e5415147f0f485ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\IYEu.exe

Filesize
197KB

MD5
61f6d5744773eb9e79bf80405ac7cb07

SHA1
d1f3aee25534d770bd81686f6fa999296fed60dd

SHA256
15146834a52358ddf3d5e7f81fb6e409b239c4c528affa9887896e4ab78fcac4

SHA512
b4a97b940c79ac4f34bfd4ae3b72d5ec0ad882d56464aa6f0116149efd935d12503b150881949a98b05112a6905ace31eeac97d18c8bacfb3a0148f2751f6423

Download Submit
C:\Users\Admin\AppData\Local\Temp\IYgM.ico

Filesize
4KB

MD5
d07076334c046eb9c4fdf5ec067b2f99

SHA1
5d411403fed6aec47f892c4eaa1bafcde56c4ea9

SHA256
a3bab202df49acbe84fbe663b6403ed3a44f5fc963fd99081e3f769db6cecc86

SHA512
2315de6a3b973fdf0c4b4e88217cc5df6efac0c672525ea96d64abf1e6ea22d7f27a89828863c1546eec999e04c80c4177b440ad0505b218092c40cee0e2f2bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ioko.exe

Filesize
624KB

MD5
21ab8dccf6869c82c235d1923c58ff72

SHA1
8b5cf0a88e9a3924e5be9ef1733168616fdfc463

SHA256
a62b506f1a4aa47c3a275adcf491b4d871e67376e55c5c70aaea84c6d59a473a

SHA512
054fdff2192e67a83fe82da5b284806f2b347a980597f651f407c2dac1e3e59b3e424d4c6f2f57596558c668bcd8cb34dfc8c40384d43c035e2e2f3057ac8f31

Download Submit
C:\Users\Admin\AppData\Local\Temp\IwIG.exe

Filesize
197KB

MD5
97559eda1d85f7e78bed044d24f24497

SHA1
77bfff2d88953db387cadc2853bef873bef1241e

SHA256
ce09b8f93b2ae3c4877e5902d799b6734d06f0f2a470cb205e06abad044ac1a8

SHA512
a380a5a387a9967071a3e3a0be8d191b9085bbe57fdb92ebb0ac481b16c37e67e2edff45c31d9c3cc44c329f91e95edd3917b0962f39749e98bc282666950dcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\KAQs.exe

Filesize
199KB

MD5
9cf0147d66031ae9f94ab10e99d218b7

SHA1
8d7a6631bdfd0840926866c9eee27c921b6e36b1

SHA256
8fd2a49b816a6d81ca36ecaa4f7480429ab143f4b1df01f0b5be99bc565ad3c7

SHA512
79d6e39377ea104b2e2abd63fb3baa8d762a36fadd5b85a7a43be48ca42a0645621e85d6fe71eb0c19d7f1726c750493b0bb439f02906d7cfdd78a47e270d64a

Download Submit
C:\Users\Admin\AppData\Local\Temp\KIAq.exe

Filesize
327KB

MD5
e5b5595cb82ed2ec00f63592f4d2b7ff

SHA1
ec690f20b23d97cd6e70f21aaf5106fed9dc5716

SHA256
66c6537ff529f681431908d8e780b7d6689474af618ef787b85fb73b02cfbf0d

SHA512
dd406a136271f9c54f202359191bfb812457c3eb698ee64b732a31d0599e818b08048aa8a0ba7e4fdcc68ec16f4bce6c43767b8775c7620aa9a61fbd934a1442

Download Submit
C:\Users\Admin\AppData\Local\Temp\KUcq.exe

Filesize
189KB

MD5
bc29e79cccb2ed8e8b52ac1ee93f78ec

SHA1
f61aed31cafa4d5440f7ccfe25638eea127f7479

SHA256
ffffe2e207423b0347b89e5557c63ae13b79e9a17db2afdeb4837b0d1ccbe948

SHA512
cec56ab19e364249052af5a6d5227d45156332d88db7920ea4800766e410b59c3b370649297ef887e8af44ccdb67858e323068bb1cc08b0810bfa6cf34065c7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kcoy.exe

Filesize
642KB

MD5
66abb147bfd73d886b532552f22408d3

SHA1
73b8401350f85ca49f1b2a86f5bf1ccdcc310f6d

SHA256
f94ccfc8f28a06402ea1e3282049de56175fcebfc333d232a804f06846ce443b

SHA512
ab1766453c525e473305efdaa661f3da5821c7587add64c190e95f0d1299a1d3e9b7510513909a88a52b1d463387b1c755e1348ca4ff2373cfe9022952669873

Download Submit
C:\Users\Admin\AppData\Local\Temp\KoEo.exe

Filesize
216KB

MD5
e1ec8452a232eec1b17344ede229be7a

SHA1
a9d8b1ad5e48e6915b3ee31955be896037b36a01

SHA256
d734de6628c2ffc6adc2b9e12db8d1c809c58696649fe055839495ee37ee81a0

SHA512
e288521d0d7d77fac7b95e7a7bbb702df3cd28d6585a123cda4a17d763a6b0c20d4512d426a97254c7ade67c0350c815141f0ee872520d44c7c8f0f64c5ae40d

Download Submit
C:\Users\Admin\AppData\Local\Temp\KoMQ.exe

Filesize
1.1MB

MD5
672eb3437251158ce59e248fb6f38f67

SHA1
b2537cba25b262d050e3a451d62ad86da53371d5

SHA256
e19ff5e59753e8a0b7faed45c0a7e2f109ee950f52c4a49f203c107249df3f9a

SHA512
491ada7656255019f6bcc01de73c5eaa157fdfd6702a49a4b937a9599081abe53036b0f3bd43b3e957f0c824a2f05e477a74ae519f671923d338944db1c4488d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MUcq.exe

Filesize
192KB

MD5
9dbce736ca378c155ad633b825ac7582

SHA1
b839830a880a961e7bbcbb6cd32014e636362e8e

SHA256
e620bf7dd6b0fd4e904d680aa738fc2d49d02f72a721de47b6363f64fe36b067

SHA512
5dce08028786c43564bcaaeaeaf639b9e63c29283e03fc93aef244c34e36a6fb3b5a1b62b27513ebcfc8cedc61652916d2cad7ead6eb225b3cc7807fa9aceb8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MYYG.exe

Filesize
186KB

MD5
dbeaac10c7ceb71f4db9b5b47b16470c

SHA1
05498510275e6e13e968da8a7626434c552dc935

SHA256
9f5f2a248b31c2cde9e257b7b5e341e522841ee9cba49511242d854090bf0b00

SHA512
4201f72031b4910f9b866b67f8d82fe378fc9b033729ead4628a55b915074455eebdefc03004528c165c1d6b6ffcc5cb26a91923b235eaa9fc5e3f67a653f608

Download Submit
C:\Users\Admin\AppData\Local\Temp\MYwK.exe

Filesize
188KB

MD5
eb0e8ecdc994ec2a7f4e65a43c2d4f7c

SHA1
dfa3846bc0b3676d1808087a02c4aa288494f6b6

SHA256
71a922a26fc380c4a2d64dd76d2e0fbb4258064180899536783c56d27744a6cb

SHA512
21563b56932b68b88676b4e214b55561d02e8fef9a70971e112cdc34897b29451fd944aafb9ffa7525a58ec39241d49d035614a537f3de18dcf31d48d4d0ac3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\McAQ.exe

Filesize
190KB

MD5
36acef84834167eab9431dcd9fe81726

SHA1
f19efcf995b9f0ac1c807cd7837a435ce0243bfc

SHA256
3ae64ccb6604af793b80f03d4ed73c7380bfdb7db312bab97a410f3b0f55d097

SHA512
b7f90eed0def7b691ebf1e4f77cb2cce6d2571a2d9017ebf80dc700cc25ce9a8102b18c1227e19e2c26d06f5df9996cf00cb340dfa6b16cdaceb19fd920c4f46

Download Submit
C:\Users\Admin\AppData\Local\Temp\McYi.exe

Filesize
216KB

MD5
6ae084237fde18781327f23f12bb5db0

SHA1
2ca986d9b113042b884abc94b937cc4b5e02c9b9

SHA256
f6dac79cf5ee927e8ae49ff2ab63911d8f577847a36abafbbff64df4d4c69cc7

SHA512
b7c47cde72cd22960abc030e558476c64184562194f192729cc37b1047dc93d772822340d10304912c70f250bbbf79d5b6cc1509eb371de24128df93fdb67347

Download Submit
C:\Users\Admin\AppData\Local\Temp\OEEs.exe

Filesize
182KB

MD5
3a98a73a6e3f1ca4900a4b3a20e737a6

SHA1
10d27d29ca907b753d2ebbd143d5fd80df1652fe

SHA256
6acc673c6b5b2b6b639ca3f2ad9f372760e99c576933ea9d1d65fe4aabf179c8

SHA512
8f16d41938ea2d9a4c1faf101fd4eb570681514b4c3a074fa6c71fa33bc04dc9aaae8f157b1d90bd2a56140b3d7cf2dd40074985579a16e8f3c16756604b558f

Download Submit
C:\Users\Admin\AppData\Local\Temp\OEUm.exe

Filesize
1.8MB

MD5
6538fd1b8accd98627fc035ac8c77663

SHA1
913d692a50ccba17d51d78fa95a57c1f44a55fcb

SHA256
a80bcc34ece0aa4a7fde7590d48d1c495bcd122b95e0212b2d9b4513b94ac7ae

SHA512
ab7b3db1200c7a136104f80df16ca77622fa749953494a6c91ba564c447d46bec2e97b70bfc43a0cb2f85669a709dbaacafa9f2a9b62d0ef56beee9b184d1f58

Download Submit
C:\Users\Admin\AppData\Local\Temp\OUIw.exe

Filesize
186KB

MD5
1f90a523e46a775c66b77dba57112e38

SHA1
5a438ba56c68de7ed5edd2bc2b46518d1b1d3b81

SHA256
f2d1c42196310299f5968c0ba4130556d9e6e8b1a688bd953b44f916984e18eb

SHA512
82c28b5ea5f87e133e0a961b5f271c9a83483c67721b9d3cab0058d1a6273e28e473856e502b05d81f5ae159fa50a41a604c7ab2e20a74b591b2bb9076828d7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Okss.exe

Filesize
205KB

MD5
2a2424398a19e01857f67de88a102b2d

SHA1
770701a287054482d6761bc24e2d271356db5052

SHA256
035bb75e933f558ac1f4e835c3ea25561f6a84083484e07e64b146ae0277c6dc

SHA512
e3317ff6638e6f243ceab04ef861c95b3f04d7d46dcbbba5bc1e2eeb9cce73df336cbd70a54d41a58ff3b029b917241c6d6bbde519c003502b968f277ab1232a

Download Submit
C:\Users\Admin\AppData\Local\Temp\QAgO.exe

Filesize
201KB

MD5
1fddf8e601b8ef0b7d17f529094ae3db

SHA1
ef2ac2698e20dfdf148cdfe52ed1e4232e785f11

SHA256
ab27872d9f8e2dcc04eb9e2e7a0fd8011939cb23d2fa568878daabe0e763c48a

SHA512
2478e291b3be3c967cae897e150d8e2c7bec55690a1556f9482db3731ebbd56a4c72210f346527db4a85a9f1c8c3d825a38b953a7bc999abe59f118143228a1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\QEkO.exe

Filesize
288KB

MD5
f88d8aea9b88a1dac0184dbcd5533f40

SHA1
42ffcedb9e1639a32b6fbaa15bd120aaf799cb7d

SHA256
ea9c22f7df13fc4376f38c59fec5fa92529b7a27da4492237950402bd19abe83

SHA512
bb0b57dfcf98d31949ec05952c38c79d6a82d2e9e783e34c85f886f12920182ea048dd4e03ff4786e9c6d987a53c818926678f40653d75727e44a78397e29d89

Download Submit
C:\Users\Admin\AppData\Local\Temp\QMsW.exe

Filesize
194KB

MD5
4e69e359da015b41bb49931377cdb6c2

SHA1
34b5e2c9ebd5d1756b5b40c424c0009f80f7dfcc

SHA256
c758590e5160f80f2734e90e9245e83f271dbd04dd4d4aaac81fc3ba0a210c1d

SHA512
77a2b651dd3df65b63d24a9e8d45528b54856fb56eee01cf0a5a62fbc00e41c29716d72e42862e05cc3d8b31c7d356d8b43533fce6d52ae0a2c78f485e75e8fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qgki.exe

Filesize
642KB

MD5
057648dd5a34f870a8c721c036a83ede

SHA1
2e83c3b89853ec831ca692598639c9ed7c147c21

SHA256
a3bb4ffc8ea46b57c0fe2dc2e94da6f74228b0dcb90a7963d8047283ca55dbeb

SHA512
5dafc5de27a2b7443cf293e304d95f809e93ff02382996f31041cd3392ffbd6830d67b22c3422e2949a160abbc2b025bdb796245fdd358f6ba317343113d8ce0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qgoe.exe

Filesize
676KB

MD5
f434239f757440d69ac43a6a20fc9df8

SHA1
c7bd29fd382984b0ebb64478ce2ebcff3faf0bc7

SHA256
2e3d0cc5652472a06752d1f0d0717ab5d03cb63e251edba0623636e8230bf362

SHA512
e10f0b2ac2e76c29a224e4aa0921feecaa094ec8eb20de61b9b9513d156710b3c2b50027c41a8f7c11e15fc55753fcc9d792e8a9a378d16fa0f7762e6dbca97f

Download Submit
C:\Users\Admin\AppData\Local\Temp\QsMg.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\SMcg.exe

Filesize
780KB

MD5
81c8acefdc66d2b856c42ba8668baf59

SHA1
8c4f31ce4bd097b96a65984bfa971250f64fd187

SHA256
263f95c1f875cf959d0bb39ab59bdd57f16d97959f970cacfb992b770d2b40a9

SHA512
da14f1b9dbd1169f60724b49e8b55877ac6a6f6415ad510513b12cdf695adbee7517560b672ebda8a873b549242cacda6896b7f617b995cab45f32f602698a1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\SQoQ.exe

Filesize
1.2MB

MD5
7cba2bc14a173183cdc3f62903ed90fb

SHA1
6338f56e6ea2582424141a455289cd5443213bdc

SHA256
d7036f8bcdc17b12a8a5b62f530b029f23a3a14dd6a9d558efb79900ec0f4b40

SHA512
a8cc0da97b2f03ab9d7777cec06f3140d97f9aff7e0748c04335292363e57ee1785f7accdc304079c5731a4733b4726ef600f6816e763425dbd77368502fb0b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\SoIi.exe

Filesize
1.1MB

MD5
1edba426c9bacb2af95b3205b6301bd9

SHA1
e83682909e482b4bdb31f02b1644ad62f35037aa

SHA256
e73394e8ad250a3347ca05b530ff0c297b939be41e6d98e5f7afac6a48b2cd0c

SHA512
2d12bd04b40ab0333394b320020129c1911d158864812ab15e593c837ed4ec6d80c9381de92725b44a61f86519aa686f285e30d17c9b0988a90e2976396908cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ssgi.exe

Filesize
208KB

MD5
c8f4c74dbb22a1a77d06b8cd73837c15

SHA1
dcf1b3d10d7e39b74335e835654ac546a99c9906

SHA256
d72d51b0cc7c571e33cf11cbf9a55e02ee7547ff165de9aca7ccbf28c75df520

SHA512
2780c63c5546f314e9d2b7ab18c4c5eb17d445aeae19c050809ae1ecfc3d9f7d2073a568259916e64ba33545930068f0517875ee55e2e4137ad630e865220814

Download Submit
C:\Users\Admin\AppData\Local\Temp\SwEU.exe

Filesize
194KB

MD5
4861e0ef65c6dc631fed20b9bd07e0a2

SHA1
25c57e5e6f20f7c3ed3f6fb3f97320557249f721

SHA256
df4bc438403afee49b9f9670d790607a84b09c39512d4cf87b613e3aef279b6b

SHA512
bdeb4864211fed92c795a8f068938594c433dd2be3138cf14ea390a89ad8535e8b7f6b7b719d387b7fd017b3ecae696d4c564acf1ddbd82deed657dbbafad4b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\UIEg.exe

Filesize
202KB

MD5
cb42e8592625a5acf058a37cb416463d

SHA1
c87db52aaa714c77f1a48334682e4dbcc6a4a742

SHA256
22bb2277308bf7afcfe7b94a4565f1f743ae4bf10d38f6c68628e4819e89cca1

SHA512
f995b18c2b0409bf9288e80323e72d42e8fd95fbd5fab0946059c4ea364d3c6f87bba6d4452c6423678c0197df89b14ea1c676e5a4cf74f44b92442f3c80ecfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\UYAe.exe

Filesize
199KB

MD5
9eb6dd621f7dda9eacb7b425030a6cb2

SHA1
a772db38e98e087bda63e8096b989af5a5fa8e19

SHA256
ea26865af899988b841e3c7259239342fce31b19369f65b60a465aceae794be1

SHA512
c8db3d4cf2d76e963d139314cd681c44b5c421e05f4dc536dd7a6027e0fd1ed53220c93871019b2fe6da1ea9c314bd6bb623634145b5cdec2cbd274517959ba0

Download Submit
C:\Users\Admin\AppData\Local\Temp\UYoQ.exe

Filesize
225KB

MD5
adc530faa94e0a0d884e885c1f385217

SHA1
49593ba58447bc8af2f7eb60833bb684360635b4

SHA256
5b28b919d776c6b24829e867d6e2d5dc0c8a37db2c37518bc50ff498365700e0

SHA512
9e9b51a61ea510d90635e2b9d22669164d64f59aa0b8b87b02474d3fab892896c924f55d23fd9ca3df92d4dcafc3064653bb807163c3b5ab9ae7502efb295f3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\UkwM.exe

Filesize
222KB

MD5
9b2252fbf858a750b26048e9e904e5c4

SHA1
15b82e355c9ac34f799bf7606df92553283477be

SHA256
ea581e61ed56d2009dc3d1f1df8a1e3365e229294908d2962870b5291fb6fdcb

SHA512
727ad309248a84e0fed1b0719221b19698e53b0225bc7453b5bfc175c24ac15ce6377bc042b79a1137e077801321e54ee69326f685a910d8085f28a86b63f568

Download Submit
C:\Users\Admin\AppData\Local\Temp\WYQo.exe

Filesize
797KB

MD5
214cc312295f721d5a574ea6a6b4a3fa

SHA1
cf380880fc792b6f79c21715911cfbcd66f631fa

SHA256
fe130d5d4cb78e9e9dd249ee8b72bafe2656755ba1917f88d91025631b0f50ad

SHA512
0e3b0b35767fead1e9e57b68d086fb98110b0dadf314662c3955d51bf0a62a9a41bd61196ecaed569402b81d2d5041e5fd7db30d92d393010afb6bc733233c4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\WgYK.exe

Filesize
791KB

MD5
9c6a1a64283d58fc990e1afb1591cffa

SHA1
77388f466881ac3c250825ba555d54487547abc5

SHA256
b57491fe056c2b614630cbfa3d5015a4c18d0945c6eae6c6cec477eb702595da

SHA512
a283c85a6c6027a9123ce4c14ef6db950b8cdee5730f0c92ac648169af2931eae834f7eb2b40d22062d00e7f558f174ea1ceb790728ef62ae615bcf4c486a818

Download Submit
C:\Users\Admin\AppData\Local\Temp\WwAs.exe

Filesize
181KB

MD5
1f26a981f3a7adf370cf7416b7411f5c

SHA1
cd17f14cf4b5f5643869231767e91b65f5c1aa28

SHA256
cf120a6f34e7cb7ef72e6f6a3e8939e06dd0ee81295ee8d01cdf0ecb7f4630b2

SHA512
131cb6ba52bb1d8771bada6c9919518600e8ede1f2fa97d5930d233119be85c2b6e2f2d9521ec70ff30050d9080860514a9dd36e7248f8c3a01b35762c04d0d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\WwUg.exe

Filesize
197KB

MD5
8351b74d29bba637b25897325ceb6c2f

SHA1
f610426da2e21ed513d6861b6b49e20e736b7e7b

SHA256
81145591750b8503e5f5c152ce0ed14ad34ca771623074bd8e9acf20065e6663

SHA512
77ea4d7907298685ddb525bf697ccd04eed824cc8104c196a1f8acf87dbf5476e44941d5a28a987524a2bb7857d016acf43492735979001977a1e3e0ffd8c102

Download Submit
C:\Users\Admin\AppData\Local\Temp\YIAk.exe

Filesize
200KB

MD5
eebaf30331215936d5e34da60b149f00

SHA1
105fb6352f4205e4d0ffb5db39535df16a5d8c2f

SHA256
3a2bfc6658739e3d5593271d55d4d6596c4925286086fb6c01ee22e03259fc70

SHA512
86b7e1163c48ac2ae58f8ce22384b90b2feb69a7e445e90f54eee980bdc74819bdf56c76cf7666cc215ea5aa395fe28f1a42fe85177ccaa3e7b1b5417dbe7ac5

Download Submit
C:\Users\Admin\AppData\Local\Temp\YMEs.exe

Filesize
327KB

MD5
d30e49295a46797f4b4aa804b12912b1

SHA1
7ff75bf38a061b1f25b639776c4baa930c741a93

SHA256
089e6a02e94a30fac32b24b5611c80ecd74eabfd4cf3bc34f722e26fcafd21e1

SHA512
bbdcdd3261a3cbbca8424ba44b60230a797d9e8b4a02bd45357f66e174397c62eb9e23b86b3b74271cf6f24bfd220bb70f089c81d9ee44b453d971f1441347dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\YMkw.exe

Filesize
371KB

MD5
03f72349869b717f3dfb1fa201ccd5e5

SHA1
8222deb3c6c7f3cba9278d83eb3c1d09c16e5972

SHA256
7484f7ccd103c40544912ff9859129e4636a292069eac61c424f4c47d8cda4a5

SHA512
0aff3811e058c480a5e716a3e2eb2fdcf55040396813fe3b7fb3989450611508fcfc0464cd2ca740fcd4ce0e4a890b1d0c59f5452d587467c1b29c557649c244

Download Submit
C:\Users\Admin\AppData\Local\Temp\YYQc.exe

Filesize
652KB

MD5
e05741b0a6142327e929500d33c587ed

SHA1
227188264cfdf19f7c0e82791cc90c3a5c8892c3

SHA256
658908172033b0d28f2dab75a8e881faa5aebd98cf4a0ebd30c49857a553453b

SHA512
0687bc5fa02b9b9407d1910225a73a4225dd3771ca321a09a5c185bcca193444c06cf8b07b84dd3f9adc874f13523436a7306b04a1a206990928e9cd62e7d229

Download Submit
C:\Users\Admin\AppData\Local\Temp\aEAq.exe

Filesize
186KB

MD5
a7224b5abc1ebeaabd748bd338b5d62b

SHA1
8f071598ecb4d1bfa1f2d7b2910f54cf8039ed07

SHA256
986f8b3bbd42b399cf82cc1288bf11b9727ff1bb04121c0c95564d56658ebada

SHA512
0fdbe8fa898fb350469ce585a90110646076d500f2f51722e3b298b8696193109657f44444407bb5590f3cd0e15fe297f86d91f75b89382000aea8f627991139

Download Submit
C:\Users\Admin\AppData\Local\Temp\cIgO.exe

Filesize
1004KB

MD5
2396f17fdacd6f9105ebdc97b90c3db0

SHA1
51c67ad6be1cd1c38aed429e5621bc24264936b2

SHA256
583cd0630c1e96bff217f40f06d6c636bfd09a0fcc264b0bf6c1ea25043bdfa1

SHA512
0403c0f6a868a990ad94f87565959a345574d7266c005a5e0f23d69eb5bf0c162eddb4a0b2b4e434fdfd02d8e86381d2a50b455779987a1514d424d52a6934e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\cIoG.exe

Filesize
569KB

MD5
891b9b0608deb7e0d19a2490872479c8

SHA1
4ef86cbf440e7dbac6942c3dd01618b391969bdd

SHA256
a2ef08fdd84c76bf110c3fde97d381d2c7fbd9426d4a8e5017bb5041130a9a90

SHA512
ad9857744a82cdb013f3abe920c3ef3e68ed062b688e682738bf3e74671123f8decc7f8fa3fa43de5159f4f462dbf40cd9a4f0be14a9dbc0a77520baa3a9c4f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\cMUO.exe

Filesize
5.9MB

MD5
83005416c82238bbd4e73e442ea273ea

SHA1
ce19d3b2da83c8e1a1e3122dddb043419fcc460a

SHA256
287a250faf0df3482aaf3659378010ca9adb6a4af328825e4adcfa97b68e9603

SHA512
c597c25facc75c5e3efc3f2bc13727fefbdc85c2d01b7c3f7b6d35a1d2a660ae828a8fef07750d162896905822ef2de3686a444aad723f48642d727c4e9cb6cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\cYUQ.exe

Filesize
585KB

MD5
25f1eeffb3204c1bdeedb4afc0ed338f

SHA1
7e2fba293b23b7a4623e299748008d4dcf4a13a6

SHA256
669d9ba5903661450de96afdc08329097bdec49f7ef55ff2202f0859e168c12c

SHA512
33cdda27a62db1b8f0ebcf96d4b04879105b9886a82f409005a0aff816f1a9cfc70f89db89943a0a3fcf03b536671329595215365ecdf7c714708bda964a77cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\coQC.exe

Filesize
197KB

MD5
d9f5aef61fa59170f5a3edd127ba4c63

SHA1
81ed96a067c9a9ae1db643a9e01488fae8dac4e3

SHA256
cbe1a02e58ca4f05149c9171cea46d35e1ef57767d73a59b86cbdf11605ece46

SHA512
18f37daec43c24b26b2a3d1bb9df1cd55af3322a50d43b7f95518913ed91e1b22d22829283afc13aa89be2499445ffefefa00bd0a69612017a0bd2902d5d4980

Download Submit
C:\Users\Admin\AppData\Local\Temp\cscu.exe

Filesize
204KB

MD5
7d4704ece7939477f15ed077a704c791

SHA1
93b487958ce2bbf6c25da29a8ddec85b7219a30c

SHA256
e201e373b900ea4d4e0bd06c403c7241083341e3d4578d318ee7cd571ce4dd2a

SHA512
b01a291d3231e1c58374848ba792155cf9f5123302c08bfd7cc418e8a0075f52dabc8b58242609bf1144edd58e91c7c623b43d3960e9d594ec41763c9ab4b62b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cwQu.exe

Filesize
185KB

MD5
37a3289377b7603c9c4a5a178d244e57

SHA1
246f8bb5b6364fdbe6035b74de214b0618035904

SHA256
60f5e029edba44806e2a2b59652fd71530f27a7c51a80936d4563e9b117f9934

SHA512
a589f360169d1839dbd1f9aaadd2485a076e18ea38b39d5b377535853c2d98f34e89e1f11bba73096644de80c71129b23b20b614a2aa759cbd3789efe16c886f

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gkga.exe

Filesize
269KB

MD5
633ce7d433b7bd7417e3bb8d30f279c1

SHA1
c1d5eca7947df733ecac0462baa1dbab69a11e65

SHA256
f1fda341dd7d72ab26571da6fb2a04d80f3ef567a7f59bd6ef2cfa6134fe6193

SHA512
0ea293339fcd9d628c65be1e392f35abfd609cd306a4a7d115f16236d9762caa59181e93d626c2e011205bac6d7191b629b66a9ab1f01e8581740146e4791648

Download Submit
C:\Users\Admin\AppData\Local\Temp\ikgc.exe

Filesize
201KB

MD5
fc811afda4058a759038e08244f9d2db

SHA1
3dc5494ebc4cbc4218b3b9d82ca7f25051a5dd83

SHA256
f9870a2cc99c16aca40085e053a6ba475214f7edf97e0c4054af47039f34a21d

SHA512
66fa0b38955cba96b48dbc95acb2b8d73e9290657bc9023fe0a3263ca85ee93cef2f8166ebdab90ec71f3779e962864ceb422c2f584b4706d7e295687a4d2059

Download Submit
C:\Users\Admin\AppData\Local\Temp\issY.exe

Filesize
1023KB

MD5
7c40e278c864629bac28de60445aa387

SHA1
a23921f1a88d27bb7a8c1befad21006b06846e9e

SHA256
acdbd7dd36db7a491ded8d9261194046c0b9d3aa2763ab8ad082ee44062dc642

SHA512
ddeb0f0cd96611c8a1f438f10fa5ca52d94d1ccd2bf527f80ac2a70709b6f8e34d4df3126d8f41c017f75691aba4dd25c9d076d4079342b602935e896598de2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\kAEO.exe

Filesize
196KB

MD5
f224840fb342adb735b0e2c4014cb25e

SHA1
d1b903a497b371a0121ee80fcde2fc3275f8cbfd

SHA256
b328987e1845e88b2a48cbf4e8d35654de29e3e95f73f5616c6942a5ecbf3e75

SHA512
23e1c49b758622addc08a7e1f2e086b27a20c545c78f38fcaace59a6fd8dee353cc88e11802d4bc8750d9d2cfc99078058c7c8cd1e7b279c594e7e6dba1739d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\kAQO.exe

Filesize
188KB

MD5
9ca364c6463d5bc9282b3920d18b0ac4

SHA1
1f6d5797244eec47c12b6ba57e9d0f143fe69885

SHA256
638da5a56435791a4e8e13c3129baf76d457dcc1f897154446a6098fb9f0beb4

SHA512
448f26718200673c52586faaeeb4b793c92a0fafe1209def5d66f86e71c24bcafa64893e8e5965def69be7f64a7d90923cd4026326752527af0ddf4b41b7216b

Download Submit
C:\Users\Admin\AppData\Local\Temp\kMUM.exe

Filesize
815KB

MD5
8c0a43a20bdc69c63b334e3626a8fc1a

SHA1
111153119754a8b64ec04e3ecad98371b52c85ba

SHA256
f319915acbf0f8031f2da656cc3a59c63527c3a55b4b548da56600ad72260186

SHA512
c79f6fad8d6d3661dcf29d9893b67348dea1ef8a82864e6778b3c399ee7295c085faa5318e1cc5996a0a562a21fa0c0683fd93623c9f51933db449ded763e66e

Download Submit
C:\Users\Admin\AppData\Local\Temp\kUMo.exe

Filesize
184KB

MD5
5d3fa5b5f83f438874de05068bdf3bad

SHA1
482459cf09c1a753ba551ec57d6ebca3db751c16

SHA256
753a71e05224967aa64fe863e9dd0e9ccb438a8706c60ff365d2c74d8faf2608

SHA512
0f8f21717edbc9479fc3f47844b087a04607940fbcc9b7ec4305151190feddb22c6ba63d9f1cd4ab18a3d9fb8621470ade8810e4c5275cb527a5831043c9ea14

Download Submit
C:\Users\Admin\AppData\Local\Temp\kYow.exe

Filesize
192KB

MD5
cfa453568a8dc77d09fecb7d07f46e13

SHA1
0a6d1057ee9685c6f8fbe7996b77f17c9bffe1bf

SHA256
34efe112200d93e9c5d0bb5cb8e7a5df8085321ccd3fd0af61bab75821c5db41

SHA512
32e0ac0205151dc0cde214576c331a23cbc0495c6e6bee390d796f3a88d716e1f07b5de9ba5eeb525b128628a39d67302210d71aa7365ed46cb8ed875b1ba2f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\kcQa.exe

Filesize
327KB

MD5
849ec1ca1db4c2678ec48e5e713e8827

SHA1
09574baad8e2d623808c6c5173cd7cd59ac10ef5

SHA256
e46be77656bfdcd74e54cfce49631fa57872151cf6aed4dd500c9651cb44710d

SHA512
d47195354ecf4a32bb32c1b11a31faf7ed152ef8193f68f2c108bef832eb532c607c9f358cc7a4c1d6ddab2add74f17813806ab0cf30f9b45276ef7ddf91231a

Download Submit
C:\Users\Admin\AppData\Local\Temp\kwIM.exe

Filesize
203KB

MD5
486488eefd45fd4a3bdaac532ecb8646

SHA1
822bc052f55169372edb4c4e1906fefec97d1391

SHA256
206066651dd51d841b3a807975095cbccc6e25b309b0e3993dd91cf1c4bcfceb

SHA512
cced71c08f6bd6aaa04a979d8bd2d6d94d57ea3a32eded86f8ef10fdfe6621e9f6d3cda16abcab5688a5c5bb42c0a04714ae21b9bc6efefd94455957b3fd1125

Download Submit
C:\Users\Admin\AppData\Local\Temp\mEIU.exe

Filesize
5.9MB

MD5
66a2387ee806cb6ff3ad9ee9dea9f28f

SHA1
d9e558ba871f47ad55b4914da0b71a04acddb476

SHA256
1abe47232cdbf4c56de88cab49bbee72ad3958fc6702c647b56494389da22744

SHA512
c8758d5de5be178ff2ffc77d5001ab9103737f57bfd7652fd25c809d70516a74556ad46bbd570a7711c89c1ae7caf0b57f1a8683e8baa6f99b49c5f079169018

Download Submit
C:\Users\Admin\AppData\Local\Temp\mIEK.exe

Filesize
773KB

MD5
d29caadfc9bc46478e8a3cbdd12fbb0b

SHA1
fc03dfa8e3936c371d5479fc8d1cdfc2e98dff95

SHA256
c7d17abba0f0cbbe85a0f9e0b243f958ec0cc8cb41ef1ea2dd7e16719df702f5

SHA512
db317c627680ef2f1cf4addc629f44c2fdd32488ec77fe83a5496f0ce8bb24efc4a1388fc5e4cb9cf99d47b3cdbec0ab68addfb6130b036d4b37486497e893d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\mUkA.ico

Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\AppData\Local\Temp\mowK.exe

Filesize
202KB

MD5
ac26b032251daa210900de382b6ff4aa

SHA1
0cab87f31bc1ba566051c402a6acf633f6978709

SHA256
45179b90ba2a94a2718fcb1ada5e54a96f1b1f5abc78b42d2a020007e0d83310

SHA512
5df06571cbb533a43d5df6a0fcdc68bc97984605f2aa471705e6cf390cb715ff33f6318133febe4f8925269bff94a4020dbb3074e74403d718d47ae577b60838

Download Submit
C:\Users\Admin\AppData\Local\Temp\oIIW.exe

Filesize
204KB

MD5
677d3878e3f7b048baeeddee54489396

SHA1
549689a1b5d72134867ffb06d751750b2fd9604f

SHA256
27463328fa2958ddd96500de8ce1f655c75bb843a4ec898b3fd6fe57d8765166

SHA512
2baf45b2f939c592b1831679b5736d8e2736f9d1e958320bd2a56eab315b063e40332fb3c5eeedb3b1bda8152249070b9b32f0538a535d3f857307a25b7b5929

Download Submit
C:\Users\Admin\AppData\Local\Temp\oYQG.exe

Filesize
326KB

MD5
cdea13505d70cbe6bd727d30836a1820

SHA1
3e84839b240721e79f378eecd08e4b707053afb6

SHA256
694d11e76ee968c352738e15c308a5ef8552ee3d5f9a8d78af5d82262f373065

SHA512
f18348a7f67cb92c6a14a7be272e3268fadee3871eb6370467107867a6669569f25ac7cc618d4bd79cfb0b9f1156ca3d0e9457f1e037168fa5a13941ac8098a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\osQc.exe

Filesize
895KB

MD5
c3b98b3b78a932bfb963b0db31126b02

SHA1
82dbda6d154a7562c2f26a75e324bad19616dee2

SHA256
e40199e0d380abfa96f1a7c3f95e70723b986a37dfce0ff33d4a38845e55af2e

SHA512
2cc38c76da475c726694564293da3183b96362be045e4c7523d1d4d6d4ff268430622f1dce9455f0b318b4e6a4f6ae30e13934f7eb3c8a5fe9b3c3670098e857

Download Submit
C:\Users\Admin\AppData\Local\Temp\qEAM.exe

Filesize
196KB

MD5
248bb4d0e315689f3d61fe0b42a7bd07

SHA1
4d1d9c71b6f2d683300021451b69645d36670e59

SHA256
08d2bdf747e1604605ecb8770becbb09adc7e4f72c050d1cac96ed645bd4cbb9

SHA512
93ad54506ffc154ef703b50b8226902da4510b2eb8d99c6c76da823ce60fdbf41cb88a1fcc0422be6588e64ca7d1e6206d35663e1c9751694d89288a4696cd14

Download Submit
C:\Users\Admin\AppData\Local\Temp\qQAi.exe

Filesize
193KB

MD5
4113d58fa51a000328287085d68a341d

SHA1
f1ca08b0d3d21c74f7d0367a49ca02ca978c2b8a

SHA256
3473a3fb900008f555ab6d3760d517a7fa40b955b1d6f67c7988aed13d80946f

SHA512
a1fc878d4168d7346b09267cafd872465ecbcb1c9169ee13c8df66235f7100dc54de4837ef531ffede482e88eb7a40565c4bb2e2ce1c988b4382af648c534568

Download Submit
C:\Users\Admin\AppData\Local\Temp\qUkq.exe

Filesize
230KB

MD5
b16812ca4d2302fa4a69224778bf39ef

SHA1
f42d1c6ddce9fc4f09deec1cc4e60d3019bfec1f

SHA256
448590ef438cd3ab69d9710ddd98825b86e86fe90d125a78b99634507d660c8d

SHA512
de35d388969a3186f2fdfd6bdefccd1833a3bef3fff1ee4a75c90787315ecbcab8a40b88395458a9e1b1bee3c7a001730c4ee7533573c0d4e7b53a636aec2194

Download Submit
C:\Users\Admin\AppData\Local\Temp\qokg.exe

Filesize
185KB

MD5
048742b5ba2882d0d4add4502ee0c079

SHA1
449e3a8ad0ccba8993e6e5110296df39de785cf6

SHA256
7ca4ee6dd334346bf3ba67ed0288148030db486b372367be5a78a2b1b2bad2b2

SHA512
3e172c10c829c55398b8a13551d4397da20c08173c3b71e77e04209eef9e0d8f8be0520b3d900173ecb72a8b758e289dd2470b82de85eb5b6a149db9bf8dbdc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\qski.exe

Filesize
203KB

MD5
9974006a8d3ae573c96482e8a0860d65

SHA1
0f020e36d45a7c731e900a2a02c3a0af1ca87330

SHA256
0d4c572041d4fea83490fa721faa8478d24c7ac61f7ac585dcc5978ad7ede24e

SHA512
8728fc9770dbf98dbfdc90fca3dd4f2ff2bbbb10d1133153e9b3917861f7bfb00dd6e49e87202dc8b6535569ce76809fc5f6ce01113fc2e67852eed8d6946559

Download Submit
C:\Users\Admin\AppData\Local\Temp\qwkG.exe

Filesize
181KB

MD5
986b9b40af2922495b6af217e9d63df8

SHA1
04ee45ac923244fd20c806978f662d472bb1a670

SHA256
e9480d8b005fdf5578167a2060d88ccbba345a9078667a0a65e41213142d0a44

SHA512
db8dee0be50fc7777fc74b23111e21c9fa32789f13469e240ddf79ebe1cf32683d38c758427431b389204251a84e63695a35ae0810ead33c3b014c9ef978f1d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\sIEa.exe

Filesize
205KB

MD5
8980b4756f165590efacabe58716385c

SHA1
58fe919a92c28ef66f0856219804aefd26e48fb3

SHA256
29c0a13be3cd51c8f7803e29aee3e50137eaee73cddb00d7581663bd9e5bbd13

SHA512
fb68342a3bf2b397b90d2e46492009cc384ac2074ff8507636531a2a660fef18a314876928cb923a091574b602ae8e95c2f7f94836908a8a9a7a5027586a9c6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\sowm.exe

Filesize
184KB

MD5
a22060f7ceab1a54ec9e6959d3c8be11

SHA1
060fbe8a4870b5dde2c9bca9c273113017eac47e

SHA256
527aeda24bafdcf2a6b68e0eada8cb1358f1fb08c32810a565d4aabe1710ddfd

SHA512
019a72339649aaddb1b00c806a369bc87377d375758fd2c677e5891ca11223c9d5ae903d36052772e732c7be9731d2d5e90ad84d094b310c04dbadb12a625a42

Download Submit
C:\Users\Admin\AppData\Local\Temp\uIsy.exe

Filesize
200KB

MD5
82241a35e2e40c7e5de178bb32a3f4a4

SHA1
515468c6dda2398d8585a0086086abcddc305e39

SHA256
329d432c24aa136de7863ca0ed184bb250a0a7f41721f03fa975d6b70b5bdb18

SHA512
ad3d3b45409e175bf5e07f302185881dc6880d0208c35563e8f6936e3a96437c5ee33e30fea6fe05b89e1d42dfb83aadd862d69aef1e102f97873a1e3f6531a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ukwI.ico

Filesize
4KB

MD5
6edd371bd7a23ec01c6a00d53f8723d1

SHA1
7b649ce267a19686d2d07a6c3ee2ca852a549ee6

SHA256
0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7

SHA512
65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\wAMG.ico

Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\wEwQ.exe

Filesize
188KB

MD5
8b05185b0c2551c635c0145318067af2

SHA1
42a75e295799d88595b368f560e62c4b5575a2e4

SHA256
81e08dfc15575fbd50b214ff2c85e5383cbf7477861b2f42b854be5ab47e2112

SHA512
171d3fa6fac09279890cfda8ea98ab41081ed6f1fd2417ea55918d175f69b4d9fc5ab200c9c275587fc588c09ba1c222a7aa933ff768e0a73b4679aa5f9d72d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\wkokMEYY.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\wwIq.exe

Filesize
203KB

MD5
201f077feba623e898e22a44d6a5b6cb

SHA1
2b391ce4d232100d7478935664192f540ea82a2b

SHA256
c22f7415ca7bd8244348d1d162d7ec762db113440878adf0168633d72dc2523a

SHA512
bd3e4ebb5433bff5c59d6f5abaa87a83dacf205db23635eb0d048fbac8f07812658a49d83b92a64091b690cbb6b4dd725cdd2d0bd3c395152b5930cd1a98881f

Download Submit
C:\Users\Admin\AppData\Local\Temp\yMUC.exe

Filesize
201KB

MD5
5ae3e1c245507e8ec7103745641c6d32

SHA1
e2465ff7be8940ac6e4c4bf56d66f0933759479d

SHA256
7ece86fce326347dc54ecd87f61123addc4fbedf4927ee3d3969640099a4d363

SHA512
1c7a4dfc3ec153f25613c7dcad95d3ac1ee97aee6b1056bf7182c85abfce29a68992928374be33c7fd5c02fe73d1f3c640617f7f83e095362abccf89229121a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\yQsa.exe

Filesize
220KB

MD5
c11a77737aee940f53ec78641e53e7ad

SHA1
d9b1afc0247e2718b5169c8a42210bead8f3299c

SHA256
1f3d718672c2965c909fe34eeb50fe709d5e9eff668f1cb35c76f9d57a48982b

SHA512
ef47eabda23cfa8efe9e571450dc2c0e09fb5ef06278379f1fa3846b592c7d042346ca1c90f8ee412526168fc479c6a109f3d1b8bb294f58d5589e8ea9ea3746

Download Submit
C:\Users\Admin\AppData\Local\Temp\yUwk.ico

Filesize
4KB

MD5
7ebb1c3b3f5ee39434e36aeb4c07ee8b

SHA1
7b4e7562e3a12b37862e0d5ecf94581ec130658f

SHA256
be3e79875f3e84bab8ed51f6028b198f5e8472c60dcedf757af2e1bdf2aa5742

SHA512
2f69ae3d746a4ae770c5dd1722fba7c3f88a799cc005dd86990fd1b2238896ac2f5c06e02bd23304c31e54309183c2a7cb5cbab4b51890ab1cefee5d13556af6

Download Submit
C:\Users\Admin\AppData\Local\Temp\yoko.exe

Filesize
299KB

MD5
2f8839c25f8506993e85b8786d639f85

SHA1
2b58ede777b66cc3f0845e4590f5edf0d1f9a8ee

SHA256
65670801ae4fc05c19aa46671e63ad4d9b5ad03f1d163214553ef4ca9cf89215

SHA512
22f14648ca4f7139d08c6c4717f31bb57ce67331e6fab5918da10f1b3be8a6196ce26c26444201312ee7881ed4dd69ac288a0eaa6b0d8ce55e00e7427b4d384a

Download Submit
C:\Users\Admin\kIkQkMYQ\SeQIsQgk.exe

Filesize
186KB

MD5
d35d229aa7651b1b9d921fc9efc928e8

SHA1
c5e1eb625b863a7c17581662d0592d758e452b00

SHA256
dac193dfa8671b780a54391f5b26e7b1c1ec1b8f274be4491545ccff537772a8

SHA512
01fe1e93ddda05b44d42d0d794ff6bfafb4b4ea92b21a0ce5c1aa562abb8b11fa3ce1d81fb2450cc5070eceb2c1ecb9e2503e08d78213b7afaf06af83480cdd2

Download Submit
C:\Users\Admin\kIkQkMYQ\SeQIsQgk.inf

Filesize
4B

MD5
65e472eeb49aff8375fd7913adbd5b45

SHA1
6462d430ce66aec136e2d61103865520ab8a3bb3

SHA256
ad3dc3e793382ab4ad1ce9d2e1e1d8f52b9a27e14c4dc822be33f0f014506a43

SHA512
5e5fbac0a8fdf7a2a89cc26ca2d91163cb4bfb6d60dcc4abb8dbdb7a7d5bcf42f5e11a7fa06a49b2d081cad9a26428dbcf29233b1e4cae841ff29ac61c26b7b7

Download Submit
memory/208-540-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/208-527-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/372-265-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/372-255-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/752-192-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/752-357-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/752-178-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/784-373-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/784-385-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/824-587-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/944-376-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1000-94-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1020-275-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1020-285-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1052-512-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1052-501-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1068-493-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1196-274-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1196-266-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1392-393-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1456-293-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1456-302-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1520-358-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1520-366-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1624-46-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1624-58-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1652-595-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1760-568-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1760-557-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1784-331-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1784-322-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1928-502-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2068-402-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2068-394-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2292-539-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2292-550-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2296-560-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2296-106-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2296-551-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2484-429-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2616-475-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2616-463-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2652-421-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2676-12-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2684-312-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2684-303-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2888-457-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2888-467-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2920-45-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2920-29-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3004-130-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3008-203-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3008-217-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3220-256-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3220-243-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3424-19-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3424-34-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3444-330-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3444-339-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3468-155-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3468-168-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3596-349-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3740-20-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3740-0-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3892-70-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3892-54-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3984-522-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3984-511-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4196-15-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4260-142-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4260-154-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4352-438-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4352-449-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4356-181-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4356-172-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4356-294-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4528-519-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4528-531-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4572-485-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4708-569-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4708-578-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4836-102-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4836-118-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4864-321-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4912-228-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4960-445-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4960-458-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5036-403-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5036-413-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5048-244-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5056-131-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5056-143-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5080-437-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5088-206-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5100-67-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5100-83-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download