29b205cd7255ed3a9a1078bd396dafe33966ebe5a289881a7f169eabd76ac5ed

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13-09-2024 16:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
Size

203KB
MD5

bb58b8f9026bd66985f7ea212561022a
SHA1

c15422826787e085d0d7b3fcfd1d7f0adb68143d
SHA256

29b205cd7255ed3a9a1078bd396dafe33966ebe5a289881a7f169eabd76ac5ed
SHA512

c4ce24fd55664934f09354e822b9051f90fa84079da30185142b5469d711d1af244b0cf4bc2689f801c9c38da2a88dcabc8d85044f5a1bc30df9044bebfe4d67
SSDEEP

6144:ccevyodMBtHBEPLW7VinSBth+3mJLi9FM9QU2hwnkptBhmiX:cLeBtHBEPLW7VinSBth+3cLi9XU2h2i7

Score

10^/10

discovery evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (83) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	iYsEMcUM.exe

Executes dropped EXE 2 IoCs

pid	Process
3276	iYsEMcUM.exe
2384	cSkYcoAo.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\iYsEMcUM.exe = "C:\\Users\\Admin\\gWYwYEAU\\iYsEMcUM.exe"	2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cSkYcoAo.exe = "C:\\ProgramData\\dCkwkUgY\\cSkYcoAo.exe"	2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\iYsEMcUM.exe = "C:\\Users\\Admin\\gWYwYEAU\\iYsEMcUM.exe"	iYsEMcUM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cSkYcoAo.exe = "C:\\ProgramData\\dCkwkUgY\\cSkYcoAo.exe"	cSkYcoAo.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iYsEMcUM.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
3592	reg.exe
1408	reg.exe
3516	reg.exe
2152	reg.exe
2780	reg.exe
380	reg.exe
4820	reg.exe
5052	reg.exe
3936	reg.exe
2620	reg.exe
4332	reg.exe
552	Process not Found
2708	reg.exe
796	reg.exe
4452	reg.exe
1588	reg.exe
5084	reg.exe
4976	reg.exe
4348	reg.exe
4868	reg.exe
4184	reg.exe
5088	reg.exe
4972	reg.exe
2456	reg.exe
4692	reg.exe
4692	reg.exe
552	reg.exe
5088	Process not Found
748	reg.exe
4448	reg.exe
3588	reg.exe
3772	reg.exe
868	reg.exe
3756	reg.exe
4528	reg.exe
1080	reg.exe
4388	reg.exe
5012	Process not Found
4048	reg.exe
2240	reg.exe
4040	reg.exe
3792	Process not Found
3124	reg.exe
552	reg.exe
4692	reg.exe
220	reg.exe
64	reg.exe
4992	reg.exe
3704	reg.exe
3532	reg.exe
4520	reg.exe
4496	reg.exe
564	reg.exe
3464	reg.exe
4660	reg.exe
4336	reg.exe
4732	Process not Found
3924	reg.exe
1028	reg.exe
3420	reg.exe
1912	reg.exe
4556	reg.exe
4376	reg.exe
2324	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4588	2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
4588	2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
4588	2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
4588	2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
5004	2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
5004	2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
5004	2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
5004	2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
5024	2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
5024	2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
5024	2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
5024	2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
2152	2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
2152	2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
2152	2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
2152	2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
1684	2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
1684	2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
1684	2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
1684	2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
1408	2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
1408	2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
1408	2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
1408	2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
808	2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
808	2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
808	2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
808	2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
2240	2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
2240	2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
2240	2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
2240	2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
2052	2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
2052	2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
2052	2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
2052	2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
3660	2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
3660	2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
3660	2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
3660	2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
2544	2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
2544	2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
2544	2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
2544	2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
4972	2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
4972	2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
4972	2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
4972	2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
4796	2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
4796	2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
4796	2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
4796	2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
1348	2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
1348	2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
1348	2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
1348	2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
860	2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
860	2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
860	2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
860	2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
1484	2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
1484	2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
1484	2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
1484	2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3276	iYsEMcUM.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3276	iYsEMcUM.exe
3276	iYsEMcUM.exe
3276	iYsEMcUM.exe
3276	iYsEMcUM.exe
3276	iYsEMcUM.exe
3276	iYsEMcUM.exe
3276	iYsEMcUM.exe
3276	iYsEMcUM.exe
3276	iYsEMcUM.exe
3276	iYsEMcUM.exe
3276	iYsEMcUM.exe
3276	iYsEMcUM.exe
3276	iYsEMcUM.exe
3276	iYsEMcUM.exe
3276	iYsEMcUM.exe
3276	iYsEMcUM.exe
3276	iYsEMcUM.exe
3276	iYsEMcUM.exe
3276	iYsEMcUM.exe
3276	iYsEMcUM.exe
3276	iYsEMcUM.exe
3276	iYsEMcUM.exe
3276	iYsEMcUM.exe
3276	iYsEMcUM.exe
3276	iYsEMcUM.exe
3276	iYsEMcUM.exe
3276	iYsEMcUM.exe
3276	iYsEMcUM.exe
3276	iYsEMcUM.exe
3276	iYsEMcUM.exe
3276	iYsEMcUM.exe
3276	iYsEMcUM.exe
3276	iYsEMcUM.exe
3276	iYsEMcUM.exe
3276	iYsEMcUM.exe
3276	iYsEMcUM.exe
3276	iYsEMcUM.exe
3276	iYsEMcUM.exe
3276	iYsEMcUM.exe
3276	iYsEMcUM.exe
3276	iYsEMcUM.exe
3276	iYsEMcUM.exe
3276	iYsEMcUM.exe
3276	iYsEMcUM.exe
3276	iYsEMcUM.exe
3276	iYsEMcUM.exe
3276	iYsEMcUM.exe
3276	iYsEMcUM.exe
3276	iYsEMcUM.exe
3276	iYsEMcUM.exe
3276	iYsEMcUM.exe
3276	iYsEMcUM.exe
3276	iYsEMcUM.exe
3276	iYsEMcUM.exe
3276	iYsEMcUM.exe
3276	iYsEMcUM.exe
3276	iYsEMcUM.exe
3276	iYsEMcUM.exe
3276	iYsEMcUM.exe
3276	iYsEMcUM.exe
3276	iYsEMcUM.exe
3276	iYsEMcUM.exe
3276	iYsEMcUM.exe
3276	iYsEMcUM.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4588 wrote to memory of 3276	4588	2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe	86
PID 4588 wrote to memory of 3276	4588	2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe	86
PID 4588 wrote to memory of 3276	4588	2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe	86
PID 4588 wrote to memory of 2384	4588	2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe	87
PID 4588 wrote to memory of 2384	4588	2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe	87
PID 4588 wrote to memory of 2384	4588	2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe	87
PID 4588 wrote to memory of 2484	4588	2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe	88
PID 4588 wrote to memory of 2484	4588	2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe	88
PID 4588 wrote to memory of 2484	4588	2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe	88
PID 4588 wrote to memory of 4388	4588	2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe	90
PID 4588 wrote to memory of 4388	4588	2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe	90
PID 4588 wrote to memory of 4388	4588	2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe	90
PID 4588 wrote to memory of 1656	4588	2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe	91
PID 4588 wrote to memory of 1656	4588	2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe	91
PID 4588 wrote to memory of 1656	4588	2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe	91
PID 4588 wrote to memory of 4332	4588	2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe	92
PID 4588 wrote to memory of 4332	4588	2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe	92
PID 4588 wrote to memory of 4332	4588	2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe	92
PID 4588 wrote to memory of 4468	4588	2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe	93
PID 4588 wrote to memory of 4468	4588	2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe	93
PID 4588 wrote to memory of 4468	4588	2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe	93
PID 2484 wrote to memory of 5004	2484	cmd.exe	97
PID 2484 wrote to memory of 5004	2484	cmd.exe	97
PID 2484 wrote to memory of 5004	2484	cmd.exe	97
PID 4468 wrote to memory of 1460	4468	cmd.exe	99
PID 4468 wrote to memory of 1460	4468	cmd.exe	99
PID 4468 wrote to memory of 1460	4468	cmd.exe	99
PID 5004 wrote to memory of 3128	5004	2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe	100
PID 5004 wrote to memory of 3128	5004	2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe	100
PID 5004 wrote to memory of 3128	5004	2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe	100
PID 3128 wrote to memory of 5024	3128	cmd.exe	102
PID 3128 wrote to memory of 5024	3128	cmd.exe	102
PID 3128 wrote to memory of 5024	3128	cmd.exe	102
PID 5004 wrote to memory of 4496	5004	2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe	103
PID 5004 wrote to memory of 4496	5004	2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe	103
PID 5004 wrote to memory of 4496	5004	2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe	103
PID 5004 wrote to memory of 2556	5004	2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe	104
PID 5004 wrote to memory of 2556	5004	2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe	104
PID 5004 wrote to memory of 2556	5004	2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe	104
PID 5004 wrote to memory of 4672	5004	2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe	105
PID 5004 wrote to memory of 4672	5004	2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe	105
PID 5004 wrote to memory of 4672	5004	2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe	105
PID 5004 wrote to memory of 3932	5004	2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe	106
PID 5004 wrote to memory of 3932	5004	2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe	106
PID 5004 wrote to memory of 3932	5004	2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe	106
PID 3932 wrote to memory of 2524	3932	cmd.exe	111
PID 3932 wrote to memory of 2524	3932	cmd.exe	111
PID 3932 wrote to memory of 2524	3932	cmd.exe	111
PID 5024 wrote to memory of 4052	5024	2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe	112
PID 5024 wrote to memory of 4052	5024	2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe	112
PID 5024 wrote to memory of 4052	5024	2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe	112
PID 4052 wrote to memory of 2152	4052	cmd.exe	114
PID 4052 wrote to memory of 2152	4052	cmd.exe	114
PID 4052 wrote to memory of 2152	4052	cmd.exe	114
PID 5024 wrote to memory of 5072	5024	2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe	115
PID 5024 wrote to memory of 5072	5024	2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe	115
PID 5024 wrote to memory of 5072	5024	2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe	115
PID 5024 wrote to memory of 4020	5024	2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe	116
PID 5024 wrote to memory of 4020	5024	2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe	116
PID 5024 wrote to memory of 4020	5024	2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe	116
PID 5024 wrote to memory of 4804	5024	2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe	117
PID 5024 wrote to memory of 4804	5024	2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe	117
PID 5024 wrote to memory of 4804	5024	2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe	117
PID 5024 wrote to memory of 4376	5024	2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe	118

C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4588
- C:\Users\Admin\gWYwYEAU\iYsEMcUM.exe
  "C:\Users\Admin\gWYwYEAU\iYsEMcUM.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:3276
- C:\ProgramData\dCkwkUgY\cSkYcoAo.exe
  "C:\ProgramData\dCkwkUgY\cSkYcoAo.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2384
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2484
- - C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
    C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:5004
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3128
    - - C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:5024
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4052
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock"
        8⤵
        
        PID:3660
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock"
        10⤵
        
        PID:4660
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock"
        12⤵
        
        PID:2612
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock"
        14⤵
        
        PID:2992
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock"
        16⤵
        
        PID:448
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock"
        18⤵
        
        PID:612
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock
        19⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock"
        20⤵
        
        PID:4576
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock"
        22⤵
        
        PID:3828
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock"
        24⤵
        
        PID:2504
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock"
        26⤵
        
        PID:4300
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock"
        28⤵
        
        PID:3988
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock"
        30⤵
        
        PID:3468
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock
        31⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock"
        32⤵
        
        PID:4036
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock
        33⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock"
        34⤵
        System Location Discovery: System Language Discovery
        
        PID:4200
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock
        35⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock"
        36⤵
        
        PID:2340
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock
        37⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock"
        38⤵
        
        PID:4804
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock
        39⤵
        
        PID:940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock"
        40⤵
        System Location Discovery: System Language Discovery
        
        PID:2552
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock
        41⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock"
        42⤵
        
        PID:4344
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock
        43⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock"
        44⤵
        
        PID:408
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock
        45⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock"
        46⤵
        
        PID:888
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock
        47⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock"
        48⤵
        
        PID:4360
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock
        49⤵
        
        PID:220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock"
        50⤵
        
        PID:4200
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock
        51⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock"
        52⤵
        
        PID:4344
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock
        53⤵
        
        PID:3672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock"
        54⤵
        
        PID:1248
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock
        55⤵
        
        PID:3744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock"
        56⤵
        
        PID:4188
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock
        57⤵
        
        PID:1068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock"
        58⤵
        
        PID:4360
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock
        59⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock"
        60⤵
        
        PID:2148
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock
        61⤵
        
        PID:464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock"
        62⤵
        
        PID:2340
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock
        63⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock"
        64⤵
        
        PID:2416
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock
        65⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock"
        66⤵
        
        PID:2724
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock
        67⤵
        
        PID:4800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock"
        68⤵
        
        PID:456
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock
        69⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock"
        70⤵
        
        PID:5104
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock
        71⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock"
        72⤵
        
        PID:4732
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock
        73⤵
        
        PID:952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock"
        74⤵
        
        PID:2416
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock
        75⤵
        
        PID:860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock"
        76⤵
        
        PID:1744
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock
        77⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock"
        78⤵
        
        PID:5112
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock
        79⤵
        
        PID:3772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock"
        80⤵
        
        PID:2080
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock
        81⤵
        
        PID:3744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock"
        82⤵
        
        PID:1940
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock
        83⤵
        
        PID:3128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock"
        84⤵
        
        PID:5084
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock
        85⤵
        
        PID:800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock"
        86⤵
        
        PID:3248
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock
        87⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock"
        88⤵
        System Location Discovery: System Language Discovery
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock
        89⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock"
        90⤵
        
        PID:1520
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock
        91⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock"
        92⤵
        
        PID:1504
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock
        93⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock"
        94⤵
        
        PID:3468
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock
        95⤵
        
        PID:4020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock"
        96⤵
        
        PID:868
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock
        97⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock"
        98⤵
        
        PID:5112
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock
        99⤵
        
        PID:4124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock"
        100⤵
        
        PID:2724
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock
        101⤵
        
        PID:428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock"
        102⤵
        
        PID:3828
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock
        103⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock"
        104⤵
        
        PID:4200
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock
        105⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock"
        106⤵
        
        PID:920
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock
        107⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock"
        108⤵
        
        PID:1452
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock
        109⤵
        System Location Discovery: System Language Discovery
        
        PID:3556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock"
        110⤵
        
        PID:4520
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock
        111⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock"
        112⤵
        
        PID:552
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock
        113⤵
        System Location Discovery: System Language Discovery
        
        PID:1360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock"
        114⤵
        
        PID:1476
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock
        115⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock"
        116⤵
        
        PID:1284
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock
        117⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock"
        118⤵
        
        PID:1452
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock
        119⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock"
        120⤵
        
        PID:3148
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock
        121⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock"
        122⤵
        
        PID:2456
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock
        123⤵
        
        PID:4528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock"
        124⤵
        
        PID:2484
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock
        125⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock"
        126⤵
        
        PID:4376
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock
        127⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock"
        128⤵
        
        PID:996
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock
        129⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock"
        130⤵
        
        PID:4120
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock
        131⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock"
        132⤵
        
        PID:4296
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock
        133⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock"
        134⤵
        
        PID:3036
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock
        135⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock"
        136⤵
        
        PID:936
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock
        137⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock"
        138⤵
        
        PID:1700
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock
        139⤵
        
        PID:3876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock"
        140⤵
        
        PID:2488
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock
        141⤵
        System Location Discovery: System Language Discovery
        
        PID:4868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock"
        142⤵
        
        PID:2456
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock
        143⤵
        
        PID:552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock"
        144⤵
        
        PID:1416
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock
        145⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock"
        146⤵
        
        PID:1484
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock
        147⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock"
        148⤵
        
        PID:2228
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock
        149⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock"
        150⤵
        
        PID:1984
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock
        151⤵
        
        PID:4876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock"
        152⤵
        
        PID:3532
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock
        153⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock"
        154⤵
        
        PID:4324
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock
        155⤵
        
        PID:440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock"
        156⤵
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock
        157⤵
        System Location Discovery: System Language Discovery
        
        PID:1392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock"
        158⤵
        System Location Discovery: System Language Discovery
        
        PID:4868
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock
        159⤵
        
        PID:692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock"
        160⤵
        
        PID:2324
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock
        161⤵
        
        PID:3144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock"
        162⤵
        
        PID:2272
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock
        163⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock"
        164⤵
        
        PID:2512
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock
        165⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock"
        166⤵
        
        PID:4856
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock
        167⤵
        
        PID:3452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock"
        168⤵
        
        PID:4320
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock
        169⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock"
        170⤵
        
        PID:4536
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock
        171⤵
        
        PID:4036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock"
        172⤵
        
        PID:1732
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock
        173⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock"
        174⤵
        
        PID:920
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock
        175⤵
        
        PID:1392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock"
        176⤵
        
        PID:5044
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock
        177⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock"
        178⤵
        System Location Discovery: System Language Discovery
        
        PID:5088
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock
        179⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock"
        180⤵
        
        PID:4708
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock
        181⤵
        
        PID:552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock"
        182⤵
        
        PID:1700
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock
        183⤵
        
        PID:428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock"
        184⤵
        
        PID:2944
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock
        185⤵
        System Location Discovery: System Language Discovery
        
        PID:2828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock"
        186⤵
        
        PID:1928
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock
        187⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock"
        188⤵
        
        PID:3584
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock
        189⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock"
        190⤵
        
        PID:5024
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock
        191⤵
        
        PID:1248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock"
        192⤵
        
        PID:4220
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock
        193⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock"
        194⤵
        
        PID:428
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock
        195⤵
        System Location Discovery: System Language Discovery
        
        PID:3556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock"
        196⤵
        
        PID:4260
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock
        197⤵
        
        PID:552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock"
        198⤵
        
        PID:2008
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock
        199⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock"
        200⤵
        
        PID:2900
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock
        201⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock"
        202⤵
        
        PID:2172
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock
        203⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock"
        204⤵
        
        PID:2636
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock
        205⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock"
        206⤵
        
        PID:860
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock
        207⤵
        
        PID:3732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock"
        208⤵
        
        PID:5012
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock
        209⤵
        
        PID:380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock"
        210⤵
        
        PID:4920
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock
        211⤵
        
        PID:4860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock"
        212⤵
        
        PID:4520
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock
        213⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock"
        214⤵
        
        PID:1460
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock
        215⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock"
        216⤵
        
        PID:3420
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock
        217⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock"
        218⤵
        
        PID:5008
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock
        219⤵
        
        PID:3532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock"
        220⤵
        
        PID:5096
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock
        221⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock"
        222⤵
        
        PID:4040
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock
        223⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock"
        224⤵
        
        PID:3604
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock
        225⤵
        
        PID:1396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock"
        226⤵
        
        PID:536
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock
        227⤵
        
        PID:3744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock"
        228⤵
        
        PID:4072
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock
        229⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock"
        230⤵
        System Location Discovery: System Language Discovery
        
        PID:4244
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock
        231⤵
        
        PID:4164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock"
        232⤵
        
        PID:3744
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock
        233⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock"
        234⤵
        
        PID:5004
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock
        235⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock"
        236⤵
        
        PID:3720
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock
        237⤵
        
        PID:3828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock"
        238⤵
        
        PID:3032
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock
        239⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock"
        240⤵
        
        PID:2704
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        241⤵
        
        PID:3744
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock
        241⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock"
        242⤵
        
        PID:1660
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        243⤵
        
        PID:2940
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock
        243⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock"
        244⤵
        System Location Discovery: System Language Discovery
        
        PID:4332
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock
        245⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock"
        246⤵
        
        PID:4304
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock
        247⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock"
        248⤵
        
        PID:532
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock
        249⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock"
        250⤵
        
        PID:4996
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock
        251⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock"
        252⤵
        
        PID:3532
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock
        253⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock"
        254⤵
        
        PID:2776
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock
        255⤵
        System Location Discovery: System Language Discovery
        
        PID:1580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock"
        256⤵
        
        PID:4216
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock
        257⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock"
        258⤵
        
        PID:4312
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock
        259⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock"
        260⤵
        
        PID:1228
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock
        261⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock"
        262⤵
        
        PID:5084
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        263⤵
        
        PID:4856
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock
        263⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock"
        264⤵
        
        PID:5112
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock
        265⤵
        
        PID:4528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock"
        266⤵
        
        PID:2704
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock
        267⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock"
        268⤵
        
        PID:532
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock
        269⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock"
        270⤵
        
        PID:716
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock
        271⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock"
        272⤵
        
        PID:2484
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        273⤵
        
        PID:2788
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock
        273⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock"
        274⤵
        
        PID:1484
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock
        275⤵
        
        PID:4552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock"
        276⤵
        
        PID:3244
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock
        277⤵
        
        PID:860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock"
        278⤵
        
        PID:2712
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock
        279⤵
        System Location Discovery: System Language Discovery
        
        PID:4976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock"
        280⤵
        
        PID:4192
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        281⤵
        
        PID:4048
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock
        281⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock"
        282⤵
        
        PID:3468
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        283⤵
        
        PID:4304
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock
        283⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        282⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        282⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        280⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1580
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        281⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        280⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        280⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dWwcUwUc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe""
        280⤵
        
        PID:4020
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        281⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        278⤵
        
        PID:4164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        278⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        278⤵
        UAC bypass
        Modifies registry key
        
        PID:1080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tMgAYgYM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe""
        278⤵
        
        PID:1972
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        279⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        279⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        276⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        276⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        276⤵
        UAC bypass
        
        PID:4036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RSgMgwUw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe""
        276⤵
        
        PID:692
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        277⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        277⤵
        
        PID:3308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        274⤵
        
        PID:4272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        274⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        274⤵
        UAC bypass
        
        PID:1408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RGwMUUYY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe""
        274⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        275⤵
        
        PID:412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        272⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        272⤵
        
        PID:4856
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        273⤵
        
        PID:1192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        272⤵
        UAC bypass
        
        PID:4688
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        273⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gMIsMUcE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe""
        272⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        273⤵
        
        PID:4876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        270⤵
        System Location Discovery: System Language Discovery
        
        PID:4124
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        271⤵
        
        PID:3516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        270⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        270⤵
        UAC bypass
        
        PID:1452
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        271⤵
        
        PID:3452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OEUogEIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe""
        270⤵
        
        PID:800
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        271⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        271⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        268⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:4140
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        269⤵
        
        PID:3264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        268⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        268⤵
        UAC bypass
        
        PID:4444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wuUscssI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe""
        268⤵
        
        PID:3584
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        269⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        269⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        266⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        266⤵
        
        PID:4272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        266⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TCMYAkUQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe""
        266⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        267⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        264⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4416
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        265⤵
        
        PID:428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        264⤵
        
        PID:448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        264⤵
        UAC bypass
        Modifies registry key
        
        PID:552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hwgoQMAc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe""
        264⤵
        
        PID:936
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        265⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        265⤵
        
        PID:3812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        262⤵
        
        PID:800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        262⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        262⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bMEggAYQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe""
        262⤵
        
        PID:3672
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        263⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        260⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        260⤵
        
        PID:4452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        260⤵
        UAC bypass
        
        PID:3264
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        261⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YoMwQIAA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe""
        260⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        261⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        258⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        258⤵
        Modifies registry key
        
        PID:3420
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        259⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        258⤵
        
        PID:652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OyQEIMUQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe""
        258⤵
        
        PID:1360
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        259⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        256⤵
        Modifies visibility of file extensions in Explorer
        
        PID:552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        256⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        256⤵
        UAC bypass
        
        PID:428
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        257⤵
        
        PID:516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ymAMkMoI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe""
        256⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        257⤵
        
        PID:1192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        254⤵
        
        PID:2020
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        255⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        254⤵
        
        PID:2788
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        255⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        254⤵
        
        PID:3452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qesMEMgI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe""
        254⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        255⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        252⤵
        Modifies registry key
        
        PID:2324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        252⤵
        Modifies registry key
        
        PID:3936
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        253⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        252⤵
        UAC bypass
        
        PID:4588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XisggIAk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe""
        252⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        253⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        250⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        250⤵
        
        PID:4484
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        251⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        250⤵
        UAC bypass
        
        PID:2108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hskMgEcM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe""
        250⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        251⤵
        System Location Discovery: System Language Discovery
        
        PID:2624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        248⤵
        Modifies registry key
        
        PID:4528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        248⤵
        Modifies registry key
        
        PID:4692
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        249⤵
        
        PID:3148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        248⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RAIEcwQw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe""
        248⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        249⤵
        
        PID:548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        246⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        246⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        246⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vWsAQIIs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe""
        246⤵
        
        PID:464
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        247⤵
        
        PID:3516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        244⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        244⤵
        
        PID:3264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        244⤵
        
        PID:1228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AEUkUYQU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe""
        244⤵
        
        PID:3792
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        245⤵
        System Location Discovery: System Language Discovery
        
        PID:1448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        242⤵
        
        PID:4384
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        243⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        242⤵
        System Location Discovery: System Language Discovery
        
        PID:4500
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        243⤵
        
        PID:536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        242⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:3660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aEgowAUY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe""
        242⤵
        
        PID:940
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        243⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        240⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        240⤵
        Modifies registry key
        
        PID:1028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        240⤵
        UAC bypass
        
        PID:936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GsskMMYs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe""
        240⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        241⤵
        
        PID:456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        238⤵
        
        PID:552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        238⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        238⤵
        
        PID:860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RgAIAcAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe""
        238⤵
        System Location Discovery: System Language Discovery
        
        PID:1288
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        239⤵
        
        PID:464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        236⤵
        
        PID:2512
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        237⤵
        
        PID:3292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        236⤵
        Modifies registry key
        
        PID:5052
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        237⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        236⤵
        UAC bypass
        
        PID:4332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rmkUUsoA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe""
        236⤵
        
        PID:4760
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        237⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        237⤵
        System Location Discovery: System Language Discovery
        
        PID:224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        234⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        234⤵
        System Location Discovery: System Language Discovery
        
        PID:1772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        234⤵
        Modifies registry key
        
        PID:4820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zgsYoIUI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe""
        234⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        235⤵
        
        PID:516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        232⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        232⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        232⤵
        
        PID:1392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UWkEokso.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe""
        232⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        233⤵
        
        PID:3148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        230⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        230⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        230⤵
        
        PID:4124
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        231⤵
        
        PID:1396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\waAQUkMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe""
        230⤵
        System Location Discovery: System Language Discovery
        
        PID:5100
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        231⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        228⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        228⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        228⤵
        UAC bypass
        
        PID:1288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uKwEsAQw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe""
        228⤵
        
        PID:748
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        229⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        226⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        226⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        226⤵
        UAC bypass
        
        PID:4392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\joQEEQkM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe""
        226⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        227⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        224⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        224⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        224⤵
        
        PID:64
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAYcQwAo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe""
        224⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        225⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        222⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        222⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        222⤵
        UAC bypass
        
        PID:5088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LEcAcoQs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe""
        222⤵
        
        PID:1288
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        223⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        220⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        220⤵
        Modifies registry key
        
        PID:4972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        220⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XaYQgYgA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe""
        220⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        221⤵
        
        PID:4124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        218⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        218⤵
        
        PID:64
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        218⤵
        
        PID:3828
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        219⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qcwIssUo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe""
        218⤵
        
        PID:1088
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        219⤵
        
        PID:1452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        216⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        216⤵
        Modifies registry key
        
        PID:4040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        216⤵
        UAC bypass
        Modifies registry key
        
        PID:3704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wqksEgMs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe""
        216⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        217⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        214⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        214⤵
        
        PID:1332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        214⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ccwwAsQM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe""
        214⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        215⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        212⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        212⤵
        
        PID:3556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        212⤵
        Modifies registry key
        
        PID:4376
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        213⤵
        
        PID:3752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nkIUYYMM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe""
        212⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        213⤵
        
        PID:1080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        210⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        210⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        210⤵
        UAC bypass
        
        PID:4300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lMQskosY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe""
        210⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        211⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        208⤵
        Modifies registry key
        
        PID:4336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        208⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        208⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jAsMkMwE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe""
        208⤵
        
        PID:536
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        209⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        206⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        206⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        206⤵
        
        PID:3516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AwYckQog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe""
        206⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        207⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        204⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        204⤵
        
        PID:4216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        204⤵
        Modifies registry key
        
        PID:5088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QMQksoYY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe""
        204⤵
        
        PID:3752
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        205⤵
        
        PID:220
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        205⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        202⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        202⤵
        
        PID:756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        202⤵
        Modifies registry key
        
        PID:380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iOAskYEQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe""
        202⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        203⤵
        System Location Discovery: System Language Discovery
        
        PID:4124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        200⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        200⤵
        
        PID:3756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        200⤵
        Modifies registry key
        
        PID:4692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MsgEYQks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe""
        200⤵
        
        PID:3824
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        201⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        198⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        198⤵
        
        PID:1744
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        199⤵
        
        PID:412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        198⤵
        UAC bypass
        
        PID:2996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NMoYokMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe""
        198⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        199⤵
        
        PID:220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        196⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        196⤵
        
        PID:4020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        196⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nqAoEMwg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe""
        196⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        197⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        194⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        194⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        194⤵
        
        PID:4192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\togUsUQY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe""
        194⤵
        
        PID:3308
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        195⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        192⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        192⤵
        Modifies registry key
        
        PID:4348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        192⤵
        
        PID:412
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        193⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kOgYYksI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe""
        192⤵
        
        PID:1296
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        193⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        190⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        190⤵
        Modifies registry key
        
        PID:4660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        190⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\agAsAYwE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe""
        190⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        191⤵
        
        PID:4188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        188⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        188⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        188⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sMUMoEcM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe""
        188⤵
        System Location Discovery: System Language Discovery
        
        PID:3068
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        189⤵
        
        PID:3168
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        186⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        186⤵
        System Location Discovery: System Language Discovery
        
        PID:2456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        186⤵
        Modifies registry key
        
        PID:796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xecsQMUU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe""
        186⤵
        
        PID:868
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        187⤵
        
        PID:3828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        184⤵
        
        PID:3248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        184⤵
        
        PID:1192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        184⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BGYIoswU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe""
        184⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        185⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        182⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        182⤵
        Modifies registry key
        
        PID:4992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        182⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DAcQQkcw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe""
        182⤵
        
        PID:4876
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        183⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        180⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        180⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        180⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FKMswEEU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe""
        180⤵
        
        PID:3876
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        181⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        178⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:2856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        178⤵
        System Location Discovery: System Language Discovery
        
        PID:4920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        178⤵
        UAC bypass
        
        PID:4076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\emAgMAAU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe""
        178⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        179⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        176⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        176⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        176⤵
        UAC bypass
        
        PID:4300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iOIEMMYQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe""
        176⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        177⤵
        
        PID:4020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        174⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        174⤵
        Modifies registry key
        
        PID:552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        174⤵
        UAC bypass
        
        PID:4584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WqAgYkIE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe""
        174⤵
        
        PID:1016
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        175⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        172⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        172⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        172⤵
        UAC bypass
        
        PID:4752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iYsQEkAI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe""
        172⤵
        
        PID:64
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        173⤵
        
        PID:3248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        170⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        170⤵
        
        PID:3924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        170⤵
        System Location Discovery: System Language Discovery
        
        PID:2324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bUYUMgwo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe""
        170⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        171⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        168⤵
        Modifies registry key
        
        PID:4556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        168⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        168⤵
        System Location Discovery: System Language Discovery
        
        PID:4868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rkAUYgwA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe""
        168⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        169⤵
        
        PID:3420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        166⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        166⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        166⤵
        
        PID:3772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dkwckscQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe""
        166⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        167⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        164⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        164⤵
        System Location Discovery: System Language Discovery
        
        PID:2708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        164⤵
        UAC bypass
        
        PID:3732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WYsoQUYs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe""
        164⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        165⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        162⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        162⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        162⤵
        
        PID:380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YUkokUAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe""
        162⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        163⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        160⤵
        
        PID:808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        160⤵
        Modifies registry key
        
        PID:3592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        160⤵
        
        PID:428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CGkAkEwA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe""
        160⤵
        
        PID:3420
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        161⤵
        
        PID:876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        158⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        158⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        158⤵
        Modifies registry key
        
        PID:2780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoEcMsAU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe""
        158⤵
        
        PID:3308
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        159⤵
        
        PID:4492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        156⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        156⤵
        Modifies registry key
        
        PID:4184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        156⤵
        System Location Discovery: System Language Discovery
        
        PID:4392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XUUEIwwY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe""
        156⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        157⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        154⤵
        
        PID:1132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        154⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        154⤵
        UAC bypass
        
        PID:1036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BSIAgwkw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe""
        154⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        155⤵
        
        PID:4452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        152⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        152⤵
        
        PID:4192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        152⤵
        UAC bypass
        
        PID:2636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GWUsQYsM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe""
        152⤵
        
        PID:3320
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        153⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        150⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        150⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        150⤵
        UAC bypass
        
        PID:3132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mEwkkwcI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe""
        150⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        151⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        148⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        148⤵
        
        PID:220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        148⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:3556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UmsgwQEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe""
        148⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        149⤵
        
        PID:920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        146⤵
        
        PID:3744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        146⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        146⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\myYEUQwI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe""
        146⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        147⤵
        System Location Discovery: System Language Discovery
        
        PID:4920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        144⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        144⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        144⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TcoUIEYw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe""
        144⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        145⤵
        
        PID:1396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        142⤵
        Modifies registry key
        
        PID:3756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        142⤵
        
        PID:4216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        142⤵
        
        PID:456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NOcccAQY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe""
        142⤵
        
        PID:748
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        143⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        140⤵
        
        PID:716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        140⤵
        Modifies registry key
        
        PID:64
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        140⤵
        UAC bypass
        
        PID:4040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XCEQkUUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe""
        140⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        141⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        138⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        138⤵
        Modifies registry key
        
        PID:4976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        138⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qEoQkogE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe""
        138⤵
        
        PID:3292
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        139⤵
        
        PID:448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        136⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        136⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        136⤵
        
        PID:4552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WIUUkAQw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe""
        136⤵
        
        PID:1396
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        137⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        134⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        134⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        134⤵
        
        PID:1036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SKcwoksU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe""
        134⤵
        
        PID:4188
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        135⤵
        
        PID:628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        132⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        132⤵
        
        PID:808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        132⤵
        UAC bypass
        
        PID:2028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iWMYQQYI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe""
        132⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        133⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        
        PID:3292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JwgkMwMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe""
        130⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        131⤵
        
        PID:428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        
        PID:4552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        UAC bypass
        
        PID:3428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VoUgYYoI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe""
        128⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        129⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        
        PID:920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        
        PID:4216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NwkcIwQU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe""
        126⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:3752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        
        PID:1080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        
        PID:3584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cakoAscE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe""
        124⤵
        
        PID:64
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        
        PID:4124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        UAC bypass
        
        PID:5064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IWYwMokE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe""
        122⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cOIEoYgo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe""
        120⤵
        
        PID:3824
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        
        PID:968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        UAC bypass
        
        PID:1636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NIIkgUsI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe""
        118⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        System Location Discovery: System Language Discovery
        
        PID:4856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        System Location Discovery: System Language Discovery
        
        PID:2508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        
        PID:876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DeEMUoAg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe""
        116⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        
        PID:224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        System Location Discovery: System Language Discovery
        
        PID:4800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        UAC bypass
        
        PID:4072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HwcQAEAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe""
        114⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:3224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        
        PID:456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\feIkYsww.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe""
        112⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:2724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        UAC bypass
        
        PID:1132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oyUMMcMI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe""
        110⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        
        PID:1228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        
        PID:3292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YyUUIkAc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe""
        108⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:3584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        UAC bypass
        
        PID:5076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WCMwcUAo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe""
        106⤵
        
        PID:3692
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        
        PID:4152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qUwYgsgc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe""
        104⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        
        PID:4452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        
        PID:968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JcEEEYQk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe""
        102⤵
        
        PID:3772
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        UAC bypass
        
        PID:2488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dOMoAcQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe""
        100⤵
        
        PID:1192
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        
        PID:4788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pQYssowY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe""
        98⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        
        PID:3744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        
        PID:1396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        UAC bypass
        
        PID:2552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OasscAcY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe""
        96⤵
        System Location Discovery: System Language Discovery
        
        PID:224
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        
        PID:3584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        
        PID:628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        UAC bypass
        
        PID:2276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UwIkcAMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe""
        94⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        
        PID:4492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        Modifies registry key
        
        PID:1588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AqQIscUI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe""
        92⤵
        System Location Discovery: System Language Discovery
        
        PID:3148
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:1452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        UAC bypass
        
        PID:2208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MCEkcMQo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe""
        90⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        
        PID:224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:4856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rEMMgYYg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe""
        88⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        System Location Discovery: System Language Discovery
        
        PID:2416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        Modifies registry key
        
        PID:220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:3420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        UAC bypass
        
        PID:1404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HgQcUkAU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe""
        86⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        Modifies registry key
        
        PID:2620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        
        PID:4492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xoAggMEI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe""
        84⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        UAC bypass
        
        PID:2152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eCMkQQcw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe""
        82⤵
        System Location Discovery: System Language Discovery
        
        PID:3944
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        UAC bypass
        
        PID:452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wggsQkkA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe""
        80⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:3876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        
        PID:3248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        UAC bypass
        
        PID:1656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yaAYcwIY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe""
        78⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:3496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:5084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wUMsYwEw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe""
        76⤵
        
        PID:3148
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        
        PID:3552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NMYAMYcU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe""
        74⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:3824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        UAC bypass
        Modifies registry key
        
        PID:3516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NCkAsgYI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe""
        72⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RqYIwwoM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe""
        70⤵
        
        PID:4216
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:3496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        
        PID:3672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vuIgEMgs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe""
        68⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        
        PID:564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        UAC bypass
        
        PID:3116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kggkMwUY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe""
        66⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        Modifies visibility of file extensions in Explorer
        
        PID:452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        
        PID:4184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        UAC bypass
        Modifies registry key
        
        PID:3124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KaIYcEck.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe""
        64⤵
        
        PID:3572
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:5100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:4868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        UAC bypass
        
        PID:1816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cuoIsQAE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe""
        62⤵
        
        PID:4036
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:1132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        UAC bypass
        Modifies registry key
        
        PID:748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QIcUAUMA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe""
        60⤵
        System Location Discovery: System Language Discovery
        
        PID:4352
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        Modifies registry key
        
        PID:2456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        Modifies registry key
        
        PID:564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        UAC bypass
        Modifies registry key
        
        PID:3464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pIEEokQk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe""
        58⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        UAC bypass
        
        PID:3572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bqAIccgg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe""
        56⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:3244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        UAC bypass
        
        PID:4020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\diAccIQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe""
        54⤵
        
        PID:968
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        Modifies registry key
        
        PID:3772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LYMkskMM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe""
        52⤵
        
        PID:3824
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        
        PID:536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        Modifies registry key
        
        PID:4452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        Modifies registry key
        
        PID:4048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wsgggQMA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe""
        50⤵
        
        PID:1292
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        
        PID:1192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        Modifies registry key
        
        PID:1912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        System Location Discovery: System Language Discovery
        
        PID:4476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OiUkUwYY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe""
        48⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:4876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        
        PID:1284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        System Location Discovery: System Language Discovery
        
        PID:3124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\myEUcoMc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe""
        46⤵
        
        PID:724
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        UAC bypass
        Modifies registry key
        
        PID:1408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\figAQIEo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe""
        44⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:5064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pcwYgkso.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe""
        42⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        System Location Discovery: System Language Discovery
        
        PID:4288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        UAC bypass
        
        PID:3496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VOogEoMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe""
        40⤵
        
        PID:1152
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:4188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        UAC bypass
        
        PID:4876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DYkIcUkI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe""
        38⤵
        
        PID:440
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        Modifies registry key
        
        PID:2708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        Modifies registry key
        
        PID:4332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CKgIwoMs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe""
        36⤵
        
        PID:968
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        
        PID:1460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        System Location Discovery: System Language Discovery
        
        PID:4640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YoYQQgYo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe""
        34⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        Modifies registry key
        
        PID:4448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        Modifies registry key
        
        PID:3588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CQoMUEEg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe""
        32⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:1152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies registry key
        
        PID:4520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        
        PID:3120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xcwUookU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe""
        30⤵
        
        PID:936
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:4876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        Modifies registry key
        
        PID:3532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vKQgcMMo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe""
        28⤵
        
        PID:3552
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:4152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        
        PID:4324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DIwoEoII.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe""
        26⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        UAC bypass
        
        PID:3056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BSAYsEsY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe""
        24⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:4020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IecUAcoI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe""
        22⤵
        
        PID:4672
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:4496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SUkQEkks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe""
        20⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies registry key
        
        PID:3924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        UAC bypass
        
        PID:1656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uwYwgwQY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe""
        18⤵
        
        PID:3248
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:2636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\giMwAEQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe""
        16⤵
        
        PID:716
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:4200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pWYYgEEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe""
        14⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        UAC bypass
        
        PID:860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vOMscccc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe""
        12⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JMMIQQQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe""
        10⤵
        
        PID:1332
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:3496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dOMggYwQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe""
        8⤵
        
        PID:1068
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4200
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        
        PID:5072
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:4020
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4804
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\emEMgowY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe""
        6⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:428
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:4496
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:2556
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      PID:4672
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cMwMcskY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3932
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:2524
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:4388
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1656
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:4332
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WWsMUUoA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4468
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:1460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe

Filesize
236KB

MD5
97865276996611f67729a4a81b899651

SHA1
58960345e5b259703e6ce890c566b1f2ec5c18bc

SHA256
0c71a73bb8c80328eb8fb561da7c844b61d549a399b2eb7d5bb8edee8ff8018e

SHA512
9aa961b701cebcb71ffeb05c05f44dba67f0f86118318654f5e2f031153d93652cdc65f733749e3961dc1615cd7827b5409bec6fb267dc46b8a3a509f31d42a3

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\user.bmp.exe

Filesize
771KB

MD5
fcd2edd16ef7b658fcc7aa314f81971d

SHA1
06da0509a2493936d7d63264c081166249abfd82

SHA256
d58d7a7d7cc2300a67346a99f4efffe62411a12cf9dfdb6272e399cef9fdc04d

SHA512
3ab3f57bad456968e337378163aa64b7bd4f8a4e68dbd4e5d28725bd20ef55fbed2b1b39005750ccac615ae1519b8306398f7cc952107921756ff5bf42d61b98

Download Submit
C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe

Filesize
653KB

MD5
ba7fbe550fc9e96fe0a905c794bffd5c

SHA1
6d87f0dd19f03c88a00accb887a34ad8a32eb177

SHA256
a5006b20aa4ccd7a74a8b74acff9cc267d32ad9040e3674f977aacf9f28a4f24

SHA512
0328403724638be666bd1200a58b6e840158449915d69d3bb74218dc418a8f987e9332888b9dad67b7a1970df2a4ed4e37fa994c4dd1b64554c70f216af27ee5

Download Submit
C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

Filesize
810KB

MD5
5a0a67d3e77b85305caf9655bf8e6b15

SHA1
600d3fdaf7bcafd62f0b5c439cc4d18b88b450e6

SHA256
6d972be49a33a71b5822ba44b61112c567a152473d76847a717ed39f16a5f310

SHA512
481938a2fa60791ed15d01f6ec7be18573d3e0ee275fb5ad603ab171496dea4b608a220404f047a950a809be16a6ac5f79272c986fda87df039a2126ee69562e

Download Submit
C:\ProgramData\dCkwkUgY\cSkYcoAo.exe

Filesize
188KB

MD5
c3d1ecd50f30e59de75ff56494563dae

SHA1
3d89dbd1f55fd8f9b857611f2fc16b740b4f33ee

SHA256
5983996947a57fccc04c76d82266586751ab0d2bdafbfdddfbec273923b400d0

SHA512
26f2021341e9b2197535273c4ce376686a5c4b0731578fda04d94ae0e573ad8e51819777975d0471e0d2d3584b9ad4c0edd9547e6a364ec00beb73dc8d0b21d5

Download Submit
C:\ProgramData\dCkwkUgY\cSkYcoAo.inf

Filesize
4B

MD5
be785a40aecac8ea861eb461c6673562

SHA1
9a62984ee58988ff3f9b3e7ee3303a73944843d7

SHA256
c0630c4ccb7bbaa5c491901749bfbaded6d3732b3b231053449608d57f7f8384

SHA512
52e2ff3d36ff160a7223130b8345f640b46094785d914ce07cac65e5ca3d485b090519bca693345bfe34061e1b942baa684d3213c113bfafa8d07a702eefc431

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\256.png.exe

Filesize
214KB

MD5
e4f689f23ed81502f8862ce49b43c4a2

SHA1
f8e3b11238a62393482eda23efc7191081bd2043

SHA256
26590d35633ecae625365b9c58b1fba5cbeaa5ab450efb28d525c54aa8a7f16c

SHA512
3f8f598977055016ce2ad9c49aa785509ebf1f97ebd6bb7a373721eac8a8b5566bb2f2e9b408e1ec42382c48aeb4d910b0fa9ce9eb64c2c5f67e9cd45e604eec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\96.png.exe

Filesize
191KB

MD5
959667b9cbf40abac79d673f6c44182b

SHA1
a494ccd4a1968e2bbd8d859484cdc89143f644b1

SHA256
3aa631fc237ae20bed8d29658b540f2f4df15eb9457f08891c078007bf7a7bf1

SHA512
64bb25e2a07aee9565466c2263ab056ebd99b39e928377dd918e72fe23dfb5ca2c2a9c91de9972d4a4905e58a35847f8df1dbeda5866ec27703da77957288dab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppBlue.png.exe

Filesize
194KB

MD5
7023b7d5a8fb19811b24f13015f311c4

SHA1
78c3c169d15c028b9f7efd17f823c8ca60ea453c

SHA256
66d0054a0c3fd87112a3119a6415aedc223fc4bf4ea90182f8e9be2e97c6688d

SHA512
8bbb921785b5b50ac050e793bae42d5a963c8d3636e3b341e41a2b77ed3dba02d24e5b19e3849c565b1c63805c0abbe2656d0e8f73a172a4e8b0e18a25b1f024

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppErrorBlue.png.exe

Filesize
203KB

MD5
de1ad29c9c75e5d85e8d2f52e8ef65d4

SHA1
74613aaf7f4302a5bd46916c2d77ed774d9f1493

SHA256
eb43f20b7d51d6cdd51e2101666b76ccf6668954aaf01d1bc0031ab6a80d845e

SHA512
ec85d2e8a80485bbee1013ddb50145c02ffa8c0b8c2f726af726ffe447e8b421bf83f159ccc07294dad7844f7f7aab786aa4a64e93fa1f5a8656052582ccd8a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\Warning.png.exe

Filesize
206KB

MD5
40df361caf024bd5917bb906494f3f18

SHA1
bb8db7fe642e9e00f65a3030c7545faadc5f3dd7

SHA256
deadaca3cb22f36de9365e79e8986bab5a7e53e52b5a7862d6a0ca807f2b2057

SHA512
05428ea3a938fcefc895faf05b33ba8d32e2c8aaf42145c12ac7b2bf763f6d101b3dce5c14b1a1e19b585230d63099e9d3ae718641e8a2d2678c6bc6e4207314

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-400.png.exe

Filesize
185KB

MD5
a8e9a7ec305fad4881532d0b86a728fa

SHA1
4165f24197f4b1431e605854454628832c846b13

SHA256
017d0cd33707b6415c1cbc1bc768465bf89a5cd3299bebac85803798977628b3

SHA512
ec1221b6c61df38965aa4d7df02039d947c6bcb799f4914c0a42f51f341e08ff2de9b38ed96ef46b79385442b380dab8574367f01893f33f634484e7be7a53a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-09-13_bb58b8f9026bd66985f7ea212561022a_virlock

Filesize
4KB

MD5
ad2cc785963deb97306ebb612cb98b32

SHA1
5e8c674c83ff3f4797fc340929a15257d197d16b

SHA256
6f22bc1880ce64b725c378d9069b72a2eb8b59c1785f94d755803c43898a0e95

SHA512
4e207cbdb56fe733b9c8f7efcd246e295665b2d6cc8dffbfb49cd7bbdb62004bdbd8683c42b5fe5bdb68fd0b9b22c328b91df3d363167e00d960dfd2b12555c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\AAsI.exe

Filesize
205KB

MD5
85cba3ffe2aebe7a91f0e068bea55615

SHA1
0fdd1f9570191e6c812517e523f2b29d3fb9cda2

SHA256
d72d9c49b0f02c8a5be446d72f04217ba93cef5566336adef26580ad7cc61a05

SHA512
772f27dff7f85c43c38cb1aae7ee0a46977276f318375ad09ae33d8408d1409375aaaa0f970cc611faba9c889996f00de292293d1c4c0297acc7544be05e428f

Download Submit
C:\Users\Admin\AppData\Local\Temp\AIIe.exe

Filesize
197KB

MD5
fe84609baf333ed90f46b0a661d5e067

SHA1
53ec3aef14d043f3c32052f862b44085cefeefe2

SHA256
b03b945723613bd24f0ad4ddd83468f0f442ca19f05c9862666c1999fa3fec3c

SHA512
1dbecec53b4366b2c578c770041a8ed83b914e828b5bcb9ecb489659bc2faff35ed372eb570300a71aacd29ce86640fe864e2845de22b262e1b7d9ed9c4a7cf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\AkMk.exe

Filesize
348KB

MD5
57a5d0900049cf8cd69ad0ddaa5d3bb8

SHA1
19283124c130d8cfefb769501014c2e1648c9fad

SHA256
7b4409bb895052c322837a0ccc896913ae9e5dad6a45fc77ea4851c66fd96727

SHA512
cf889691580965a9f3640514d4fde6983a95821de03e147ff2b9b9c5a569c19c5e21222d1a0bf497a5894a829cd14ce20a1cf595cfc372fd91cf7e8a5318f5e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\CIgQ.exe

Filesize
595KB

MD5
17c9830271fef54aaa190d85d4ba1eec

SHA1
29b8ce7cd50528391bf052e0624d1f359b6f313f

SHA256
18e2693cf160e9fcd3397f9843a0c7e035f43d1dff4437278e195ba4807a5d75

SHA512
a63b111cb60b853f0509161a901ca7d490c101731410d59caf32b28ca6b37f902a020437c9f84b5ce6dc0c76175a70e1706ebed91f461c8206fd4fea8029cece

Download Submit
C:\Users\Admin\AppData\Local\Temp\CMAG.exe

Filesize
204KB

MD5
b24984cfda763bf791fa81dae8ade249

SHA1
c95325b54d8767a41a82daba64bcee3c91b9df66

SHA256
58be039d0ee222387cd51c093a54f29de3160310c815b1999e65576ad10f0641

SHA512
b67ad467a41e0450df64b14c8f67675fe290a801a607b07cde2903debc62ff4e9e97d0987461958f483c1d0e69514dc9a51b3f68719643e135c601a1e7b92abe

Download Submit
C:\Users\Admin\AppData\Local\Temp\CUEe.exe

Filesize
220KB

MD5
becbde50c6d49006993a1f8addfa1168

SHA1
6d5cb292ee13f8fce88fa92b9ecfebecab1e303c

SHA256
951fd26f82fa0d1dfc7757f21cabfb15c920fcaf878ea4b7206bdff0a5eec250

SHA512
48eb6b00cf526b2d3b56de1651051460f4e21d402754bb545d1f073401fb9548221dc27a3f6c2078343e368a13e417830fe70d55f50374f8a8300280af3383c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\CYsa.exe

Filesize
818KB

MD5
d56e738b97d17b21a950ea5398d4acde

SHA1
dd89a4b48945c8878b12c18a785ee82b20392663

SHA256
9f16f9935dcd00ccac0b6fa66adadadc9f27722f77741044577d0f7c02b16c9a

SHA512
24f03206cc7d978ff72c9d122a67fb181449ba61fd0d30ebe0a7bf78806cbfa9394a7db45f5148a1302e42cfc2459aa5b090bbd6e84d44bdcb68eeab7916c2a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\CkYA.exe

Filesize
634KB

MD5
07dfebe57be8440899f7d4cc6b74637d

SHA1
cfa38351f2216c8b4c8bd8d894b18e7a4367d497

SHA256
8bf178b57df28e5c1054cdb5f4125178f747fa463a42266504b0078f5a594f63

SHA512
d2ea0cf5a431728d66a8ca97633471702e85649e8281b4c3680235fa65cd54497dd1d96a00dcb2d8ef5d33e42d1e945495a3ebb2435f54617a2106e6e7afd8b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\CwIm.exe

Filesize
181KB

MD5
1807df4e83dea8cc0d858c2200edb637

SHA1
87d493aebd87050d3cefec028e04b28696f69212

SHA256
c5a402703d17aabdd44b20220ffecbb6ab08eec25398273601d890e5759d23cf

SHA512
6a03a2a7887839e61818e5cecaf5d1324c2bd75510bd6faec51676d4c23d6adc65819bd6d7c6fd76d7482a42a9806a044f7efb8b05cca52ea1fa50ba03a4d4f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ekom.exe

Filesize
181KB

MD5
335cca18bdff9ebf748af526d56fadd6

SHA1
999c2c6fbe1f6842463ddbd020e39089339953cc

SHA256
fa5d30e96ea36d8c55ad399be42dbc0cc45b4a93ee480024ff9085d802b430cb

SHA512
c252cd0f9999f0c8f370918f8d4672d9b03786cdf6391fa857dab0288b00a65a03f7d9dd678126774c81bd70d5c166b02d09022df238918c6096b90455c4d6f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\GEAK.exe

Filesize
197KB

MD5
e5f5e3a9096bbf69d55940bf954f386d

SHA1
60dfdcc95f54fee985942ac5abec31503ed5047a

SHA256
a044d456142c4665fa95e6e6b5dead3c048266026ea337ea7512fd9cfe07bbef

SHA512
269a319a25b943bedd4b8564d3f76027e43c10ad5bf0269651a98c185ec5ea43dbc555a7ee2db25221fffbcd9daaf6cb4fcf4eae68e9cd99a2b4819ec727859e

Download Submit
C:\Users\Admin\AppData\Local\Temp\GIEc.exe

Filesize
633KB

MD5
af6ed57348f70333a42b3f85ee623d7d

SHA1
cdd96bc8107a91d8141bc3d62ccefd6819aba48a

SHA256
ceae29549e820c24592b269e3b7801c10aadadc8827d537bf67fc007397babd2

SHA512
b87f2409dc710f4b5ffc0a71ed22bdcdc66256b6cfcf832cff3b17726de8bd267d5b95b1137cf9334138f708f4cffbaf045459c53660c1136efdc3aba853887a

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUMC.exe

Filesize
197KB

MD5
249f4e95d02daef497f05aaf6ce3d59d

SHA1
00b1b532982fd2383db4d68524b10882ebb40938

SHA256
8eb42b5748128fbccaea5a6a0e3b9a6dbea3cb9c854601f3d07f808546c41c11

SHA512
cab7fd550350d80bc67f84803e8606b06f4e910471b2d826bbf62e06040dc17f17b07d0928520887d585e54dc3c5373e0e01a9a47e817f77b570a813544ab6e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUcc.exe

Filesize
523KB

MD5
ef01b40fb496f17c85838540d06f62d6

SHA1
42a2cafff84c69661e87e4ccfa998bbf334cef90

SHA256
891ede5a7bf3af8df9921a705e085865925944548645b6dbf1fa6992852733a2

SHA512
13ae01cd7fa6fc5addb1756f88bf0a93adb1a85c8d2e81d83f16c20c4220c14358641299875497088227790e9ae8a9764813d9f1a2d0f9f32ab87880411dfc38

Download Submit
C:\Users\Admin\AppData\Local\Temp\GYUQ.exe

Filesize
228KB

MD5
c0361864e03abe723b99d8626c842df8

SHA1
48313c538204f330e622dda6a69d8a7e2a783a57

SHA256
ce4529c473af9906012e34904df32cb3e2e36e58e49f23976de263bdc452222d

SHA512
48c0f7dd9d44fcaf227a31e4b9dcb29a93e4855abd5a61a9689965cb291c8e7ca6e40bec0c847477b360572b5fa3b77cbe2d4432e0dc890142e1b5a19aac657f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gccm.ico

Filesize
4KB

MD5
ace522945d3d0ff3b6d96abef56e1427

SHA1
d71140c9657fd1b0d6e4ab8484b6cfe544616201

SHA256
daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd

SHA512
8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IYIm.exe

Filesize
202KB

MD5
0ebd30dfa3e22a6095880f68d7e77754

SHA1
05dc2445d957a39bca39d6fd62278a73f5ecfb0b

SHA256
7dba0cf3f0285a2d10d4d7f601956afff323aee21307483ed7f4e826990a3b32

SHA512
90305c88733bb787b0053bd734671105d8f0d74ed11a1cd4164114b4c8039b9af906c538ac803a8fc3ff68f8e86ab1701d2b970cdc78198a6534a2da72208859

Download Submit
C:\Users\Admin\AppData\Local\Temp\KAQO.exe

Filesize
327KB

MD5
577322254a394ca6f76f33284acb51cf

SHA1
1978fe0fd2a16ff99b8cd1a0f3f5024b3a7fbe6b

SHA256
be88dc79e27b383b957c7d72aa83fa2b866beb975c089226bb069210be3e6a8e

SHA512
8ae0ff64ea4f6288c26816b6425ba0da293c7c56c2155d94a86662a1d959475dc3808cf652bada53809137f69832d23241f523e8c4a6c28d6ed71210d6a5e7f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\KoMW.exe

Filesize
190KB

MD5
5d9887dc90975a553102123ed3fc0cb6

SHA1
efac63133b38c1cd5afbfedd365751c1093af3cd

SHA256
b8f6b1e4a7391039c94106392908320e0e2a049f2befc7a87031ef92937f0257

SHA512
fb927b7d18dae02ccef45861ad828b108f53f740a77fc244e2698ab789012f49b56a3a7fdd49ab7222c1017d3724d873ac29ae50daef611351115f5b492686cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\MAwC.exe

Filesize
191KB

MD5
389f57198fad8ab31d5575b4a04743c4

SHA1
38c4234f6aa5e521dbe8b70dcaa3a26e68fce415

SHA256
54d5b8f9c8be04cc426069473a92c3ddd44545dc41a94ab459e0e406f09136b8

SHA512
02a15f308fe2344bcb29e13227c649bfc4991205cea4a81cd75829590e7752e46959068e3b516b34e051b14d19f57cfb5c26a1a4d028a899f9e3b1cd13355a52

Download Submit
C:\Users\Admin\AppData\Local\Temp\MIQk.exe

Filesize
191KB

MD5
f54dc1a1b7f93d5feff6ee4c9aba2ddf

SHA1
df9c36a134729bff002286a94f77fda201b41a35

SHA256
c2e1934cf08abbf3ceb532163607bc4ffb0b7651d2d820d6ddc4237048f35cd5

SHA512
e2b01692efb5f14e503155e13c90ac33e08c428747037c42d6e78deac5753387032c5a5125b776459a91ae83426a83259a419e6e90668c0a347cdb8140cbf57a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MQMU.exe

Filesize
207KB

MD5
b52ab14ef967fa58cd28b5dd7a3f7073

SHA1
8245e9e5603c615c962aae418a3f31c4add01ba9

SHA256
cba268ab955c7cb6fd1215822d2cbb17aa5431998b47bab53791f83a0c809ff4

SHA512
abb4b749318e1ef07cfc7879a89cfb5799544505a92ffa0300b4b689b96c07349f1a900b315959e37aed71dad3934e24d4feed2e3b51251c9060e921a5036b6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MYIc.exe

Filesize
560KB

MD5
4bdc60d2be0e31ec586a23e8c78d674e

SHA1
c9abc394e101c504fd6b89bc9cc7ddf0bfe3175e

SHA256
d83d52e3c6a815ba2cb8298440b413dcb3dd176f9d4b7502b8bf4214d5b93b1d

SHA512
4e803b8bec36162805042423261c2409dcab3d1a0df239477cef91b496751a5d360633556b8bb2f743ac2c1c56712d4571739cb19ef4f22367e8414a15b2df0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\OEgs.exe

Filesize
204KB

MD5
d07fc32d24d8c8f5a6255ef6f5c0e058

SHA1
5f9d4535aab5a2341b27c6216657d7b2ab884d4a

SHA256
c1559a86de1c84e73ea39a6a1df9e29377669c50a613ee0eb9210505311d74dd

SHA512
68ecded6ef144941d138e4eb828e8b7d9bd60cb74d707dc1874096907b97bb3dc11b006c4ff9d0a50ee03c0dbfe99fab913ee1e2b6b22ed668a66e82f79e1e12

Download Submit
C:\Users\Admin\AppData\Local\Temp\OMgu.exe

Filesize
191KB

MD5
4ae5b6368ff70ca6c1c095c62e3fc1ab

SHA1
631ec5010ee6b7acaed3d3f9eded73e0a1195c0b

SHA256
c30cf0ff3740ae4d8e8d76c2e750f136ed7e68f5c1033a01f8f5b1c6e3635614

SHA512
1e72eb94b880fdf4715a2569fb296facf75465d46c7f6e3b74e1042c7ebacda9decafc2c559835e0eeab64407daba0d400e39d98264277ff3d5ec90228785eef

Download Submit
C:\Users\Admin\AppData\Local\Temp\OQko.exe

Filesize
539KB

MD5
3df5686f4a5168d269e1518ae35e57ea

SHA1
fcfacebaab7462a6a7525bab836d61bbde2b8ac0

SHA256
8f54650b096866b464575b8da4d8f5ad1c52e78863560b8583a45fe5424cdc8f

SHA512
5f88c1790eb6ae909caded66889dd59cf016ea41841143c44d8d9ac51116b0baa3219a3abf0cffd899e87ad486d06ddd5c5fbeaa4369a885ae82e7907e19e500

Download Submit
C:\Users\Admin\AppData\Local\Temp\OYse.exe

Filesize
420KB

MD5
6fe81f782430f9c921563b93ba872863

SHA1
b69d6ca75331b8343a679873f533b16867a1f357

SHA256
c72ea737cb7bf6d3992db80bb8118a464ed2351f9d282468030178a7239fdc14

SHA512
b626aefc8b869a630d1a4c932e2ee79bccb2c8a6a99744e06399d1cba72eda4809e2e2dd18cc8c5cae09eaddf384b39a11639b1a57a95274ebcd54cb5fadbd21

Download Submit
C:\Users\Admin\AppData\Local\Temp\QAIa.exe

Filesize
197KB

MD5
2043a0c4f4305dd0539394673ab8c7c6

SHA1
2bfe50a76daa989215a6aecb2f87c0119e084921

SHA256
7c74b8a29d10d836d0c424a58948b723bb843097ff31fc64eb3716844e2e9894

SHA512
9f8b3a23965d24de3b61ea92c4aa5ae9611680443d1777b28c0295321dcab9538e3b26c254eb341bd7d60264bd1d9908e85f1fbca4fa128df06abe23ede949d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\QcUA.exe

Filesize
407KB

MD5
29f8d7ae18c97200f5f72fa55162c324

SHA1
81be1822329ea1684d59e50699a239740831c87c

SHA256
03659870367b41d53e313345c719601ce3dc3d95bdf9fbb170ca1506d0bdd155

SHA512
56c74940e9409a2127b1a891e63971867ca80b434065a25f9d0d73e3fe5391fb67934ca0123dee7082b207948a01ffec1d4ee14d5f969e76bd68da9d9544f694

Download Submit
C:\Users\Admin\AppData\Local\Temp\SEsa.exe

Filesize
200KB

MD5
ca00acf143fcb9d3521f97465e7f9872

SHA1
103c810908289df4ebb9276577912a1c764c01be

SHA256
d8a20fb8a0ba5adc30b6a479fdc15f61197c184daa09a0f633df20679ffb926a

SHA512
5e9235cf68d6a6d5c5d1ad1d1ffe70dd44a4d760979bb5d2bac75711c39f42a4cfd35ba0e3b93c4d33727ef6159805b0b65fffa6d518adf6096283d3a5f71ad1

Download Submit
C:\Users\Admin\AppData\Local\Temp\SMkA.exe

Filesize
202KB

MD5
74389236238e0ae21a41f160eae3f250

SHA1
657ac299fb5adfc8ab07809d01f480abbb5475ac

SHA256
2486853a5fd42ca9bfd4b88b56921a06b669875b7ad2d4c9fefce043e62ffcea

SHA512
9db7568ca04b2584e3b74dd3764f1b5b581292a01b88575f05e65eb82454820faf46f75803644b410b740fb95b0c47cdad9de8fde404875a5ec9ad87202dd5be

Download Submit
C:\Users\Admin\AppData\Local\Temp\SYMg.exe

Filesize
222KB

MD5
41845f91450cac8237793333bfea1344

SHA1
880225b51cfdda19633b77a1be50e16c010e3f12

SHA256
2159797b05e62076f390b3a37da9d35b7b7c793939d823588a0330faf6fe8e58

SHA512
1a133436293f6f578566b7a29ae7a1b3490f74a3a566b988460c0d4b50328c4b4f41c63cd6a1e6382bd1fc2d815c582aa0e035f1d3778ca99ad0aad1d45b9173

Download Submit
C:\Users\Admin\AppData\Local\Temp\SYsm.exe

Filesize
204KB

MD5
59e7fe4d97e91b80b48528885a395f92

SHA1
8ea9afb435b9999e4a8444b3801605d1c709cb78

SHA256
e81fa676e628f3bd7336966e2229448945f81257833a8b5d9d706eea6b60da42

SHA512
cf244bdc06240b7aafa49830ec85b14035a712bd759895f941f8029f863ced94947d689969221645ca467958ef16808b60ca3f9bd113ed087b053884d895a6d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sgkg.exe

Filesize
633KB

MD5
144bc472243a9611a346cbcb4b1863ec

SHA1
059bb60eca1459cee9ef9544e94e17ae94951f51

SHA256
083e2e3d3d0ce6b6d7d45c786c243c7eef62c0ff513434344ea83b177688553f

SHA512
9941bf79b6b85a3064fbb76be439a9fc7821aaaa945b7fb730d28ee82d58ff1d9a7463e392b585fbec9005bc6e1385fc0405626430255127cd31be5d967f9e06

Download Submit
C:\Users\Admin\AppData\Local\Temp\SkMy.exe

Filesize
230KB

MD5
92816c4cd06e72d293ebdcf4f04ea8b8

SHA1
a759e6f507d17a863638998f452d38f403d62e0f

SHA256
88d1d8389679b11fda2ea8abae58f6b2de39342816518491a081d1a461afd46c

SHA512
32e4b51a85ce2e5c24966867f18c44cfd28e1806764ecc7b5066f377a88d9f01944ec86de13b2cf78f700bb2fd69b40a53f796f33f3d12be30c2276f672a6711

Download Submit
C:\Users\Admin\AppData\Local\Temp\SkYW.exe

Filesize
192KB

MD5
90aa65d7de9f573618ff198c0c2ca666

SHA1
5fc0aec825890afb27dbb4f706429cbb121617bb

SHA256
b81f1f1accc59971978d4368ec37a24a9113e0174e736a242a3b349599d9d054

SHA512
f724f0e71ca5c35b118a3633fbcf6558d34ac2aecff2feb87d1a0eae699b87f88ae18d3871a287a95e7323275d1487fcdc6240a2bec0ca3b1605396bbad3cd69

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ucww.ico

Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\UsAu.exe

Filesize
190KB

MD5
800e87c2457a04d742360af5335df959

SHA1
998015c1c3fbbd1097db9c8f4479f1c7477ced03

SHA256
ca7481dda8a3e496e8864d2a3e3b1f08b8a263633341fb5a5ee0cf9ba5870a91

SHA512
6f6ca41c0f357873015befd0a15932f6133429e6d8ad14d15972147f7dc3b891dbdb153d0d0feb5a9723f73cefe26ad80b357a1aa3de26b83a680efb21cbbf53

Download Submit
C:\Users\Admin\AppData\Local\Temp\WMQK.exe

Filesize
213KB

MD5
fb94f38cc43d59c3c206079bf86eed60

SHA1
1874ec54472477c2f89d1cc9c4e7876a2a2b5150

SHA256
101dd17c3457fd529369a5988409d42fd62e021dc026e566e118c7ee0df748b2

SHA512
ade9b271b9077077b97c7054fafac611a656664da8b0a5b42ffc7412edfb229c3346038a23bcc08475a2a3c3a7780be0a929ca2e7a861531af9bb41b3c6d06f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\WMQQ.exe

Filesize
200KB

MD5
dfa97c32edd5c339c8773b222d2d24b1

SHA1
cdb93fe9401a333ea096d1c726c60d7ade431f72

SHA256
3c9fc41bc903cee8a7789ecdb61e6f46ca23a27b997a02f06a2987ad8f8e48cb

SHA512
9b7bde509af0c06508288155e410d276ec7dd37823333c7b204d09c45fa0555d62195920924406585f97515fd49758f0c6b1f07f3c2088d342a9c959006f0825

Download Submit
C:\Users\Admin\AppData\Local\Temp\WWsMUUoA.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\YYww.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\Yccm.exe

Filesize
191KB

MD5
f6557a2c6e533789dde12a0a1c12605c

SHA1
849d78c8e48d8fa3a9f1196e84ccbb86a01f1d33

SHA256
745170a393146878524023c52d9156773471f534c4a95546ecb35aa27579dc1e

SHA512
fd3bc97fdf5c66ee50ef93f54f09445f27c4af138d7ee527b3ea99f0245bcdd3226bd6848ebbf3ec5f5b8243c43b759950712214e344cfa253a0e66dacfd8927

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ykgc.exe

Filesize
444KB

MD5
0e5a3f08a17da4e88ab886fc072105f4

SHA1
fcd65fcce155a8d38458ebc2275dd6a11c0a5b44

SHA256
37ea80a7e970238f1c0ea5f4195cf141c3cf46edf906f5c5c92a5f4783cb2b4b

SHA512
780d59a88453067c89e5d2ce1bf1b4794f8db6539ef16e47ae02d78f19d8c106eb463d76286b10ffa9a0264cc71c9f654273b4a1021d0d9ab398ef4c3c673fe7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Yowc.ico

Filesize
4KB

MD5
6edd371bd7a23ec01c6a00d53f8723d1

SHA1
7b649ce267a19686d2d07a6c3ee2ca852a549ee6

SHA256
0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7

SHA512
65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\YsYi.exe

Filesize
309KB

MD5
fa131fa7efab7a38fa1b45ad1a342c2e

SHA1
65787059fe88826dff07b1ae27c8110ee564e5c4

SHA256
e003a3f4cfbf208694c0ff0ecaed836c249f5e5f291ad50395813b97a10c54a2

SHA512
eb472bfdb969246354121d3813261f7ea9307c792f9a93fc4975a578e8a8cbeb873f77d78c6c585ef2bd1fe53cbaf4d188370b900b91f0a4cb76522fe4fd46d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\aEUQ.exe

Filesize
805KB

MD5
50dc7d498b5282fd68b120c754e95a75

SHA1
058cd9736d19727dd689db086f2c6ee5a1e26d4f

SHA256
a289fe607af6a5e18d4501e033fdd92197340ace8c76279d87830250a3ecc9bb

SHA512
24682cca7fe727e86f1be7290ecad90b0ed614a2c831fdcd94c648868dc5001d65a0d5cf77adde9b7971cf64205385d01ba221650f87240c93bbb1481e2bfa11

Download Submit
C:\Users\Admin\AppData\Local\Temp\aEca.exe

Filesize
203KB

MD5
3f8d3036951991da272c94571c746f35

SHA1
a339e2dcef913ddccc735f89f5d15e020a62f936

SHA256
40e31e17dea01f9db692a3b7bf78e2e00b8288b63f63772d3505ffc4f34ce73d

SHA512
f31a97bcdc1b8dce1c50306124a6627d7de85983ee4bc8dd6e7c191804dbb2cf7de7dc5a9ae759bf292e7061dbb3390281f7d6235d5d5792f5cc0f0d63ca907b

Download Submit
C:\Users\Admin\AppData\Local\Temp\aksk.exe

Filesize
1.8MB

MD5
70abdc81cc1ea085e5ab0f7eed21bafb

SHA1
998fd185262a24050d3e11c6c9646a4924e89fe8

SHA256
2da975c97d05193054f96a5d9a5d9b64c49f1fe3e6aca075f0c05cfcef54a63e

SHA512
fe7866ce710b92ef05b0b64fa44dd7991a60129f222de15a57a397858b160c67c0a73c1fbd988f569a002f5e206bd98ffa75040fece24b23eeecc3a281707af6

Download Submit
C:\Users\Admin\AppData\Local\Temp\aoUo.exe

Filesize
315KB

MD5
9b7e57a8e273ab91e31ddd9cc8c4a0a9

SHA1
1daed2bb109ce752a88bf7f0bdf33664a47db5c4

SHA256
7b2b0a92964bcd716e956d4030ed4e00188312145fb3af86782285f287a39c99

SHA512
e9cec99efc2ff03d51f7103b3be6ec0a1c356981f44f6649c3494766dfc4a6f9ea4a1ac441aec4d796b9d56792d2bc5f0e97fbe129445979a346ca6c66e7b0d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\aoow.exe

Filesize
207KB

MD5
fda2e5bd61e7081ca39df4889751aa9f

SHA1
7b68883b4f0cfe230f6db29a0a59ece9e54a1132

SHA256
18112194c46940affe6f5ba2e228cb57ebee3cc4baae76a3a2572dc5b1822272

SHA512
2b280679e1ab633da29a441b17ce63fe5c38534f4a829f38b5a735688cbdeb04337e5dbb56d2a90eef3a154a9981e45b959ac8e0c1bdfb7b1b7d1077fc2b8c62

Download Submit
C:\Users\Admin\AppData\Local\Temp\cAUw.exe

Filesize
327KB

MD5
db83d2eb49abaa911482f86336051d89

SHA1
ce654a6a77d60e266b40d0cff4980f0fbc216b25

SHA256
37eacb5c96e8abf919d73b45799e84f2f93276ef73367cc677e30d95e8cb007d

SHA512
23a107d6a104ebf41d8d133db04d16bf25e7a44b2f3ce2b177e1309743fbb82c0ff22cfdf2c1e3c790a521e8370e73e68222f95888717c13f709ffa9a3baeb48

Download Submit
C:\Users\Admin\AppData\Local\Temp\cEQO.exe

Filesize
613KB

MD5
3a7b8cf9cc59702c1bb5d61418b6343c

SHA1
bc56154ae2a10c9f829a963d4c95baba3d520cbb

SHA256
93db83c5e2674d7e08f768e647581956f03061a6d878b3463c461c3eeff1ff99

SHA512
707c4694c7021eb7ee36f9d03d04915ca71c2f0744e74765ca63034ebee98dd14335806f7987db936c0fbdbac85721ab717d6d0c9d1f21f0f9da965ac5e13014

Download Submit
C:\Users\Admin\AppData\Local\Temp\cMkQ.exe

Filesize
534KB

MD5
8d052515457b5ef8f68c39e593c343ec

SHA1
afade4149fd09480574dddb859300c8e10090686

SHA256
c42a25b24167854d85d16266c0582cb5945a8a632cb02ba723c9bf859e05aea6

SHA512
97ca90013f94c777a06300264db0eb4124f3a90961d852f96dd5ec691056344599ea0ab152efc73fa47ad9bfc590b12b986dfa7af3c3707d742199e74fccc73f

Download Submit
C:\Users\Admin\AppData\Local\Temp\cUIS.exe

Filesize
188KB

MD5
d3c47aafe633d414089abed7f981d495

SHA1
af11372579b4b0ff33a5abc5744beceb92eac85e

SHA256
b6b819f45b700b448ce8f6bfbf1bfe9be0ae47e7e458e4d916d97a48a4c014a2

SHA512
606c6e1533b81859d39632ab4c500920ce3b15f1706cb85c6bbb2d1a1e459c08dcfd62e23cfa863c1d849c4605cb2cf3c1967305c4b29b1bc93d3e39d357b36b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cUgC.exe

Filesize
195KB

MD5
332d0d23fc48d6afe1b018097fe3e5d7

SHA1
63f76e1e3d671c372c2cc01cb180e3b572a4e50b

SHA256
be5326e02457e8b338d4be590475f8912736481d5c0e43021d379cd39bbedc3a

SHA512
e8d474c9a8834d1a40124244406b4eea3dee50cda6349ac6a7895ced2ee58d314337980061d0ddbc4476188956fc56043def397e6609538bea6b3795300156f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\cUoQ.exe

Filesize
430KB

MD5
732c4a9ab279d2948cbf7bc3e4707d78

SHA1
d0c1e9313c995106d504c9cda20f5b1fa11f24f0

SHA256
dfad5ec53701e140960e293eba1e09533aa9342a80d6e754e492bde899b6903c

SHA512
4f8829ce4bd19e561fc0f6cd3db68ddbd8f4191b7f1405bc38083ce28c731829664067b0e8b02c4505cf30bab91b70bbc85eb6964a9ad3997000bc7a25913f37

Download Submit
C:\Users\Admin\AppData\Local\Temp\cUww.exe

Filesize
190KB

MD5
48799c05bfa1b1e75b7df5d575216c59

SHA1
1ea49d3dd11bf8166fac780be5f67b6c69f2d79f

SHA256
338c5f4a188753cd05f5b04d7e35e59f707232c468c010eecc8ccc49d8f58215

SHA512
704f70793c6d05e75de3150cceee9d85150a541333fe3a6ca0bb9aead13e97b8f0e8a660a854503f2dc7bef877eaef5d4deaf2f518af8504bc7dd1d5a6033689

Download Submit
C:\Users\Admin\AppData\Local\Temp\ccEE.exe

Filesize
205KB

MD5
225dee3c45179952d3579d8583c4e753

SHA1
b0ef28e9d9f7f93820a2d3af98585d875626960d

SHA256
4f670dcd1f09b67a1b4c65f2af3c5ab436a5314c0adc4d68e4b144d21c7de697

SHA512
4c3239536025e9003dd45b6ae4d6031fe1d726e0bc12c5eada168840d641d43a930267304a24453bc3153e5fa7363eba5980354ceec8e6664ab25063976a6eb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\cgEo.exe

Filesize
186KB

MD5
ecd4a8a1ef5e42c99b70702eaead3a64

SHA1
da30884ef14b4843bd08b11609cea36d16e42f64

SHA256
c2c868bd018bd1998ecee02c584169f0dea9c906c01b842cca0c9fea8d35298a

SHA512
8cff2befb8a6a147c2ab2d4403a345abbf3190b11191b3b4b4a479e264d66d45da56bb4b0d99bea0b33d7ee016f4cad9a2116351223a382d6f7b38e5f5a9e079

Download Submit
C:\Users\Admin\AppData\Local\Temp\cwsQ.exe

Filesize
202KB

MD5
0fc38a3dcdd003fe2eed90b8620c19dd

SHA1
76a6a5b333393aa53e57320b354fd85bc6f9555e

SHA256
207d1ab782754e2a8eb8b32524f81461130e47f3809ade218eb9c3bb2c65672d

SHA512
95b7c826ea28703e59b0454ddd700049c92ee1570f92ed71ae56cd2115bfecff67ceae485c63e7371702376b7f160215db757b31447a79617d0cf9055b450896

Download Submit
C:\Users\Admin\AppData\Local\Temp\eUsw.exe

Filesize
211KB

MD5
9cc5f9f015b12c68d3126adbfd88501a

SHA1
329be47035ca4e782672b8492861602cc0eb8624

SHA256
cdb483ef0e9f2e16b7c9365d9327db1883f156f8a6ec09db5dc7b14c3a3bf84a

SHA512
1c916a25c3e075d6a08a883aa71dcb64d380ef399492fb8338fca158c14cecb556d669591e8f5c04a7445e06c6240b916eedf741e0e5a68ffe7592ca1be83b7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ecEk.exe

Filesize
189KB

MD5
2a31eff356f527d72cb5b9142ca5450e

SHA1
0be489a83648b7742efa2c51cddbdeab31e7bdc0

SHA256
99f3d9fa690c6db07b2812d061a7cf61de94a9ee4f6a8e33034bd9389fabd30a

SHA512
f0604bc048303054954ef76e839cb3255164b8dba4c175c7356726a13dbaf31da009185bc61febf4d59555db046f9a20f029d502150f208a2e252b9979e1b75e

Download Submit
C:\Users\Admin\AppData\Local\Temp\esoU.exe

Filesize
699KB

MD5
5213b508568a843fcf4d210c18b54b49

SHA1
2560ba400c7329e397fc1f9be5b28b4ac571cc4a

SHA256
6512ea315fbcfa547e95b6d36d49b503d9320827820b6714f4641b64ee469156

SHA512
5a7694c248b53be6258b8df71014be8a807988bcbb6d1025d08392716a69c24ba64d6cd7809e892b2903d2760cc86f3c7f597c6260f7ccd09f87e25a3bf4a24c

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gUUq.exe

Filesize
185KB

MD5
b025cb0569b5b671f7ba2db96d634915

SHA1
31b8cada89282365097b9f7001027dde7b87c629

SHA256
b4edb9646a2414bda10fa1bd89665940eb6d84c51181048e7b5377275d5c215b

SHA512
ea017f8b0459c026cced51ff10f3f65ed49c3d6a1f5a517637c8fe8694eccf56008c4e18a948026d2f620c686dfcc9da841c08d40019cd180e9a043e7fd59767

Download Submit
C:\Users\Admin\AppData\Local\Temp\ggEg.exe

Filesize
203KB

MD5
cc1b0a445b6cda2218e85d3bb207514e

SHA1
26496f045ff00ecc75cb3b459b051aa2908c08b3

SHA256
fb15dd347b05d454d8088598676f6dcdb1af8bcadcb16b031aab7f776bad0935

SHA512
2fd6de199d2d4ccf2e08a1671cadc9fcebb44e6ebc50cbbdce80f94e159dda83e98b0d9088e4cbea167216f23594d4a7d673e551d0f82b27daf85385aacbf8aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\goMe.exe

Filesize
678KB

MD5
b42be9a00f940bb386b9bc7300885c06

SHA1
8a2e2875079a9b96696db9c3b7007b2bfdce20fa

SHA256
fc89d973ec176cdf49b21e2b5ebd74f7e7fc6e7bd92e4b85d2102f09253e6661

SHA512
df9d66a796bec6e6d9455cfc7b2a61c5f3db11e640d6ce2fac1640fadcdd92cba8490b4b91f4e823192982e4ab32504454a381737e6147f20d09a89a732172a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\iUES.exe

Filesize
200KB

MD5
22aefa2291c988f5abe80fb2956253b1

SHA1
7a485b4c0233900b7717b6bf02a2526cc7061ecf

SHA256
221bb9d29f5cb847ef38fee4e0de11bd381504352255acaed7f1b6bc92674280

SHA512
53b151117d0a63a3455d87eafcfeedb46e29c6c4e2797ea87a03ed18502a0cc4e3586907665992fb6934e898098dc99b6686b1f3beb1122f0d8ec12a30c8ff3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\isUe.ico

Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\AppData\Local\Temp\kQIA.exe

Filesize
187KB

MD5
05f0ae90ac760ed4775c5c7ae5e225e5

SHA1
9c1ecc9ea57df66d2d280ebfdd7511823e511724

SHA256
53084b46a05b961dd786ed0ed4eed39f35af1c2b7901f576a6b1b39e5c94a368

SHA512
40e36cc7c6ed0f5d1f9236d7c0916212d6faa3f57c5fecedb44939a59fb24b5d7e4fe866ff3e724087179f94c0b020e351a29f3cda6bda754b13c387a8fb444e

Download Submit
C:\Users\Admin\AppData\Local\Temp\kUEA.exe

Filesize
202KB

MD5
53eb85346e3eced12018b6d44c04679a

SHA1
2383b5157dc1072336d1a65b58ce4b4d208d3534

SHA256
7c7f9cc8e3e36f90e20028db2ebf6f6d61d340e01851490cd780baf0ab7ee1bb

SHA512
34051323781fd412d8bde1c26cbb865a92ef939ecc55451e8ab6135ef222ed8a548d739e7cd574e1682aed07ced31e17d8d085ba32f2a0fd684b0c546b8e85dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\kccK.exe

Filesize
186KB

MD5
a6f3a2ea41edee77b0c80b6dff5711df

SHA1
bcaeffbe84fc7bf1423a8c340ce148addb2778ae

SHA256
0f28da8568d71a7cc397b313e6852f128a54128c19024735881355a68b554412

SHA512
8823608f224a0cb7d34837fc6c51c0918c6f763f06a8071b52ab428a66ab1d0252b6487ac78c10a0f297da2c42014687a9340203f28c4056e6ac3f0ccc64eca3

Download Submit
C:\Users\Admin\AppData\Local\Temp\kkYk.exe

Filesize
200KB

MD5
3f94baf1b8e561da67d15db55e686e0d

SHA1
2c8d8b2182343613843fb085a12854fe78582e6e

SHA256
e10e87f4f3cf9fca443d24f3b8ea17b27f36ead34cbdbc9c81d274b92e484e52

SHA512
927d43e11750d68fe9b57d11f70358e473e55e81333c37e6d9d9f925348cd68408e622fd02a20926232abd84376f8981895bca09ee95b2827d734cd84e459efc

Download Submit
C:\Users\Admin\AppData\Local\Temp\kskW.exe

Filesize
783KB

MD5
3dc399df48b10314d4d1b6efe2de4800

SHA1
1debacf0fc3c52c56735a86b925abe640cf51cc3

SHA256
07ba548d409f7fba260062bcf9ab5192245034693cb4c32287e3f84014042f53

SHA512
226245ff828d6bd6f12843d4d85ef0f1848d326bf7188f4ca6a729e856044898efece4193f723007eb69392d073e3828727b29a1185391974cadc7939694faf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\mcUu.exe

Filesize
198KB

MD5
6dd8d61966237cf43d63a52f4aa458e2

SHA1
7a79b81a6104266d25c7683c45bfa2479860ed46

SHA256
be57557f7fb2086bcc5ddbdbf7991ffb35d43960ee0f8e2a794e47ff6a6d71b7

SHA512
b20dba1d61a7a0f1b7175b7a2bc5d437ed7d92a3f16c617a8423c984c42031c319e7f0767262cf599eba6d203c3b4c87c07a34f3aa4dd29f7a2e8209c0db7eeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\mgIm.exe

Filesize
198KB

MD5
072d9c9cdd27ee767f1839e9e6c09ba5

SHA1
43d836a5bca6a579efc8f86a5f566b25818851e7

SHA256
99714af60c8426e09fef44de05f900eaaea06b0f1f951a2dd6049a5101b8d964

SHA512
f49ca5843ee96d0120eae2c0c31d513bddbd47191181933e342a1c44bb678d6bb8573fb7143018de6c69e47aea3942a89ffdb9b1527027059be7bcd99366a6b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\mwwq.exe

Filesize
201KB

MD5
b502cc27a19690acb435e699525dc962

SHA1
13255990d6a62bed117b3e80713ecf3088781ffd

SHA256
d625ece0d343f8ee18fb0710cca89067962d9de533362d3cc617aafc9a0c9e2d

SHA512
448c98eca6a772e27e624ae78bfb43e3400f4ff7bbde8b2c8866fdfeeab59525d63a7e50b8a2b804c28847b36c7fbf0d3b1bf2f3f62cfbb1f2d782bfa52760fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\oUUm.exe

Filesize
459KB

MD5
2fb46021ca8a4d3faf354d6fd3f365b5

SHA1
858aa8c6815fb1d5293c26168b38bf4be4a879ca

SHA256
4a2cb54bb1d7174d407f2959eb462bc7c4b700a8f410814ffccb43ed43572341

SHA512
740832e83962560bd8a4b918f200f5fe1878ff099b6b528b9ef4edb0192aeaa218e09023cef0f8c76ff9aad9ee7cf30696a52cf9d32247f3bff1e2e8cc57afeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ogAm.exe

Filesize
199KB

MD5
363a10e9480898069f8fdde87a6773ae

SHA1
148c19b4c046df7f1cf5b4b7c38b85ebf733943a

SHA256
60c4f270c8f040b72ad6249e926ad0263779d1f14217b8502861a4dc430fb5e2

SHA512
b3b4f84e0f046fe568481145bcd2eb0c9151ab9d6055e039adf4777294df860cc056903b41de7977c9cee4105d3795264ef6df2ef6807088ae9e4e657c783792

Download Submit
C:\Users\Admin\AppData\Local\Temp\oosw.exe

Filesize
192KB

MD5
708b61b642c5d5557bd14015333c3afd

SHA1
2f37f220cd42e8aeab735cfdd5224f4e39f8d37c

SHA256
505efdee9c87663c0110f12c648ab66fa2210652bac1b1b3333f05ab6b548e12

SHA512
a253226e62e0e86c4e6cc2575e7a69d9130bd645d0d7edb07a4f48639c5a497efd6ebf916418ab409062a7447154fce3b1010c63170120e1124f63fb80e5ff85

Download Submit
C:\Users\Admin\AppData\Local\Temp\qUII.exe

Filesize
598KB

MD5
7895bfa8997bbfe3609606e261029f1e

SHA1
b3deb95c4935d35eace2e98e6f5880e653c3ace9

SHA256
d631ae7c365a9b83b9eb170e0e6ee3f33f47e603a2a05ec1b37d9e79ff327e70

SHA512
8a3bc9204189921987492325b2a87e03731810063bdfef270e904c626df10d436eb2744a6ddfe341a88e0a3bcf20bb7e82814f31f6dab6ed9903c49c026282a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\qkQi.exe

Filesize
198KB

MD5
cd6bd99332f9398e74f427e5fac0075b

SHA1
20eebcda930b74ccd87c0bda2365542175cd36ae

SHA256
9fe02fb36b43d59a7d436c052fb0abf14cc71dd6be1b6941ebd69c3a4d1ce338

SHA512
3d91b15a6361d7f6f8d7afc4333096f99684b1a236ba56155f68f56d6f2698272ebf855342b77bf9ed11d280b7d22408386356266edd62168f3d7b17d591f4af

Download Submit
C:\Users\Admin\AppData\Local\Temp\qwYo.exe

Filesize
201KB

MD5
d000eec15d5e3cddea66619ddab6cbfa

SHA1
f7d6c058391170d4dd03902922d4bb133380c333

SHA256
768d0d649ea7c0aed54e0702bcc55eb757db91c1cc9dc5cc7a892d624ad61a2c

SHA512
6dfa9dce4d9debba666389475e3161238ed878454db7232d49c54cd3c43010c273efa33d33e9b28b7a2eec59ccea5de0c574cb77d51c36cd019c3fe57134ae48

Download Submit
C:\Users\Admin\AppData\Local\Temp\sMws.exe

Filesize
193KB

MD5
600e4d2ba10ec27b3face92330437530

SHA1
925f92eb0266b9b23868daf90ba58c8fa1ba33c9

SHA256
dc33aef6e9781901f877caa7f9f064c9b7ed7f22c0ba974aaabc2c3ebf0bf08f

SHA512
e6f07215410fb759e1d1ef44b5ff82d8b7475ff64eac745505313099be356bcc1e6981f4521e77b3021dfb4e029bc523b825061cec8dc178b23e9b4975bdf628

Download Submit
C:\Users\Admin\AppData\Local\Temp\sYsu.exe

Filesize
645KB

MD5
266927824b815dd6db59c72a5961cf40

SHA1
1c17e63b335ef1960ce8815454701266e5e81f07

SHA256
0036110f732fb88574ca5980a8000de9966766714e5b315c6b05d40b4acf9543

SHA512
15b83a498ac76c69a77e34ad000616abfe588f4d2ad7db41d71a87875db0e9523788c09520fd552c8d603757729a1fcf7d49955846efdcac7fbc77b2b5b66bcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\soEg.exe

Filesize
640KB

MD5
c804bb5780a3712a89451722ed5bfba1

SHA1
24dd3978625b71a59c6443e8da45afe256d34471

SHA256
2511e8931e4bd3fa9ad6168781dd4ca3ea28bcce844ebe57606a73ac083d230b

SHA512
9161b2bc560cf70b8601db3e97bec23736d885f789c7de29b5738a16ec60e8fc7515d28330cfd0c2ce2bba875041d59eb3cb76636f4907f2411eda36aca83d70

Download Submit
C:\Users\Admin\AppData\Local\Temp\soYG.exe

Filesize
824KB

MD5
1c3f385a9dea00fb7cac9f42d3a9dba2

SHA1
cc232e1c2c4ad51c1a42f0b5cc0cda1d5161e7f6

SHA256
829b1b8a2c708da7c48c09d592cae922aecff1fb705dbe4ec46a501b4cf1a9ec

SHA512
4df94cd372273ccf9a49613ae4b923d7ea9090e94300dcfd057ecf17b909466a1b5f359352caf4942ccdad3da93146eccc39c3f9e043cf88535d262feb8c4266

Download Submit
C:\Users\Admin\AppData\Local\Temp\ssEY.exe

Filesize
199KB

MD5
cb1625d5088ed94764f11cae10baea21

SHA1
a554f7d759fe933731cb95a9574801f508d2ee2a

SHA256
d155b6026f16ba525adc99bec2539e7e1e831ff585d9923166fb9d6bcf14f748

SHA512
858c529bd715073782cbed709b4def311f4511158931e7acd713cd4eef9b6968712358f5183c8812b2964a19ab2e066cca94bb2ec3ee0566262107dc44edf81b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ssEa.exe

Filesize
500KB

MD5
9282b5896391795d3699acaf5b06db6d

SHA1
9221f3e83d9f5de3e7c43bcf696564b941834313

SHA256
d88b47f7cd3ad603f8b8bae556e07355e48dfe8b3ac2a15ecd0e9e23117c9cbc

SHA512
650b739ede6e377c443cc62395c8c80aa4e14dbf00a3191f89ff70dfa54ce01fa7477e7a99590aed1110cdfb91a501bbe2298e00e376afe2de96475dddf26093

Download Submit
C:\Users\Admin\AppData\Local\Temp\sswG.exe

Filesize
550KB

MD5
c21751de5da9fc1af94ed0a31a633fcf

SHA1
5499f2ce08c8f0982dcb39fcdcf32b00499daca4

SHA256
ccc1a4af048be422d4402e5bb4487424b39078d5a05cbdc15ffa15308ef29fd9

SHA512
2b20319d204f5191ee4ffd6999ac24321069604944d66f15bd568fb3c65c50343376c405f73de78637faafb8f8f4b3eaa6a474d7d734a8013766eb7d531476c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\swMC.exe

Filesize
256KB

MD5
66bf4dd88b629ddcd69f3235a3cf36a9

SHA1
b611400f7254583a032b7c50365616c8ca10ce2e

SHA256
729da0377ef6270705f300c36fd2c1263a50868e077d8ca3a4df5ea499b0c788

SHA512
ec66d3cebba8351a68cd26029ba97a2062a6fed365a5f74cff6cfc0dc037ab0c5d9fe3127aa5cf76277f4f1e029af03a0d06de7c6136740cc8661cb474e6a77e

Download Submit
C:\Users\Admin\AppData\Local\Temp\uAYa.exe

Filesize
200KB

MD5
94d029c71d7ecc2b5cfd85c9f7501219

SHA1
9a80d410e4bf2667b88379ba2969142383296777

SHA256
217cd3b7cced4e615967217c98c3a45d5dfe8288998d24a227d259ed60699cf8

SHA512
b1145fd2ed90c061853b607e4c691c9581f5844214784fc90db0ad0cb1fb1fe37726db9329549780c6033abec40658443d989d5695c8f7ec1f59a6c5c6e73047

Download Submit
C:\Users\Admin\AppData\Local\Temp\uEwi.exe

Filesize
807KB

MD5
a1d22607532a8f8b0e44e18430d0bcb2

SHA1
44c14fdef53e6f474cf1ffafb95b61472bcdf04a

SHA256
6a0889c24d686eb511b054d8b1c7bd8319a23b7f9e7cd2e07af473f343d0da4e

SHA512
2287324f9a806a89d6a078845ca63e3f280f33c4e90a0c2dca34bb0c4856f208f748971f9988ab5d9270750fa26130a4d004bdf95f8ab7bab305606453e4eee8

Download Submit
C:\Users\Admin\AppData\Local\Temp\uUEg.exe

Filesize
207KB

MD5
346e94ba4bd9484368a4a6e1c2d6f685

SHA1
f17b5ad001a33ed17bd18e7a9b27b93df1c051a1

SHA256
15c4040d374607a6f7dfae45c86257970becc0f3d5e17d3ec7e5ba16262e23ca

SHA512
2317dd1578b09242d432ce5821578568523f658293d2c6bb53b24f21d81216155b8609ab86591da6a1d51733023334ee2dc77d0bad7f97932828f064eea690aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\uYsQ.exe

Filesize
209KB

MD5
a4230b256a37d7cd724f516443f0351d

SHA1
9b3a96873c9f4c4de8722def0706ffe6b6829297

SHA256
efb9eae4cbdfe7c92d68505b653cc8b8884b935afaee61b899ad486ebc0d1f47

SHA512
96460020e870c7fe63e1a96e08bd8adc2e441683fed18c6d609f900e3079d07b8eac1dfe73ff343797fd31fa50f3a257377372fbf8608eed8b8ed8e8c3154387

Download Submit
C:\Users\Admin\AppData\Local\Temp\ucMi.exe

Filesize
1.8MB

MD5
9beb5206a73b3361a84a4cb784ac5e5c

SHA1
c05010bb832a82bf3e2433e883e444ff62561ab3

SHA256
30ab3f9e4757ee6d681d3899d9b6b9343a77b7ba6d7c588540903eacaa45fbaf

SHA512
69bc48ca3c552f59e8d5c479539aed0fbe09d29917c993987199399511b4c69d6496a3662f3c8ef79ccbb323a4d17ea4f659b56482724d56962346e3aac6cb28

Download Submit
C:\Users\Admin\AppData\Local\Temp\ukMK.exe

Filesize
183KB

MD5
bfbfb930a8fa623e2e6123be80c9fbbd

SHA1
71def92b3948c311a657c50108ae828189ce15cd

SHA256
bc7907cd96bc70455c21eaf9bff110886461cfaec5c1ae6db9985f68503fb3b9

SHA512
750db8fb1566577fcefdb5be341abf1b19040a1a57d6e3e809cec756713b94b3382a43535a58d597e5cbc2783968726cc62f74906f2a2f10bda1b929ee09421a

Download Submit
C:\Users\Admin\AppData\Local\Temp\usAC.exe

Filesize
223KB

MD5
563c2de45218c26d78a2875d7d15b94e

SHA1
0666d4d29667f64e36fb41357091b6093aece0d1

SHA256
00226ee4c2ab37ba1f22dbb2f4cb2f9b8379e183eea740d85f04ef94df01c678

SHA512
31b8bc21274233b873dbb02fa22c7c1fe1983ad45a4855b6805a0b3e85b43769d89eb375fef7619ff507e0d6df5ed1cf9807c4f6a8dbbbc426442e9ff7e9cebe

Download Submit
C:\Users\Admin\AppData\Local\Temp\wQsi.exe

Filesize
558KB

MD5
7fd2acca53cd75d48dd931da950d6179

SHA1
8b6401884adc63bf6f8fd3437f9a90bc6de1cdd7

SHA256
d8f88f6be1bdcf4ab69867279bc3bc7f453d65a52b1f0e666dca1255ad90c674

SHA512
87fd4aba4fa49ed9e27c0c7fa3a5f3ce2d6db9a8516b63fc789105cd86d0638479624442a2ed63cf4f09e115683c0a751332b9f2314d3c28348d55b4eef0140b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wwAy.exe

Filesize
190KB

MD5
8afd04a8dd7d880879e67a4310a8a93b

SHA1
d97fb5c5b5ed9322a4c709708fc64895fe19f39c

SHA256
c7f754a1cf017ea892890a47afbf8f07b295de5b29caa08024a84118d219c1f7

SHA512
34bed262c78dc4e93ccddcfbce8c38e9422e5a5b07826ee22bae32150f5b86c122feaac0e9758aef22886fd0190ed77043478867b66171f0de84af65411f8a3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\yIoW.exe

Filesize
189KB

MD5
f90649f7aed175c7a7abd597a45874cf

SHA1
8a97b786f004092b88dc047a0f9b14f4b6f67a72

SHA256
39d06c12590d7257b0318515f1dd40fbc6959f9e1c935a82061099fe1e0e2fab

SHA512
ffe4bcad31c3435572ac7c0cd964d18e27dba78ea234dba37d4ce2f34f8f4112afd204f4751ab4035d459df5b91c4aa61eb1a2a097ceff7501b439ce7f71950c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ygQC.exe

Filesize
225KB

MD5
d63b733b2b09b6b2a687967187067a3f

SHA1
2b098127c2c828c8caa8d20184831ce9d46e07b5

SHA256
87da43063ed5f759e04ff5a2b034df60d3f7a642f3b76bc8fccc9ba8711042a4

SHA512
80c3da41151d3552cd36b66036417631f2b016efaf48ce3fa68e1a3c3287026c85ac404bc74b2c8b5aa7bd2370b4617b797c86e269ee6f491ef530842e98fa52

Download Submit
C:\Users\Admin\Music\ExitJoin.doc.exe

Filesize
512KB

MD5
5ddf25909beac1be1bfab2aba8a4b840

SHA1
b3a9b6f690e81b64453d2e5aa7475a8ac196d118

SHA256
f79d882217ccb08363e633a0cbdd7927435f846f55a7055acb21cf6b087eb654

SHA512
c78dfa80ac8e071839904facc2af5411c31590fbd96e83e309cac65791bc6d015b0db267dc8b4d75df81da4a2035840413cb1ca067077cdd03ae1737d0ce9fe6

Download Submit
C:\Users\Admin\gWYwYEAU\iYsEMcUM.exe

Filesize
193KB

MD5
d844ed0b8b7269f4b744e646f80ab74a

SHA1
4a3c23da3eedb0dedc18735ea9ca98d5b8877b49

SHA256
e4f07fd41c9ec8c47b0c8192f6017c80ee3bfa7ec3bf8c8a098992faca002861

SHA512
d90417ac3e433b39b3aca50fad78ea5d84633b7e85729be6155cfd542a4eca36576cea089fb53d733de3faf768bf85b38e906ab4140185a091319b80bbff8437

Download Submit
memory/220-289-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/428-509-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/428-516-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/440-888-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/440-923-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/464-342-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/552-700-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/800-446-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/800-436-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/808-90-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/860-182-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/860-400-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/940-242-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/952-392-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1068-324-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1280-559-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1348-171-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1360-569-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1360-558-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1408-79-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1416-884-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1416-820-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1448-271-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1448-259-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1484-193-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1604-263-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1660-281-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1684-66-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1736-534-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1984-632-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2052-114-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2108-585-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2152-55-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2240-101-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2384-15-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2420-733-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2456-497-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2456-658-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2468-290-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2468-298-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2544-136-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2660-358-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2684-350-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2724-410-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2788-624-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2788-614-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2788-769-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2916-604-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2980-708-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3032-577-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3044-674-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3128-435-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3276-5-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3428-473-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3428-463-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3464-596-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3464-586-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3556-550-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3660-481-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3660-125-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3672-307-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3744-427-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3744-415-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3744-316-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3772-419-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3876-682-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4012-376-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4020-489-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4124-507-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4244-640-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4276-254-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4276-243-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4360-454-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4404-666-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4516-384-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4528-613-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4528-605-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4588-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4588-19-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4796-160-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4800-366-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4804-524-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4812-218-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4812-332-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4812-542-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4868-692-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4876-819-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4972-147-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5004-20-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5004-33-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5012-462-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5024-44-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5052-229-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5064-648-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5076-194-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5076-207-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download