764042b36c584f75bbf43a5e4a8a22013cf3b7c6bf571056cfc648f99514d8b9

Analysis

max time kernel
150s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
15/09/2024, 06:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
Size

262KB
MD5

06f86b3751be57a687683a0ef218e1d6
SHA1

e681eb1e555aaca0b855038aea0acbb321dac0e2
SHA256

764042b36c584f75bbf43a5e4a8a22013cf3b7c6bf571056cfc648f99514d8b9
SHA512

dfd640bf3ca90ed4d5d40c2ee747b7bdd003547c633a10bfa88f17bc32e90a3251f4987d6cb12e29d1704e908bb002467e96e73d8eae8c32a9737657aef2de42
SSDEEP

6144:HnGJvGd5dNTrDJvRhz13mBQvqt8fzvkOpqcGQ4SFbq75eLoe42F:HcydNTrDBz13Lqt2vkOpkBmq7EoJ2F

Score

10^/10

discovery evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (84) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	kckIwMYg.exe

Executes dropped EXE 2 IoCs

pid	Process
5112	kckIwMYg.exe
4240	NeIwQgko.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kckIwMYg.exe = "C:\\Users\\Admin\\UGYYsEII\\kckIwMYg.exe"	2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NeIwQgko.exe = "C:\\ProgramData\\bUwEcEAU\\NeIwQgko.exe"	2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kckIwMYg.exe = "C:\\Users\\Admin\\UGYYsEII\\kckIwMYg.exe"	kckIwMYg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NeIwQgko.exe = "C:\\ProgramData\\bUwEcEAU\\NeIwQgko.exe"	NeIwQgko.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
4592	reg.exe
3120	reg.exe
2948	reg.exe
3544	Process not Found
4112	reg.exe
2428	reg.exe
4480	Process not Found
3052	reg.exe
744	reg.exe
3656	reg.exe
2544	Process not Found
1300	Process not Found
220	reg.exe
1140	reg.exe
2144	reg.exe
2104	reg.exe
4628	reg.exe
2132	reg.exe
3660	reg.exe
3296	reg.exe
2268	reg.exe
4104	reg.exe
3292	reg.exe
1140	reg.exe
1908	reg.exe
1180	reg.exe
3656	Process not Found
928	reg.exe
5024	Process not Found
1648	reg.exe
4288	reg.exe
2492	reg.exe
2588	reg.exe
4364	reg.exe
456	reg.exe
1040	reg.exe
4520	reg.exe
1328	reg.exe
1164	reg.exe
2784	reg.exe
4484	reg.exe
3796	reg.exe
388	reg.exe
708	reg.exe
1108	reg.exe
2760	reg.exe
624	Process not Found
3156	reg.exe
3688	reg.exe
1112	reg.exe
1584	reg.exe
4752	reg.exe
3608	Process not Found
1432	reg.exe
320	reg.exe
2088	reg.exe
4524	reg.exe
880	reg.exe
2516	reg.exe
3128	reg.exe
4428	reg.exe
1648	reg.exe
4712	reg.exe
2524	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4488	2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
4488	2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
4488	2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
4488	2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
244	2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
244	2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
244	2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
244	2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
4404	2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
4404	2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
4404	2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
4404	2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
4428	2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
4428	2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
4428	2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
4428	2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
2084	2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
2084	2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
2084	2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
2084	2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
3932	2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
3932	2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
3932	2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
3932	2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
4768	2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
4768	2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
4768	2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
4768	2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
1040	2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
1040	2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
1040	2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
1040	2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
1496	2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
1496	2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
1496	2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
1496	2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
3148	2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
3148	2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
3148	2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
3148	2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
1240	2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
1240	2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
1240	2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
1240	2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
1512	2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
1512	2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
1512	2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
1512	2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
2724	2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
2724	2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
2724	2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
2724	2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
1604	2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
1604	2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
1604	2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
1604	2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
1628	2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
1628	2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
1628	2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
1628	2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
1640	2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
1640	2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
1640	2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
1640	2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5112	kckIwMYg.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
5112	kckIwMYg.exe
5112	kckIwMYg.exe
5112	kckIwMYg.exe
5112	kckIwMYg.exe
5112	kckIwMYg.exe
5112	kckIwMYg.exe
5112	kckIwMYg.exe
5112	kckIwMYg.exe
5112	kckIwMYg.exe
5112	kckIwMYg.exe
5112	kckIwMYg.exe
5112	kckIwMYg.exe
5112	kckIwMYg.exe
5112	kckIwMYg.exe
5112	kckIwMYg.exe
5112	kckIwMYg.exe
5112	kckIwMYg.exe
5112	kckIwMYg.exe
5112	kckIwMYg.exe
5112	kckIwMYg.exe
5112	kckIwMYg.exe
5112	kckIwMYg.exe
5112	kckIwMYg.exe
5112	kckIwMYg.exe
5112	kckIwMYg.exe
5112	kckIwMYg.exe
5112	kckIwMYg.exe
5112	kckIwMYg.exe
5112	kckIwMYg.exe
5112	kckIwMYg.exe
5112	kckIwMYg.exe
5112	kckIwMYg.exe
5112	kckIwMYg.exe
5112	kckIwMYg.exe
5112	kckIwMYg.exe
5112	kckIwMYg.exe
5112	kckIwMYg.exe
5112	kckIwMYg.exe
5112	kckIwMYg.exe
5112	kckIwMYg.exe
5112	kckIwMYg.exe
5112	kckIwMYg.exe
5112	kckIwMYg.exe
5112	kckIwMYg.exe
5112	kckIwMYg.exe
5112	kckIwMYg.exe
5112	kckIwMYg.exe
5112	kckIwMYg.exe
5112	kckIwMYg.exe
5112	kckIwMYg.exe
5112	kckIwMYg.exe
5112	kckIwMYg.exe
5112	kckIwMYg.exe
5112	kckIwMYg.exe
5112	kckIwMYg.exe
5112	kckIwMYg.exe
5112	kckIwMYg.exe
5112	kckIwMYg.exe
5112	kckIwMYg.exe
5112	kckIwMYg.exe
5112	kckIwMYg.exe
5112	kckIwMYg.exe
5112	kckIwMYg.exe
5112	kckIwMYg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4488 wrote to memory of 5112	4488	2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe	86
PID 4488 wrote to memory of 5112	4488	2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe	86
PID 4488 wrote to memory of 5112	4488	2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe	86
PID 4488 wrote to memory of 4240	4488	2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe	87
PID 4488 wrote to memory of 4240	4488	2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe	87
PID 4488 wrote to memory of 4240	4488	2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe	87
PID 4488 wrote to memory of 2688	4488	2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe	88
PID 4488 wrote to memory of 2688	4488	2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe	88
PID 4488 wrote to memory of 2688	4488	2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe	88
PID 4488 wrote to memory of 1908	4488	2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe	90
PID 4488 wrote to memory of 1908	4488	2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe	90
PID 4488 wrote to memory of 1908	4488	2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe	90
PID 4488 wrote to memory of 928	4488	2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe	91
PID 4488 wrote to memory of 928	4488	2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe	91
PID 4488 wrote to memory of 928	4488	2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe	91
PID 4488 wrote to memory of 2912	4488	2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe	92
PID 4488 wrote to memory of 2912	4488	2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe	92
PID 4488 wrote to memory of 2912	4488	2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe	92
PID 4488 wrote to memory of 3028	4488	2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe	93
PID 4488 wrote to memory of 3028	4488	2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe	93
PID 4488 wrote to memory of 3028	4488	2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe	93
PID 2688 wrote to memory of 244	2688	cmd.exe	98
PID 2688 wrote to memory of 244	2688	cmd.exe	98
PID 2688 wrote to memory of 244	2688	cmd.exe	98
PID 3028 wrote to memory of 916	3028	cmd.exe	99
PID 3028 wrote to memory of 916	3028	cmd.exe	99
PID 3028 wrote to memory of 916	3028	cmd.exe	99
PID 244 wrote to memory of 2352	244	2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe	100
PID 244 wrote to memory of 2352	244	2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe	100
PID 244 wrote to memory of 2352	244	2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe	100
PID 2352 wrote to memory of 4404	2352	cmd.exe	102
PID 2352 wrote to memory of 4404	2352	cmd.exe	102
PID 2352 wrote to memory of 4404	2352	cmd.exe	102
PID 244 wrote to memory of 1040	244	2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe	103
PID 244 wrote to memory of 1040	244	2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe	103
PID 244 wrote to memory of 1040	244	2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe	103
PID 244 wrote to memory of 5064	244	2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe	104
PID 244 wrote to memory of 5064	244	2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe	104
PID 244 wrote to memory of 5064	244	2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe	104
PID 244 wrote to memory of 3076	244	2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe	105
PID 244 wrote to memory of 3076	244	2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe	105
PID 244 wrote to memory of 3076	244	2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe	105
PID 244 wrote to memory of 4692	244	2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe	106
PID 244 wrote to memory of 4692	244	2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe	106
PID 244 wrote to memory of 4692	244	2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe	106
PID 4692 wrote to memory of 804	4692	cmd.exe	111
PID 4692 wrote to memory of 804	4692	cmd.exe	111
PID 4692 wrote to memory of 804	4692	cmd.exe	111
PID 4404 wrote to memory of 3012	4404	2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe	112
PID 4404 wrote to memory of 3012	4404	2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe	112
PID 4404 wrote to memory of 3012	4404	2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe	112
PID 3012 wrote to memory of 4428	3012	cmd.exe	114
PID 3012 wrote to memory of 4428	3012	cmd.exe	114
PID 3012 wrote to memory of 4428	3012	cmd.exe	114
PID 4404 wrote to memory of 2104	4404	2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe	115
PID 4404 wrote to memory of 2104	4404	2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe	115
PID 4404 wrote to memory of 2104	4404	2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe	115
PID 4404 wrote to memory of 2488	4404	2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe	116
PID 4404 wrote to memory of 2488	4404	2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe	116
PID 4404 wrote to memory of 2488	4404	2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe	116
PID 4404 wrote to memory of 4596	4404	2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe	117
PID 4404 wrote to memory of 4596	4404	2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe	117
PID 4404 wrote to memory of 4596	4404	2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe	117
PID 4404 wrote to memory of 1656	4404	2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe	118

C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4488
- C:\Users\Admin\UGYYsEII\kckIwMYg.exe
  "C:\Users\Admin\UGYYsEII\kckIwMYg.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:5112
- C:\ProgramData\bUwEcEAU\NeIwQgko.exe
  "C:\ProgramData\bUwEcEAU\NeIwQgko.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4240
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2688
- - C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
    C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:244
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2352
    - - C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4404
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3012
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock"
        8⤵
        
        PID:4420
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock
        9⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock"
        10⤵
        
        PID:3128
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock"
        12⤵
        
        PID:3852
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock"
        14⤵
        
        PID:4236
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock"
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:3256
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock"
        18⤵
        
        PID:4148
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock"
        20⤵
        
        PID:4420
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock"
        22⤵
        
        PID:1700
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock"
        24⤵
        
        PID:5064
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock"
        26⤵
        
        PID:1648
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock"
        28⤵
        
        PID:624
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock"
        30⤵
        
        PID:4924
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock"
        32⤵
        
        PID:4612
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock
        33⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock"
        34⤵
        
        PID:4524
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock
        35⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock"
        36⤵
        
        PID:4260
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock
        37⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock"
        38⤵
        
        PID:1952
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock
        39⤵
        
        PID:100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock"
        40⤵
        
        PID:5080
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock
        41⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock"
        42⤵
        System Location Discovery: System Language Discovery
        
        PID:2672
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock
        43⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock"
        44⤵
        
        PID:3724
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock
        45⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock"
        46⤵
        
        PID:208
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock
        47⤵
        
        PID:752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock"
        48⤵
        
        PID:4568
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock
        49⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock"
        50⤵
        
        PID:2384
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock
        51⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock"
        52⤵
        
        PID:1336
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock
        53⤵
        
        PID:212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock"
        54⤵
        
        PID:5036
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock
        55⤵
        
        PID:1016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock"
        56⤵
        
        PID:3112
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock
        57⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock"
        58⤵
        
        PID:2184
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock
        59⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock"
        60⤵
        
        PID:1224
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock
        61⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock"
        62⤵
        
        PID:3664
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock
        63⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock"
        64⤵
        
        PID:548
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock
        65⤵
        
        PID:624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock"
        66⤵
        
        PID:3000
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock
        67⤵
        System Location Discovery: System Language Discovery
        
        PID:3848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock"
        68⤵
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock
        69⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock"
        70⤵
        
        PID:220
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock
        71⤵
        
        PID:3600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock"
        72⤵
        
        PID:3148
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock
        73⤵
        
        PID:4104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock"
        74⤵
        
        PID:4340
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock
        75⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock"
        76⤵
        
        PID:2236
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock
        77⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock"
        78⤵
        
        PID:3780
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock
        79⤵
        
        PID:716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock"
        80⤵
        
        PID:4488
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock
        81⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock"
        82⤵
        
        PID:1388
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock
        83⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock"
        84⤵
        
        PID:1848
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock
        85⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock"
        86⤵
        
        PID:5024
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock
        87⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock"
        88⤵
        
        PID:4352
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock
        89⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock"
        90⤵
        
        PID:1432
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock
        91⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock"
        92⤵
        
        PID:1952
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock
        93⤵
        System Location Discovery: System Language Discovery
        
        PID:844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock"
        94⤵
        System Location Discovery: System Language Discovery
        
        PID:2948
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock
        95⤵
        
        PID:760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock"
        96⤵
        
        PID:2384
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock
        97⤵
        System Location Discovery: System Language Discovery
        
        PID:624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock"
        98⤵
        
        PID:1428
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock
        99⤵
        
        PID:4492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock"
        100⤵
        
        PID:3256
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock
        101⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock"
        102⤵
        
        PID:1388
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock
        103⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock"
        104⤵
        
        PID:2464
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock
        105⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock"
        106⤵
        
        PID:3240
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock
        107⤵
        
        PID:3128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock"
        108⤵
        
        PID:1084
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock
        109⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock"
        110⤵
        
        PID:4212
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock
        111⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock"
        112⤵
        
        PID:1488
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock
        113⤵
        
        PID:3656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock"
        114⤵
        
        PID:224
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock
        115⤵
        
        PID:264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock"
        116⤵
        
        PID:720
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock
        117⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock"
        118⤵
        
        PID:3052
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock
        119⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock"
        120⤵
        
        PID:4508
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock
        121⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock"
        122⤵
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock
        123⤵
        
        PID:3852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock"
        124⤵
        
        PID:3528
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock
        125⤵
        
        PID:1244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock"
        126⤵
        
        PID:1952
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock
        127⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock"
        128⤵
        
        PID:3292
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock
        129⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock"
        130⤵
        
        PID:548
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock
        131⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock"
        132⤵
        
        PID:5028
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock
        133⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock"
        134⤵
        
        PID:1484
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock
        135⤵
        
        PID:224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock"
        136⤵
        
        PID:3000
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock
        137⤵
        
        PID:1124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock"
        138⤵
        
        PID:4676
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock
        139⤵
        
        PID:1000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock"
        140⤵
        
        PID:3012
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock
        141⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock"
        142⤵
        
        PID:5064
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock
        143⤵
        System Location Discovery: System Language Discovery
        
        PID:1120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock"
        144⤵
        
        PID:1672
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock
        145⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock"
        146⤵
        
        PID:2868
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock
        147⤵
        System Location Discovery: System Language Discovery
        
        PID:2360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock"
        148⤵
        
        PID:428
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock
        149⤵
        
        PID:3980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock"
        150⤵
        
        PID:5044
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock
        151⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock"
        152⤵
        System Location Discovery: System Language Discovery
        
        PID:3656
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock
        153⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock"
        154⤵
        
        PID:320
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock
        155⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock"
        156⤵
        
        PID:3780
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock
        157⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock"
        158⤵
        
        PID:3504
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock
        159⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock"
        160⤵
        
        PID:3052
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock
        161⤵
        
        PID:548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock"
        162⤵
        
        PID:1388
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock
        163⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock"
        164⤵
        
        PID:3112
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock
        165⤵
        System Location Discovery: System Language Discovery
        
        PID:4568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock"
        166⤵
        
        PID:2524
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        167⤵
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock
        167⤵
        
        PID:712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock"
        168⤵
        
        PID:2868
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock
        169⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock"
        170⤵
        
        PID:548
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock
        171⤵
        
        PID:960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock"
        172⤵
        
        PID:2508
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock
        173⤵
        
        PID:1060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock"
        174⤵
        
        PID:1072
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        175⤵
        
        PID:3112
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock
        175⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock"
        176⤵
        
        PID:2544
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock
        177⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock"
        178⤵
        
        PID:4460
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock
        179⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock"
        180⤵
        
        PID:2360
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock
        181⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock"
        182⤵
        
        PID:2352
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock
        183⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock"
        184⤵
        
        PID:2216
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock
        185⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock"
        186⤵
        
        PID:844
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        187⤵
        
        PID:2420
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock
        187⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock"
        188⤵
        
        PID:3132
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock
        189⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock"
        190⤵
        
        PID:4668
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock
        191⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock"
        192⤵
        
        PID:2484
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock
        193⤵
        
        PID:4676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock"
        194⤵
        
        PID:3076
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        195⤵
        
        PID:2948
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock
        195⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock"
        196⤵
        
        PID:1124
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        197⤵
        
        PID:2216
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock
        197⤵
        
        PID:3888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock"
        198⤵
        
        PID:4308
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock
        199⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock"
        200⤵
        
        PID:4364
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock
        201⤵
        
        PID:1224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock"
        202⤵
        
        PID:4132
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock
        203⤵
        
        PID:220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock"
        204⤵
        
        PID:3504
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        205⤵
        
        PID:2136
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock
        205⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock"
        206⤵
        System Location Discovery: System Language Discovery
        
        PID:3292
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock
        207⤵
        
        PID:3888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock"
        208⤵
        
        PID:2392
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock
        209⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock"
        210⤵
        
        PID:4568
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock
        211⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock"
        212⤵
        
        PID:2804
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock
        213⤵
        
        PID:4108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock"
        214⤵
        
        PID:4732
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock
        215⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock"
        216⤵
        
        PID:4388
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock
        217⤵
        
        PID:512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock"
        218⤵
        
        PID:4448
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        219⤵
        
        PID:4132
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock
        219⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock"
        220⤵
        
        PID:3052
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        221⤵
        
        PID:2436
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock
        221⤵
        
        PID:4100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock"
        222⤵
        
        PID:708
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock
        223⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock"
        224⤵
        
        PID:4404
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        225⤵
        
        PID:3148
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock
        225⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock"
        226⤵
        
        PID:3180
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock
        227⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock"
        228⤵
        System Location Discovery: System Language Discovery
        
        PID:904
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock
        229⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock"
        230⤵
        
        PID:4276
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        231⤵
        
        PID:2672
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock
        231⤵
        
        PID:8
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock"
        232⤵
        
        PID:1628
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock
        233⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock"
        234⤵
        
        PID:1388
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock
        235⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock"
        236⤵
        
        PID:4340
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock
        237⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock"
        238⤵
        
        PID:4712
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock
        239⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock"
        240⤵
        
        PID:3148
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        241⤵
        
        PID:3292
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock
        241⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock"
        242⤵
        
        PID:2232
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock
        243⤵
        System Location Discovery: System Language Discovery
        
        PID:2944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock"
        244⤵
        System Location Discovery: System Language Discovery
        
        PID:5032
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        245⤵
        
        PID:5080
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock
        245⤵
        
        PID:4104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock"
        246⤵
        
        PID:3288
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock
        247⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock"
        248⤵
        
        PID:4788
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock
        249⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock"
        250⤵
        
        PID:3608
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock
        251⤵
        
        PID:4324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock"
        252⤵
        
        PID:4276
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock
        253⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock"
        254⤵
        
        PID:3052
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        255⤵
        
        PID:4128
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock
        255⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock"
        256⤵
        
        PID:3256
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        257⤵
        
        PID:3288
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock
        257⤵
        
        PID:4132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock"
        258⤵
        
        PID:1584
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock
        259⤵
        
        PID:3324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock"
        260⤵
        
        PID:2804
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock
        261⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock"
        262⤵
        
        PID:4592
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        263⤵
        
        PID:4460
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock
        263⤵
        System Location Discovery: System Language Discovery
        
        PID:2184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock"
        264⤵
        
        PID:828
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        265⤵
        
        PID:2188
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock
        265⤵
        
        PID:1300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock"
        266⤵
        
        PID:2436
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock
        267⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock"
        268⤵
        
        PID:2456
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock
        269⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock"
        270⤵
        System Location Discovery: System Language Discovery
        
        PID:1464
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock
        271⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock"
        272⤵
        
        PID:3108
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock
        273⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock"
        274⤵
        
        PID:1848
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        275⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        274⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        274⤵
        
        PID:208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        272⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4692
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        273⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        272⤵
        
        PID:4492
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        273⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        272⤵
        UAC bypass
        
        PID:2344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iAMAkUYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe""
        272⤵
        
        PID:4192
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        273⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        270⤵
        
        PID:4136
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        271⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        270⤵
        System Location Discovery: System Language Discovery
        
        PID:720
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        271⤵
        
        PID:3796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        270⤵
        
        PID:4388
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        271⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DUcwYYEA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe""
        270⤵
        
        PID:3512
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        271⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        271⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        268⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        268⤵
        
        PID:2816
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        269⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        268⤵
        UAC bypass
        
        PID:1076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FiIQkEAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe""
        268⤵
        
        PID:4528
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        269⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        269⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        266⤵
        Modifies registry key
        
        PID:3660
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        267⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        266⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        266⤵
        UAC bypass
        
        PID:1936
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        267⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZqUcIMwc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe""
        266⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        267⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        264⤵
        
        PID:2088
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        265⤵
        
        PID:3696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        264⤵
        Modifies registry key
        
        PID:3292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        264⤵
        UAC bypass
        
        PID:4492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZssEosoY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe""
        264⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        265⤵
        System Location Discovery: System Language Discovery
        
        PID:712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        262⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        262⤵
        Modifies registry key
        
        PID:3796
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        263⤵
        
        PID:4676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        262⤵
        
        PID:4752
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        263⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qikIQosk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe""
        262⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        263⤵
        
        PID:4212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        260⤵
        Modifies registry key
        
        PID:4104
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        261⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        260⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        260⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WIcQIoMo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe""
        260⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        261⤵
        
        PID:3776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        258⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        258⤵
        Modifies registry key
        
        PID:4520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        258⤵
        
        PID:3840
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        259⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SsokMYsc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe""
        258⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        259⤵
        
        PID:4108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        256⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        256⤵
        
        PID:4252
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        257⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        256⤵
        
        PID:1436
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        257⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yKgQsEYI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe""
        256⤵
        System Location Discovery: System Language Discovery
        
        PID:4980
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        257⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        254⤵
        
        PID:3852
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        255⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        254⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        254⤵
        
        PID:2284
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        255⤵
        
        PID:708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pcoEYYsE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe""
        254⤵
        
        PID:3272
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        255⤵
        
        PID:4800
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        255⤵
        System Location Discovery: System Language Discovery
        
        PID:960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        252⤵
        Modifies visibility of file extensions in Explorer
        
        PID:428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        252⤵
        
        PID:628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        252⤵
        UAC bypass
        
        PID:1428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BOYkwMIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe""
        252⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        253⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        250⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        250⤵
        
        PID:456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        250⤵
        
        PID:3840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\juwYIgUQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe""
        250⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        251⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        248⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        248⤵
        
        PID:1112
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        249⤵
        
        PID:4732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        248⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AmYcUMQs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe""
        248⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        249⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        246⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1432
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        247⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        246⤵
        
        PID:1240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        246⤵
        UAC bypass
        
        PID:4712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uCwgUQkA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe""
        246⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        247⤵
        
        PID:3512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        244⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        244⤵
        
        PID:4340
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        245⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        244⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iUksUcQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe""
        244⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        245⤵
        
        PID:4528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        242⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        242⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        242⤵
        
        PID:216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SwcEcgEA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe""
        242⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        243⤵
        
        PID:3840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        240⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        240⤵
        
        PID:2144
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        241⤵
        
        PID:4136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        240⤵
        UAC bypass
        
        PID:4592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bkgogkYQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe""
        240⤵
        
        PID:4676
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        241⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        238⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        238⤵
        
        PID:3120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        238⤵
        UAC bypass
        
        PID:2580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pYoMQsUE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe""
        238⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        239⤵
        
        PID:3696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        236⤵
        Modifies registry key
        
        PID:3656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        236⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        236⤵
        UAC bypass
        
        PID:4508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DEAEcQYI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe""
        236⤵
        
        PID:4188
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        237⤵
        
        PID:464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        234⤵
        Modifies registry key
        
        PID:2268
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        235⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        234⤵
        
        PID:3240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        234⤵
        UAC bypass
        
        PID:3292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tgYwYEgU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe""
        234⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        235⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        232⤵
        
        PID:4100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        232⤵
        System Location Discovery: System Language Discovery
        
        PID:2136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        232⤵
        UAC bypass
        
        PID:2484
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        233⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UYkEAMwc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe""
        232⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        233⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        230⤵
        
        PID:4676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        230⤵
        
        PID:264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        230⤵
        UAC bypass
        Modifies registry key
        
        PID:1112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\meUIUQkU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe""
        230⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        231⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        228⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        228⤵
        Modifies registry key
        
        PID:1040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        228⤵
        UAC bypass
        
        PID:2588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eGMUYkYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe""
        228⤵
        
        PID:3696
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        229⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        226⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        226⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        226⤵
        Modifies registry key
        
        PID:2428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vwsAEUAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe""
        226⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        227⤵
        
        PID:908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        224⤵
        
        PID:4848
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        225⤵
        
        PID:3888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        224⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        224⤵
        
        PID:4692
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        225⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XogQMsYc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe""
        224⤵
        
        PID:2672
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        225⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        225⤵
        
        PID:320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        222⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        222⤵
        
        PID:4488
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        223⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        222⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xoAgUIAo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe""
        222⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        223⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        220⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        220⤵
        
        PID:4800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        220⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XwkgsYIg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe""
        220⤵
        System Location Discovery: System Language Discovery
        
        PID:3936
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        221⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        218⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        218⤵
        
        PID:1404
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        219⤵
        
        PID:4108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        218⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vokAgooQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe""
        218⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        219⤵
        
        PID:4788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        216⤵
        Modifies visibility of file extensions in Explorer
        
        PID:828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        216⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        216⤵
        UAC bypass
        
        PID:1952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ayIIEoAM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe""
        216⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        217⤵
        System Location Discovery: System Language Discovery
        
        PID:4712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        214⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:2088
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        215⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        214⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        214⤵
        UAC bypass
        
        PID:3156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Aqgosgcw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe""
        214⤵
        
        PID:1336
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        215⤵
        
        PID:220
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        215⤵
        
        PID:1124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        212⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        212⤵
        Modifies registry key
        
        PID:2948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        212⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QOYIEQcE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe""
        212⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        213⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        210⤵
        
        PID:880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        210⤵
        Modifies registry key
        
        PID:1108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        210⤵
        UAC bypass
        
        PID:1164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rSEQQYAo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe""
        210⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        211⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        208⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        208⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        208⤵
        UAC bypass
        
        PID:4676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\laooMccI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe""
        208⤵
        
        PID:4136
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        209⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        206⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        206⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        206⤵
        
        PID:3488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JyowYAkA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe""
        206⤵
        System Location Discovery: System Language Discovery
        
        PID:4404
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        207⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        204⤵
        Modifies registry key
        
        PID:880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        204⤵
        System Location Discovery: System Language Discovery
        
        PID:2216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        204⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UUUokUUA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe""
        204⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        205⤵
        
        PID:3148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        202⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        202⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        202⤵
        UAC bypass
        
        PID:1908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\skskcsMA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe""
        202⤵
        
        PID:2588
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        203⤵
        
        PID:844
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        203⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        200⤵
        
        PID:3716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        200⤵
        
        PID:4252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        200⤵
        
        PID:2004
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        201⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wQogcUAU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe""
        200⤵
        
        PID:4188
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        201⤵
        
        PID:4528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        198⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        198⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        198⤵
        Modifies registry key
        
        PID:3688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kmMUIAMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe""
        198⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        199⤵
        
        PID:320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        196⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        196⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        196⤵
        
        PID:4804
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        197⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XeMcwswo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe""
        196⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        197⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        194⤵
        Modifies registry key
        
        PID:4524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        194⤵
        
        PID:3180
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        195⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        194⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NqwwwQQY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe""
        194⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        195⤵
        
        PID:3716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        192⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        192⤵
        
        PID:4692
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        193⤵
        
        PID:216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        192⤵
        UAC bypass
        
        PID:2136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zWEkkEgA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe""
        192⤵
        
        PID:916
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        193⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        190⤵
        System Location Discovery: System Language Discovery
        
        PID:2580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        190⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        190⤵
        System Location Discovery: System Language Discovery
        
        PID:3124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XWgcYwUs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe""
        190⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        191⤵
        
        PID:4132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        188⤵
        
        PID:3156
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        189⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        188⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        188⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uEMAEEQM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe""
        188⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        189⤵
        
        PID:960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        186⤵
        
        PID:3240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        186⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        186⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qycYcUcs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe""
        186⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        187⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        184⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        184⤵
        System Location Discovery: System Language Discovery
        
        PID:2784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        184⤵
        
        PID:1060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qykgoAQA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe""
        184⤵
        
        PID:1056
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        185⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        185⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        182⤵
        Modifies registry key
        
        PID:3156
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        183⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        182⤵
        
        PID:216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        182⤵
        Modifies registry key
        
        PID:4288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HUsoEkIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe""
        182⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        183⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        180⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        180⤵
        
        PID:3272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        180⤵
        UAC bypass
        
        PID:1040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DkkkAMkU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe""
        180⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        181⤵
        System Location Discovery: System Language Discovery
        
        PID:3604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        178⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        178⤵
        Modifies registry key
        
        PID:456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        178⤵
        UAC bypass
        
        PID:4564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lsIgIokM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe""
        178⤵
        
        PID:428
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        179⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        176⤵
        System Location Discovery: System Language Discovery
        
        PID:1496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        176⤵
        System Location Discovery: System Language Discovery
        
        PID:3840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        176⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DkUEgEkw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe""
        176⤵
        
        PID:1336
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        177⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        177⤵
        
        PID:4808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        174⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        174⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        174⤵
        UAC bypass
        
        PID:3688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uukIAgoM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe""
        174⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        175⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        172⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        172⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        172⤵
        UAC bypass
        
        PID:1244
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        173⤵
        
        PID:1388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WagcEMgg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe""
        172⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        173⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        170⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        170⤵
        
        PID:904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        170⤵
        Modifies registry key
        
        PID:3052
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        171⤵
        
        PID:4192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mQUoIsYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe""
        170⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        171⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        168⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        168⤵
        Modifies registry key
        
        PID:2088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        168⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ASwoYoAE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe""
        168⤵
        
        PID:3504
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        169⤵
        
        PID:3656
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        169⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        166⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3780
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        167⤵
        
        PID:512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        166⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        166⤵
        Modifies registry key
        
        PID:1140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PgkUEYcs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe""
        166⤵
        
        PID:2620
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        167⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        167⤵
        
        PID:4188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        164⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        164⤵
        
        PID:1060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        164⤵
        System Location Discovery: System Language Discovery
        
        PID:1464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fKYsIUgM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe""
        164⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        165⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        162⤵
        Modifies visibility of file extensions in Explorer
        
        PID:428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        162⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        162⤵
        
        PID:4192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fosEUIEs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe""
        162⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        163⤵
        
        PID:3888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        160⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        160⤵
        
        PID:3656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        160⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bSkUQUkA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe""
        160⤵
        System Location Discovery: System Language Discovery
        
        PID:2132
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        161⤵
        
        PID:4228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        158⤵
        System Location Discovery: System Language Discovery
        
        PID:2580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        158⤵
        
        PID:512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        158⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ASEQQQoU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe""
        158⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        159⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        156⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        156⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        156⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:2044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mKEoMMgo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe""
        156⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        157⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        154⤵
        
        PID:844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        154⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        154⤵
        UAC bypass
        
        PID:3124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kAEIgwkI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe""
        154⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        155⤵
        
        PID:916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        152⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        152⤵
        Modifies registry key
        
        PID:4484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        152⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QsgAwggE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe""
        152⤵
        
        PID:436
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        153⤵
        
        PID:3240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        150⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        150⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        150⤵
        UAC bypass
        
        PID:2848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nUoUQEgc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe""
        150⤵
        
        PID:904
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        151⤵
        
        PID:1112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        148⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        148⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        148⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\baEowEIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe""
        148⤵
        
        PID:3544
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        149⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        146⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        146⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        146⤵
        UAC bypass
        Modifies registry key
        
        PID:4752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tIkkcsog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe""
        146⤵
        
        PID:1428
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        147⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        144⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        144⤵
        
        PID:3716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        144⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BYkwUsQI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe""
        144⤵
        
        PID:3724
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        145⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        142⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        142⤵
        Modifies registry key
        
        PID:4628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        142⤵
        UAC bypass
        
        PID:4596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cAsYsAIc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe""
        142⤵
        
        PID:116
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        143⤵
        System Location Discovery: System Language Discovery
        
        PID:1756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        140⤵
        
        PID:3440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        140⤵
        
        PID:3780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        140⤵
        
        PID:220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AaEwcEQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe""
        140⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        141⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        138⤵
        
        PID:4252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        138⤵
        
        PID:828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        138⤵
        
        PID:4292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QWYAwgIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe""
        138⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        139⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        136⤵
        Modifies visibility of file extensions in Explorer
        
        PID:904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        136⤵
        Modifies registry key
        
        PID:2104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        136⤵
        UAC bypass
        
        PID:4976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nCgUMAQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe""
        136⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        137⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        134⤵
        Modifies registry key
        
        PID:1180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        134⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        134⤵
        
        PID:116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jWkMgsoE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe""
        134⤵
        
        PID:4164
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        135⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        132⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        132⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        132⤵
        UAC bypass
        
        PID:1008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zWksIooQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe""
        132⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        133⤵
        
        PID:3240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        Modifies registry key
        
        PID:2784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:1552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PqMkAUMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe""
        130⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        131⤵
        
        PID:1428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yKYAIQIk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe""
        128⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        129⤵
        
        PID:4228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        Modifies visibility of file extensions in Explorer
        
        PID:708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        
        PID:1300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        UAC bypass
        
        PID:4780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OKUYEMkQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe""
        126⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        Modifies registry key
        
        PID:1908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QUkoAoMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe""
        124⤵
        System Location Discovery: System Language Discovery
        
        PID:1512
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:4788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        Modifies registry key
        
        PID:928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gQckMIEI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe""
        122⤵
        System Location Discovery: System Language Discovery
        
        PID:4968
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        
        PID:1232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rksAcMcw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe""
        120⤵
        
        PID:624
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        
        PID:3256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        UAC bypass
        
        PID:4288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HYwEswYM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe""
        118⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        
        PID:3240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        UAC bypass
        
        PID:1120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZWkYAkww.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe""
        116⤵
        
        PID:4788
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        Modifies registry key
        
        PID:320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vuUEgIQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe""
        114⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:3576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        
        PID:1388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        System Location Discovery: System Language Discovery
        
        PID:3604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OKUAsgwE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe""
        112⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        
        PID:3292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        UAC bypass
        
        PID:2168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MmEksUUQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe""
        110⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:3148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        Modifies visibility of file extensions in Explorer
        
        PID:844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        UAC bypass
        Modifies registry key
        
        PID:744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WygMYQMA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe""
        108⤵
        System Location Discovery: System Language Discovery
        
        PID:2760
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:1244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        
        PID:3332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        UAC bypass
        
        PID:3272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uCgsIEIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe""
        106⤵
        
        PID:388
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rWkwckAA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe""
        104⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        
        PID:3780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        Modifies registry key
        
        PID:4428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoIUgkcI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe""
        102⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        Modifies visibility of file extensions in Explorer
        
        PID:456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        UAC bypass
        
        PID:3000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dqcQocEg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe""
        100⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RsEwMgIU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe""
        98⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:3840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        Modifies visibility of file extensions in Explorer
        
        PID:836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        
        PID:4676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mgssoYMI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe""
        96⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        System Location Discovery: System Language Discovery
        
        PID:3936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uYgsgAgg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe""
        94⤵
        
        PID:8
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        Modifies registry key
        
        PID:4592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        UAC bypass
        
        PID:1124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YwMoAkAI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe""
        92⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        
        PID:4612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        Modifies registry key
        
        PID:4364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CaocYwYM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe""
        90⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:3876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        
        PID:908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LqQUowwQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe""
        88⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        Modifies registry key
        
        PID:1164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vmQwwsEs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe""
        86⤵
        
        PID:880
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        
        PID:3512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZGEIYcsk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe""
        84⤵
        
        PID:3440
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        UAC bypass
        Modifies registry key
        
        PID:708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\egoYUwUM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe""
        82⤵
        System Location Discovery: System Language Discovery
        
        PID:2924
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        
        PID:908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OsMwAcQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe""
        80⤵
        
        PID:3888
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        Modifies registry key
        
        PID:1648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        Modifies registry key
        
        PID:2492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        UAC bypass
        
        PID:4692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qsgUwsME.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe""
        78⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:4764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        
        PID:224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oUAosQYw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe""
        76⤵
        
        PID:3528
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:3796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        Modifies registry key
        
        PID:4712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LkcAQEso.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe""
        74⤵
        System Location Discovery: System Language Discovery
        
        PID:1512
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\luYAkcck.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe""
        72⤵
        
        PID:1108
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        
        PID:4564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zqwEwsAc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe""
        70⤵
        
        PID:3724
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        UAC bypass
        Modifies registry key
        
        PID:1584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NgQAcgIY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe""
        68⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        
        PID:1300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SSMsUAMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe""
        66⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        
        PID:4108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        System Location Discovery: System Language Discovery
        
        PID:2060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iucwQkQA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe""
        64⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:4188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        
        PID:4164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        UAC bypass
        
        PID:4764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ciQYIUoM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe""
        62⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        
        PID:512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        Modifies registry key
        
        PID:2760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TwYoskYA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe""
        60⤵
        
        PID:428
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:3852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        
        PID:4808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LIMgYIks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe""
        58⤵
        
        PID:4612
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        System Location Discovery: System Language Discovery
        
        PID:1636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fycIkosI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe""
        56⤵
        
        PID:3088
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        UAC bypass
        
        PID:908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EsoQgEUg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe""
        54⤵
        
        PID:3896
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:3280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        UAC bypass
        
        PID:1612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mmwEcgMM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe""
        52⤵
        
        PID:4676
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:1108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        UAC bypass
        
        PID:4788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aOIsoEQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe""
        50⤵
        System Location Discovery: System Language Discovery
        
        PID:3336
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        
        PID:4528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ISYYgMQk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe""
        48⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        UAC bypass
        
        PID:4496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JwEkYYoE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe""
        46⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        System Location Discovery: System Language Discovery
        
        PID:3600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        UAC bypass
        
        PID:1124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XAYIcocU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe""
        44⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        
        PID:320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\POgooAMA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe""
        42⤵
        System Location Discovery: System Language Discovery
        
        PID:512
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        System Location Discovery: System Language Discovery
        
        PID:3504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        UAC bypass
        
        PID:4924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eOMcMwMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe""
        40⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        Modifies registry key
        
        PID:2144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        UAC bypass
        
        PID:904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OAoQAEEs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe""
        38⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:1240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        UAC bypass
        
        PID:3600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sEMEoEEI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe""
        36⤵
        
        PID:464
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:4804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZKIwQYQk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe""
        34⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies visibility of file extensions in Explorer
        
        PID:828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FAQAkcMA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe""
        32⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        
        PID:4108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        UAC bypass
        
        PID:1136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VUYQUMkU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe""
        30⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:3156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        System Location Discovery: System Language Discovery
        
        PID:4856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        Modifies registry key
        
        PID:220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hAscUQEA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe""
        28⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        
        PID:4764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ggswIQEw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe""
        26⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        
        PID:1124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gAAokEAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe""
        24⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        Modifies registry key
        
        PID:2524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QKkQEAMM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe""
        22⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:3292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        Modifies registry key
        
        PID:1328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cKccQEEA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe""
        20⤵
        
        PID:776
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:3980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        
        PID:752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        
        PID:872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        
        PID:3272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CYYYosko.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe""
        18⤵
        
        PID:744
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:3480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FwYIMMAI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe""
        16⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:3724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:3472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        
        PID:428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\roMcUQIg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe""
        14⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        UAC bypass
        
        PID:1636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LukkYwcs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe""
        12⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        
        PID:4340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TuQMQsAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe""
        10⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:1232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        
        PID:752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wKwwgYkE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe""
        8⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:2344
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        
        PID:2104
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:2488
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:4596
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wOIwYYEI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe""
        6⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:4780
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:1040
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:5064
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:3076
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GYAsYkEA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4692
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:804
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:1908
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:928
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:2912
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eIcwIQgY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3028
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:916

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv PZiiYlbg50W+klZu+0VpBg.0.2
1⤵
PID:880

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
PID:4448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\User Account Pictures\user.bmp.exe

Filesize
775KB

MD5
819db98ebd9b2cb612af9556b7f7846c

SHA1
dc260e68aa0bbce014fdf8fd51f7b8d156b053b9

SHA256
43d833caa006a0a430aa705dcd40fa9381434bff1ceb146df4a7e96391970b6b

SHA512
166318fa8ba147f7c0516d55fa7f48e7d31bb51c35ec383762115bcf9f7967dc90f951f826614f946b83b1705ebdef9408372bc173e437d51baa70d088e7b128

Download Submit
C:\ProgramData\bUwEcEAU\NeIwQgko.exe

Filesize
187KB

MD5
5a27336f6e72e149be2e947d622b078e

SHA1
970db2bbd3c33efb55a1c561826ebf2252a9cf46

SHA256
1b7bd3dbc37db8aa14d091575df5053c7653dc898c51c07dd26bc999fa4e254d

SHA512
0b6691dd35e482649383efaba7c6e939f1b351d1896c791df0056a5be2be61846da85bb8e59e72451fbaefac7aadcc96bdfe2d653c1e235c335429ea03a7ad1b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\64.png.exe

Filesize
203KB

MD5
2b5fff4ee74083649993a07aa982c185

SHA1
04395e44e1f3c2066da2929eeaa5a6acca7d57b3

SHA256
18c2b22c4df3d900354d0a366384b7ca9ecdbbfbbdf20b82a5f69afcd0f8b64d

SHA512
913dd678f9016c1b6734f81b72bd2f045e6518bf1e41503481ad7335012f50b6785dc7f0d32b9cc2aafc7d3763c2e28558bc601d914a42c775eed09252e37e6e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\96.png.exe

Filesize
193KB

MD5
89036e8adc676fc90f68a6f4296c16c5

SHA1
dfd184d2740abe351e3a71ad766f8d72e7c15cc3

SHA256
7382c36d4a9cb7e8db135f630edba2ef8fb956a935e77115a07f97f3c83c2927

SHA512
0ce7f20a70fd1fd5e4ccf8fa8c9e755aab0de2d02a3f6d4b951d092f38018d63a9b2d030ac3441b269aa8c81955dbe843660eff305259b893ea6423b04129915

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\96.png.exe

Filesize
201KB

MD5
f79201f6e27f55818031d604c34985ae

SHA1
758949c6060ba63db4b4e2bada2de8f3500fc4de

SHA256
17bc6daa26254336a2638dfcee0320b3852073e2b98167494b7a0d4167a0e41e

SHA512
56ae4fd72c7dd78decc50a08bb66fe4ce68e66a0adf3c8604a083a27678c34906d3a076dc9f04e198f354efb1e2ab4fe47e29188d8f9e38e2c69839f23d3ed0b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\256.png.exe

Filesize
202KB

MD5
d265658bf168dc47900a3e7b736131fd

SHA1
84b08f2541c246139d24f5fabacd4ea699d74cc1

SHA256
88340020c955484da8aa41e992892e5b7129afabaeb1d30e3e6d6be9a01638f9

SHA512
aa5d9a515be85316aa8fb807193efbc32b25dc2161c56dac4e497ba37277205902317ccaa0a61f9b95eb6c48119227e40e2aa95fce8ca65a1f1125aa3844703f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\32.png.exe

Filesize
201KB

MD5
ae3652a3de86c0e1d722572df24646f9

SHA1
def78a15391683cc3834e3879b4e00be649ca99d

SHA256
a0701eb02c203ef2d54ced2e41704607dfa1b5671dcdb7920ee869ef12e60c48

SHA512
5fc51cfb8573a5c41c5a4c28b08ad035ecece450cd9e334266c795282dcadc96ada5ee848fd490b6612126786d762bbe7a80c3c6e39abebcd6508c923e5e729a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppBlue.png.exe

Filesize
197KB

MD5
f3a7248fa24f1d2e7ab6619f677b0d66

SHA1
b9adca035a84de0455c6ae1c1996d1c6915b25f1

SHA256
e1e98c656331b7681444066d5b7d111a30372fc0121d0ab5b9bd2909377583c1

SHA512
2bbd0003b223a6f51d8e5b06074ec658f65694e684bd91aba8e3da6448817f0149b396df95aa961805faa8c74646ccfcae772976858a0a7d346e2c31f1ccd76e

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-09-15_06f86b3751be57a687683a0ef218e1d6_virlock

Filesize
81KB

MD5
070cf6787aa56fbdaa1b2fd98708c34c

SHA1
fb662cbd45033e03f65e0f278f44f4206a3c4293

SHA256
e073f22bff5d22fdbf3665855d2f979d300c4e28421a7edf5d616dd92c71580f

SHA512
93adca8cd47db7fd07d1bb0834c92ef0460d86975ee17276573223eb378d3cc7bc8324c0cd62c024664159b0320501d37bbc97d266a40ed2a51fb3e8e163ba52

Download Submit
C:\Users\Admin\AppData\Local\Temp\AEQK.exe

Filesize
313KB

MD5
173fd14afb3d4158434cbdce5cb9bbc7

SHA1
f3ca1f211c3981f8d393fd4b5f4df77a25328b79

SHA256
b9e26a57c66ed41159d2ef46044066d07832419d50e4ed4311ef3a0585da0f67

SHA512
46b03a3e6884232048508b4772478186618889857b8ba186bb2e7e5e3831e3197c04da3bf6cfdf54ce1620d5ec65b068c9f8f8dde6db0e6ad55b729dce8a3809

Download Submit
C:\Users\Admin\AppData\Local\Temp\AEkQ.exe

Filesize
218KB

MD5
b3c7bb5e8288f63e83a23f08601b3915

SHA1
b436b838523f77c826c890acf188266bf7590b5d

SHA256
0230fb15f0f3f82b05063b1e163defa66dd11b7ec72c49e367c34dcd0c68be68

SHA512
4cfc9eb770d6e8468f6c1d0853c5b7586d959e4e62987d3137f3d3077ca6e970ca2bfd66b626c61dfe9937a2f4120cac8283732646e87f945f98692577b9bf4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\AMkI.exe

Filesize
185KB

MD5
7d496f90d02158f5174bf864e3245ba9

SHA1
a8e061206bb2ab41ff75e9aaaa1fb8f2c530ac41

SHA256
77e9b0a3ed5c7800d2baeea8827fa90ccf0e18af2bfc15eebd5c3edc477871c5

SHA512
b296e591a644e71938e6df98477b37d057d88c7af6d18e6e7f671fc3133afc10f8b4762d7e8050c712831cbec2b9733c9df1940b204b7a77f4a77df2c65c2792

Download Submit
C:\Users\Admin\AppData\Local\Temp\AUAs.exe

Filesize
208KB

MD5
b85c18fc1f60e47cbd1923221c6e5214

SHA1
f69e12237fc8ef6890f16e4462681d44086ead0b

SHA256
0e88543d63d8b0a1c5ca6bab1d8856a8e932f6240c240a8cee2e529ce06e1e0d

SHA512
04f6294a909ceb25be219054693d55b5e7169eab13595b5818ab0b199741f45c896f9397cb454b844fac474eef5abf8fc267b8e17d0f08c91b55f1c2480d8ae8

Download Submit
C:\Users\Admin\AppData\Local\Temp\AggU.ico

Filesize
4KB

MD5
7c132d99dba688b1140f4fc32383b6f4

SHA1
10e032edd1fdaf75133584bd874ab94f9e3708f4

SHA256
991cf545088a00dd8a9710a6825444a4b045f3c1bf75822aeff058f2f37d9191

SHA512
4d00fa636f0e8218a3b590180d33d71587b4683b0b26cd98600dcb39261e87946e2d7bdcfbcd5d2a5f4c50a4c05cd8cf8ac90071ecd80e5e0f3230674320d71c

Download Submit
C:\Users\Admin\AppData\Local\Temp\CscY.exe

Filesize
833KB

MD5
62e773d12c71c228a0c78dac944522e0

SHA1
54de7d1df0c7cd4f6eec88314ca723ca7f24c122

SHA256
972b871f9a3ec948c9dd9450a8c0039a16affa823d53642781b13a88f040d2a3

SHA512
6e1eae2aace7bbcb25948a33d3ba0c96abc11e5d3f0de55d1dfb71bd424edbcea46812e2def3128de2dd3d8c4cadecc83233c97fe5b39fd4c53a18d6a807c497

Download Submit
C:\Users\Admin\AppData\Local\Temp\EAIw.exe

Filesize
200KB

MD5
b8bfb5c59bab366851aa82efbbbf7ece

SHA1
51b2cd97f418bcc2d6b60a3d72ccd299f24a4b9e

SHA256
95f90989f0daec9996d728f9cb5a35eb359ac8a28ac2a65db50527d1f6713136

SHA512
06dd3ae150292ad9366f61bdda6caee08bd0f74ae70eaf94613709beefbe20ff89815432b33d447e38ced6869dba2de02464aa4c9945f0a4bf37ad55e6b05191

Download Submit
C:\Users\Admin\AppData\Local\Temp\EYYW.exe

Filesize
714KB

MD5
026bcd058bfc7034b7e2f70409794104

SHA1
a7cbb8fd5c5d7bc10d8b10b3c59dc3d64669b2d0

SHA256
c658ac40774eec223980d56136e6cecd0ecbe292a1cd298f19e5f9ac2644b18a

SHA512
064e8d089fd809ba4a3132e2ac7bd8fcd106a1ad49c9e85b2d3deda22886d693aa1a2cca04e4dd8ae653e27f8d9199a9b2dccbacbbe5d65e1f608e862e5db4d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\GAwS.exe

Filesize
228KB

MD5
760741aa353cc709a402d73279306b90

SHA1
4759af03fc12e68edb1a69333b8714854f2c6fc0

SHA256
afc6d7de6ab093ef64893b6c1a7ec9af104201776cfd26e6f040d6c9a96c2760

SHA512
9b3aa5def7ed4615bea3e808bfb9bead574fdcb2eba9031c43ba4562f3e606fe6815d2bc4431f75d3b3522e8086602cef4fcc4ad8ac5a34ab14664db04d93920

Download Submit
C:\Users\Admin\AppData\Local\Temp\GEcq.exe

Filesize
645KB

MD5
a8902c839e89862dbf565bdcc67da13c

SHA1
4899974b7fb65f97bf714a17df146e9b395966ad

SHA256
24e805145a10fc54909afa2f1e15f6a80152b057c590e3ac5bf3b6d72e936856

SHA512
526f5b0a07791a42b452a76892851b902b2ae3bc2f43aa87e887729d24043ac566818409d79136768153fe3a98084b449eb4403a95245d8ebd77edd934c44084

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUQC.exe

Filesize
205KB

MD5
96b2722324dde11089a428a9c67b368d

SHA1
69020b948387da16511b13f9c6af9ad31a57ee86

SHA256
f0c57612d53ba72ef9b8c867ecd771d94a7f8236bef1d9cd6d65195df1fa7ca5

SHA512
c21b76a4073ec5dc986fac6df9313cab03c03fad1b62230e58e41fe795003f863a7a76ca0bc7efe7c17c7fcce53b210104a70100d8ceb337288a098e30c9f25e

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUkO.exe

Filesize
798KB

MD5
0f3143fd2e607d5c2f9bc9dc41c14061

SHA1
321cf3dd11d8aef6bad528f7445a812e8f844ef8

SHA256
ce1ecce515c75266b5e5bc74b1f28bc370f76d7aec3a4b8fd1e3410db6d1287e

SHA512
9211a702328d1f787adfc2b3effc26f31383e9103edfac61cfbf4714f054d4649493af91e3566c5403f10b3dbb1bf19ec5bfbd0efabb2caf3e5618101a8f8716

Download Submit
C:\Users\Admin\AppData\Local\Temp\Goow.exe

Filesize
835KB

MD5
832a4d1f0c437f6bc9054990d719859c

SHA1
72f554fd7f45b7e13b14cc865dfcdd1a4ca38885

SHA256
48e4657d508f92c1a95041111bf925e7fc7eee48f54c25e54d46eeb8f0cacaf2

SHA512
1ef970ef41819aeab3fd55f6bbc5782cced4229c7eeda8914a1cae8e2fba3e200936c3821229b36c8a7c67a4eb3de4938d5529342de2c0dacefa6ed06789f7e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IAUW.exe

Filesize
198KB

MD5
cabf6ed108aaa8d9a04f36ab325e23d0

SHA1
39038392e6ea2a061b9fab4b386a6bcd529bfc50

SHA256
0bdc7c291f40f385d9b3af28798e3786cb27be166cba7fb712e6b15a885ecfc1

SHA512
12ceb37497de7451fc313f39a3ab2d2e41a65ff148d8e45cda76b00c778daf551de5416a4644e8fbb51e2c9a747f17a5a39281924b96f5fec3249e2ea9afa88b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IUUq.exe

Filesize
646KB

MD5
97238e029ba7870d29ea0edce5623434

SHA1
5beeed25f04f0018192b82495dc470de475c7550

SHA256
4958590468cd173c84b4e30561331c00297dd5d11d85394402955ffaf12ed262

SHA512
3f14614f01e83c19efc447ad8a22ffa9d1392bc43b82f4d7cc0cf1aea4e35ceca7824a4d41fb645e8f206ae539f9c2d1b820870a021eb6c51312e2cdd647984c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IYkq.exe

Filesize
194KB

MD5
506daca44d9162fc06e0a7c2765b4270

SHA1
492a68ce4108f91441fb8500aeb45a6fdb924132

SHA256
707bfc203e3c1fedb5eb4c8ca2fa897aa4afc1153df249367ed98613997364d3

SHA512
c8005d0c04d6a3eb860dcf66bca922d1b9e7353dee3c1ede2a7df22e744e14fcce6abe82d82e1e50c835ce64161ac7ca501ee9e061a21a73415cb7e0b5a09495

Download Submit
C:\Users\Admin\AppData\Local\Temp\Issi.exe

Filesize
194KB

MD5
294ac435d0d4faa15a9f76d58611f9b8

SHA1
0601689196b26488c1970858fe4d127fb5efab04

SHA256
1b8f66daf80933059e8dd96acfdc94f198b0e387f36370ad46776b4ecc41dc7b

SHA512
6a3c4ec69eef84f9ae2ffdd96122d9060f19dc94eb6be3c18508ec0d8cd818de8182e62f1c2ac55ecb19a5f3957b00df661a63272912bb36531fa883d2fbbe51

Download Submit
C:\Users\Admin\AppData\Local\Temp\IwoC.exe

Filesize
229KB

MD5
6be927e070755d8fac7b8abcce52caa9

SHA1
f9567333c3a04bd4296f01ba5cb9b4bdde622648

SHA256
fbddcde44d04c6dd4293e8f30f7c67a4e2b9ebee2a92651721ac6497051cde7f

SHA512
577dfa784546242006a8d1137affbfa7ef03d0b6503d7116def4e30d9eba1aad39e99aca8cba53679972e71cf6dd2f5a29e57e099da7afa4f12bc49c25bc921b

Download Submit
C:\Users\Admin\AppData\Local\Temp\KYEI.exe

Filesize
615KB

MD5
b91307302b56c3c3aeabb35df3074f36

SHA1
85e827470ca4e8640117e1fa099bf646fbf11670

SHA256
71c5eb4a72875c447cd6cb008b1a5ed0fe434b99870e74d7e387c1797fbe9e4c

SHA512
f4982df4aa5792d71b00e6ed38d14f2527348964dd8302a154876eadcde4d41afe3b1c840f4c9f989eae7ba3a8fd3b1cbf7966755538a13c7eacc4eb0a3c688c

Download Submit
C:\Users\Admin\AppData\Local\Temp\KgoG.ico

Filesize
4KB

MD5
ace522945d3d0ff3b6d96abef56e1427

SHA1
d71140c9657fd1b0d6e4ab8484b6cfe544616201

SHA256
daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd

SHA512
8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEUk.exe

Filesize
529KB

MD5
59863685ef0162e7cc5b7a9777d31693

SHA1
f8d8ec7305440ee54e39fecc5d0476db1e707983

SHA256
cb015f0a61e6cf56b98d5168a277f95910bdd4dcec176b62ac605550fbc0f66c

SHA512
7fbc8263853aa582bf569c1ef8d5c827bf405ebeaa7200c9a667f108a6dfa5d6655ceea31c2b1c18e96fafb9dfff4854a24bad28d1730fb8f800824484a8f1fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEcQ.exe

Filesize
196KB

MD5
03f17c009d5793f19be4a2ef9d016370

SHA1
5e05d185347384adfe316f228c1d5ad42691cdbb

SHA256
25197126d0f30e6183f1ff8e4621e8ab3c80e4a162d8cc156a0fba086c7b7257

SHA512
e64187c348e176f9c36dc0a28458e19ea4fd7a22b8dbdfc7dcf549333ebaf7c868a50ca02726302617ff940b43979335c9e4994fdc9ae9360faf601c354a136f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MYUc.exe

Filesize
193KB

MD5
6d89537c7cdf7e73dcb0abb67e2dcd2a

SHA1
a8cdba86c2896a9ca319b3ddfd7cb756bd1d284f

SHA256
a6220c274bfe58931190e11b6e5cef3b573ba8d43bf8cef3e39268ea929f84ab

SHA512
8cacd36311deb55a262d30b55aafb3098f119f4728ed7c02c637a85b0fbfb669db694729bb08f739e3bddd14e13010ecda842d4bf3ebefc4cdb80f5069867964

Download Submit
C:\Users\Admin\AppData\Local\Temp\MYcm.exe

Filesize
203KB

MD5
98a29e61ccb5f503ee792b1a50e36a2e

SHA1
85a2d27ca60ea89d575bceb9633111a022bd68ce

SHA256
c1e383956b547a79c95e67d1ea33b1c00b506f71152013b8d97338660ee037cf

SHA512
042bbec79d1c75bd5a0a08b7adc458976c6d3cd4df4b2b9d7a1e99e1c973ffef453099e3adbd2b3645bc72112c01c51a76257e1b206b4bb6b8380d9808b6c706

Download Submit
C:\Users\Admin\AppData\Local\Temp\McYu.exe

Filesize
637KB

MD5
4919ac51e6128d238aff723409f48fec

SHA1
4c5f53cc32716113ab7058c340b875faf5111fc8

SHA256
d7c6916c8e11fc1b33d57dcc08b93ac4ffbafd45e2245dd64ce221aaba700cef

SHA512
ae840f7ecae6c00b1a5b1d565bbb20138fc3583796bb66b675beec6517b7487e2ede906735f7829e9c612c5638705c69a16c4cc1d46481e090a19e97318f1b69

Download Submit
C:\Users\Admin\AppData\Local\Temp\McsM.exe

Filesize
224KB

MD5
8a2c237490698e7624be91846eb6058b

SHA1
804abe2db9a50dcd40c78459ecd78d22048e34e6

SHA256
6c8fba8ee9b01112df8f711d8d76a03d7fd5ef2e1129af32e51c4742c44ca49e

SHA512
8320461fce40da2fe2aca89da56ebc9daba42fcb51216c4fdfd22ab255331a4eed0d83a29c13342e3443a6cbeb847c5fa8213d500e84a5612c7df63c05c4d126

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mkou.exe

Filesize
212KB

MD5
13728b040af7280bcf32e0a8f4293472

SHA1
79f4fc2a245a0fdab75d5eabc231a3b5155fcce6

SHA256
9e891ad30680a32f844d3bee54a8ffca717307c1c2dff43fea671d6a0e7fc0c0

SHA512
7ebcd09a476784fe9564ff54874cc0339d55337fec30138312a9c4d961f3c4105a06db4f95d1cfdd194153203f75feccad6ce21f642ab578d77f6247c6398b1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\OYkE.exe

Filesize
671KB

MD5
369777104c1f12637b50362dd4367f1d

SHA1
b3273c29fb083ddedcf5376cdd13ffb963fedbf4

SHA256
9faa114021c1dd5121fbd3d831bf0a8643db2e70701a8146d769c5568a076150

SHA512
1268fb3a93c0f730d5844a58666c1f63f4d0bf4ef978aae53a89f933f342aea0f2fc14326d119cf46f4bf7faefae2397f6be4e7ff518dfbb4c767846da508013

Download Submit
C:\Users\Admin\AppData\Local\Temp\OcEC.exe

Filesize
541KB

MD5
beb9bc5dcd7ec7fceddf077032248a61

SHA1
d0fec56cd666e40246eb6b62413b3e3d7d86715b

SHA256
27649ff9f9ecefd0be599c8e05b34b4af559c2f6af00f5c6be15810c92bbaecd

SHA512
9873e137c3c35f31d7c68291410827e9e706260f12ab7beed639cd36ccdc69b158ecd6ba87510adb847a8735cffab3ea999c97a1fd046148f6e0007934e5f842

Download Submit
C:\Users\Admin\AppData\Local\Temp\Oogs.exe

Filesize
317KB

MD5
c398800f5251c39908c0a595ded1edd6

SHA1
1d64ba0a88c7dea1824e2dabcecc5e0a363954a1

SHA256
ce043e2a9973d06c91d1d0ba571c8034f7b8b7b3e076a33e08a20bb1c6bed56c

SHA512
f24492a3999e9809c1de0d0a02106e4d810fa93c530ef2803fdcd5e491e3a2759e825fac4ddf909abb83b2c3a48a7c274dc6c77883eb15bf1c8187df3be8f4a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\QMUW.exe

Filesize
195KB

MD5
3a903ce522bb1cf44fc8a7a64fdf9c79

SHA1
8a4cf3efd1abfde39f77d702d8df9ae3fab9ec67

SHA256
78c8aa612b48763dfacf0a66ccadc5bd779e3bf21612af72dd7b9a3f1812da8c

SHA512
04fe1c96fce1695a4020525d8622c2f2cd385d55ea0842f655c31df28adcfefa870c192633ffe33f00c963a71bf533a6321afd4d19c366d9cda27a04a0b39f17

Download Submit
C:\Users\Admin\AppData\Local\Temp\QcMC.exe

Filesize
307KB

MD5
bf050d55ecfe59cabb90832d0045a2b2

SHA1
248d48294804092900385062a10d9b5206919ba4

SHA256
9fb8029d0b36f1ec6c005b9bc57850543dfae190d4830dcb47226836a49edcd8

SHA512
96698930f4def250383e3f8d2d176b9efe69bed8560224dbeef29544e34dbd3d52b47db12608b20e6d4ef2e173bd4b0c161c32510c6a4043fedb138dc28d963a

Download Submit
C:\Users\Admin\AppData\Local\Temp\SAYY.exe

Filesize
249KB

MD5
2eb008bccb75382bd0a29b287dc9ed5d

SHA1
5adfd03adcb037e3b1085186bd41ad3c176065c0

SHA256
3f73092856ac83a5eae35e542ef72a3cd331b1cdadfe96d858fb0e1ab7f8b566

SHA512
07587aa1254000cb99b833e3ff3038c5dee6ec2efe3f2f1f53e84119ce625c86a945af52b24a5f72194c7166da056116098f1b7b98e182b04aaf0a878f74e473

Download Submit
C:\Users\Admin\AppData\Local\Temp\SQsG.exe

Filesize
245KB

MD5
bda89b941f7339f614c48bea39e2e630

SHA1
7f1dbe29407acf97baa6318268162beca6a8aa85

SHA256
d8fc1b2197866a962ca786444e5131bfef69b8bc9919368532998fe39614bb9f

SHA512
01a3964df6dff84b6273c34450073135c600fb49aaaab4ca6c30cc1a7fb0a73796965355cb1d23e5d3e82e57ab6909ad3eff94b71d42449b46a309eb60a6c063

Download Submit
C:\Users\Admin\AppData\Local\Temp\SYIM.exe

Filesize
724KB

MD5
4b00109dc2b515673785f2978beb7475

SHA1
acb4cda2ab9f4f7ad83645341e8d10a60f4ce515

SHA256
0edf2aa67dc479932656650241040cea1b3407d243339691b5f8adc943253520

SHA512
6dfbb4fb867b2f889a7e971f5d189e13d7541a8e8fc2d66f0d294dad742f5d4446525a8339917230676536dbfdfc926b51b83e8c879c23773f1dfdb516fdb3f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\SwUy.exe

Filesize
200KB

MD5
0f89974521e6684c437611134575f904

SHA1
9fb14a8eb147ad6de40b8ade7a284b91c4cf0ede

SHA256
9510e6cb523577ced0c02bb98a0c138e9cfdf1e986a28ec07e72c6fbc9792ba4

SHA512
5fe761a65526820fc0c98ce7770390a4a1aee8d51079649cd9be677c96600ababe776ebef859e4f4fb9ef1f8ce7b5a8b9365f34d31542ef058fab565a65ec444

Download Submit
C:\Users\Admin\AppData\Local\Temp\UYoA.exe

Filesize
897KB

MD5
677011c8292ea99acc3e84e473b51077

SHA1
3b56027f711b1f7f081929093b6b3b089f8c231c

SHA256
bc81767e9a8d18ac0309cca6a769a000d7d0c2f17ee35b6397c5b55927036d26

SHA512
eff7e62dcdce19246e99173737b9b413cd952d0c252f7ea5bef44dcba9ec9a865039f2d5cf033ad83ac44b4b3380f81b35a4898f1083c7fe9d800e0276f5f354

Download Submit
C:\Users\Admin\AppData\Local\Temp\UsQw.exe

Filesize
181KB

MD5
e28fa2cb9746037314cd3e9fbc2a9d72

SHA1
ac30b9d0d23928ee8ce561243441f69c417e9512

SHA256
f1f5f9e2fb70158ac2d9a931d0a214bfd0d90fcde998fca15d83d1369cf03592

SHA512
43a74a911c0d3f3c3252e898d7e8c4f5975440d0244be5f852c2477e5424b3dd840236977e687e90feb56395c42813394140162c5453aff66560ab812cadc86a

Download Submit
C:\Users\Admin\AppData\Local\Temp\WAAs.exe

Filesize
227KB

MD5
9e5b0e25d1a6a91a4789017a9e2be607

SHA1
2876326a48ba3a5c8c2e42978a780b0ee4070cd0

SHA256
3bff14e0cf5decaf976e04712401f6d05c8bca23f95a225e4aebb15c9b4549c2

SHA512
1d7d6e94d09670ada725026f6b49260c4ca406db42e03a8d192eece8568dce7fa680a5d686c8a911891de222c32559b9aa81c22be63c38056c8acbb382504317

Download Submit
C:\Users\Admin\AppData\Local\Temp\WIgy.exe

Filesize
204KB

MD5
fbb5359bad69bfe4fcc8ddd2788954b5

SHA1
835c56f0415c3c14480b05944375871d9570d70d

SHA256
aebff3f2c81591cd2d669a32f361ca2461cf43bebc6fae2c708ce583fa185b22

SHA512
00defccb77dfc062d72bc9443bcc309e3cd26b63939a38c980ce03707dd92ec65d65524601009ec5d41d4b9ba71c2f07cb47ad5cf390a3c3fde9e9c36fbde645

Download Submit
C:\Users\Admin\AppData\Local\Temp\WQUE.exe

Filesize
810KB

MD5
014c01d58c6c5c112a6e30854fc05d8c

SHA1
19d4182c575ed3e45a19fd1896c937e0e47203da

SHA256
4f1cd1774f7d861ff82f04d09419740c165fa40740d18793f0d248a5f76fbeb3

SHA512
4697d9f1dd1c920305f238192f48f45016a548cc3a57608e44fe1db3a011c0fa5c8a838b2c1de4ebda8509f9ef332cbf8f6a30b16a529a863ae79d10770fe4bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\WsgA.exe

Filesize
214KB

MD5
a521462642099a1be89d5836b8fdf663

SHA1
fdf7b9f0a1241d904659eae50de349bafb262c96

SHA256
86fd47bc5b523a0cae0df416162dce7778f4991e88b27b5141c8be5fbc9e7808

SHA512
86ae0e70ab329f18f1770b771c55b769971a8e0a39720fcf81c7dd9992ce6bfa0e8623fc696fc0e4a0cb673082b088a28ff3eb4beb67c114e114ef37f0438e62

Download Submit
C:\Users\Admin\AppData\Local\Temp\YMAO.exe

Filesize
850KB

MD5
c995dde822566be9d33804284c194eba

SHA1
081f4cb66a7fc7b3f4f2c7371b31e6b9ac60e7f3

SHA256
adedaf6d2c3cdba4966f420a5b7d7c6483e00d751baca80311e4f883b1f0caef

SHA512
55e5bf667432db33ac9a6de1aca964e90d7780a595e8f73c633812801a4043c885255ef8b06a0deb2c22620a9fda1170a9dae092528cf798a484ca063ebbc5fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\YMcS.exe

Filesize
212KB

MD5
d64062ea2ed3b68a0dee07cb88b5f998

SHA1
4d99938629e7b8455b5dad9c9921968bfd3231f3

SHA256
94062fc25dba800f4307fcafcbcd37415bbc34d1bae8883f11acd5c669e85c8c

SHA512
01f4c7ed704319b5bc6b6e9ca3c20195aa7fea47bb8c276122fb98278a48b8db46e74e6d324c823f4eaf680c9f36701c721e3ff9f5459a9a4b79c72a02d68ae3

Download Submit
C:\Users\Admin\AppData\Local\Temp\YkAk.exe

Filesize
799KB

MD5
dbd196e64800613d6217da5ebbff490c

SHA1
53b3d6ca9b648e169e9dbc309b326342bd7d4ac4

SHA256
209a6582630800868d8bbc07de6f941c398362bf1d12cbe0f280f7f61d2f4da3

SHA512
a9a427cf38c66db73e674c293a95ea9d689aee2b7b20e81fc1f6b8980017f07c4994b9f0e400aafa3cbe8c0cd9af64ce7a4e5cca7a3166be174a63233a6d34b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\acgi.exe

Filesize
423KB

MD5
3b4dcc4e7f662b4a7fad9a158eb440df

SHA1
a051462c1181dd368926f2443c0b1f52c5a03008

SHA256
a605b83d5df69c8b9c22f9f2f95247ca5a86ccdb5f386f6f77eaeb648e206059

SHA512
e05f8a1535eafc7786cd9f7c0a8005afea104798ca292762f83e878445927230f252feb8c67d03faa49b7b2543a7d62f1a981d8651ba1b814db3589f2741ad1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\agoO.exe

Filesize
195KB

MD5
0779ccd32ffa141539103c1871fe666f

SHA1
3a5563f46168f4179099e8aab5f7285d93dc0688

SHA256
3f7775aa42d5c1f4a5017bdf3f0846853f14f7c29a6568a03ef473f84b258953

SHA512
ffffdcada5fcefa130a8039bfa18e165fe23c86197eb8646215e9fbed59bac8cbc38ca66df0fa5b3569070a85e811a2f98906d81bbff9b3accf7dd25932f6689

Download Submit
C:\Users\Admin\AppData\Local\Temp\awYc.exe

Filesize
201KB

MD5
b52ef6061052834584c3cf6ffe33ff24

SHA1
1abf8f1910e46ef8eba70dda5a9f241c4f34900d

SHA256
d1062241113de1ac50e5094eccf1f3f0dd0a05c5d7eef48bb9a901db6f611dfb

SHA512
0eeb74880905ce8a97844f0014015c39068f864f6eda0c01ec451e2a9a20da47475aa75b6a8a178e4cad57e2292fc7623438b8512b6dab899fa3577522e2065c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cMQi.exe

Filesize
207KB

MD5
ca6a3fe1fc13b7e1efeb1f88edce3114

SHA1
c6d126f900c327361aeb60f3f8e58f14d3cf36c0

SHA256
4f7ecb937a8f341d630ac453588a9fff176ce2e136058205aa516d071aae4fbc

SHA512
9de6d70b842fda67a9a29ea21fb8513d87e6885e9cd8ee5eafb2f4f89b3dcc0a06ce650beadd3f1d94dce49240ae0112fcc044a1cadfe908e72ca3a99f4f7053

Download Submit
C:\Users\Admin\AppData\Local\Temp\cYMi.exe

Filesize
205KB

MD5
786d92a1a0809cb2c78883334941c2ad

SHA1
444f7eae37852bae9dcc5fe164461bc7f34fa0de

SHA256
3e77f8155a33bc2d17414e3769b888e10cc38e287d9284cbfbba16342c57b37a

SHA512
c65c1511ed2e61e7c48c2fd9b81205fbeb199aa93f30103773c77c22143f34d20f33e4da2ed7ed48ba93ea3db021fdbab8e4185d7001ccc8ea95b2330530ad94

Download Submit
C:\Users\Admin\AppData\Local\Temp\cYoA.exe

Filesize
212KB

MD5
4315717a263d98391705dee7abc49b6d

SHA1
796a95ebf01800cc8df2ee2e59c821a816175284

SHA256
ecebdb95ec2ac0b5c523fff0b8e725968372626adb2d8a00bf520b65b536272e

SHA512
c8ff7f48da88c5fdb704b91dedc430f691791c327e12f04a37aed25799c80fb0b4708d6254f9236c34bff76d56dd5558f757610ef039b19204080bc2963b3fdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\ckEK.exe

Filesize
197KB

MD5
f8c643c24adf69f61228c15bd5c17b48

SHA1
e48a7f82e27fc00c690d91dfe10331bd8d158228

SHA256
0d5c546cd564f947c6e8382518a3439f03a19b089b6db13153ba25b091e9b2f7

SHA512
2ab77dd676a5902e7b2282a34938e028dbd4dcdd63854cc3eb15dc9ed6cdc74868229365ca1eb2dd5794833b5fca482674dede2328284838b9a782372f17ef61

Download Submit
C:\Users\Admin\AppData\Local\Temp\cssA.exe

Filesize
180KB

MD5
449e7bf90ece594955a6f9a6e99d254a

SHA1
357bc09315fe520d71794e01aa6e75bbd0ed26d0

SHA256
fad71c1af87681c00fd0c92eb2d4a209391074ca21ce8b5dd0f3d3e9afa91470

SHA512
8affe0c677397ae12fe56c8e6bf02b2149db5ac66b79da4a064cace8656244d02a8fd5def3a4b1d38adc214b6899d83ea06ad31f2c4f071ce8421af8a8476357

Download Submit
C:\Users\Admin\AppData\Local\Temp\cwoK.exe

Filesize
650KB

MD5
236e1813c3de065b83c1cb919b637a46

SHA1
dabeb7299e656bed076a5bc169c6b10b2edb2f38

SHA256
cd4cb765ec6cd85d15faa5e7e27e8469dd13564f917dced68eb4db1bc7d6da28

SHA512
83ea537a0a1c976aa90214d8f9e8b2b53ee47af3f24c213447237808ea4ed96fb3e34216abc1c89c315a2e766d342e0cad6c4ae677ff49c8d316a3a8a19a5a4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\eAkk.exe

Filesize
197KB

MD5
52a668b18006fe7429cb5be897e7c452

SHA1
b4ebe561b38f4334b77392a7f1e7e47d88cfd6f9

SHA256
8868fb708ad219dcd0329fe71e8b0f80edb8e1a7b8ffcf996776378a1580e740

SHA512
a6621c149bad0f5ecf4ee574d4dbaf206efbab6e26c6868e4ca96790d35bf675e621b2259ec4dd79035424f1d25a1f9f80a6c203c066e0d4d37decf2979df2ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\eIcwIQgY.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\eQEo.exe

Filesize
193KB

MD5
cca4ce39258deb3028c60dd0941667a6

SHA1
0e6e127e094281a2003bff1ec6de01c99b0c0fcf

SHA256
e7286c4dbd9e31ad661fa307ce69c9802f4e37f02120a0d39a2de3862ba5bf46

SHA512
4cfa10f56f2b9af6d5a76dc77d288a2a31c9a61f527b42d993eaf31214a2d0ccf66fa9fbc779c28e5d9304ca0b4bf6799d028a2a160893c341a7ebdc776505e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\eYIw.exe

Filesize
576KB

MD5
c8453e8695c012b24be9c8d42fbbc536

SHA1
c148c22d9bf76f22c15cd048b6c4512779b11656

SHA256
916dde8cb8c9c5ddbb02b1effd9120d9d123609405bf93d7935ba443000d2fa9

SHA512
4f4aa0cb2cf2709608cb7c3de585b6a8bab609d0506f2e092c32b673ca237894f824df04b865b3727cbd55f94b195f6b3e36cf1ca3e654f7a9364be9a7ff1e3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\eYUc.exe

Filesize
422KB

MD5
4cfe5cdc72c2abf95a8029b444c7c496

SHA1
3ed66d86a92888ce20a1cd21d79f411a4b26dd71

SHA256
3d8593d41355187b82d156b5faa6ef9cdefd635a7eb3f7e6d129c16d0fb8fb1c

SHA512
6fa6d8c584b2c87274dfeb003e6a62dc0ba2f767aa25d90bd17a67d94ab6a359a29296f306a01b457b16c740b0911d1d3ada47b8fb201f92aca28e994101e5ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\ekUe.exe

Filesize
1.8MB

MD5
309295fb9826b3f17900f9a219147a15

SHA1
43d064526534c738021fbb093ae128f9bfa0c526

SHA256
13c1c84c241fa835ebd7e2e902c6aab5a368e2f37f96a4cdbf25d752c1c36ca6

SHA512
95f87edda398fd58ec4087ab632a5d5eb6d7f63f7793c3c7422fc81cb7a9e9ba3f484c3c6385864bf5bd44973ba58c211b03dc0d64ba58a918f8977eaf3e0270

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gUoS.exe

Filesize
203KB

MD5
157733a7652ee7a1f31aefc3a3560f01

SHA1
955e970317e873d15d9c22794874add3279e84ef

SHA256
24eb0d757cf2ef31d19e1863f2e3cf386cbd58100793c4907d70731791e90902

SHA512
7cce7d572b5628b55196c8efc790bd64f66ede76a9f4fe84c6a8a3c8891f0ffd646d2a9222fa638624ca73ae794680eddb26e4ea4f52f892914a22f7c8511d37

Download Submit
C:\Users\Admin\AppData\Local\Temp\iAYK.exe

Filesize
329KB

MD5
723cada92dc7150896f081f3c13377c4

SHA1
b8c7b9e6dab2414d2ee2a222090b794b0c3bc0e9

SHA256
330ce7f3708ab4f77d14e045874c1fb4c9e0ccd9d82e5991958265eaf2320e93

SHA512
f132dc2598dff1df257bc6bfb915f0f4c40fdc3db1796fe394d212e07544092d7d2cf3c8a07de221d32cf30a2ca13caa56f9118e9534c674ff27ed67eecb2c66

Download Submit
C:\Users\Admin\AppData\Local\Temp\iAsO.exe

Filesize
652KB

MD5
70832e4df9ca52c572bd128f86ce2120

SHA1
883b9afd64bc31b9e2f6235e89fdd60eeced5120

SHA256
a583f6c90cd194c525fb860e0444c2f96d11a34873f986a6fc882d44d77c29ed

SHA512
d9db0fd128aa22c5faa27b92fb4a33377148cf0bd6b3f23bab4e9b470b691f4898450d3ea6450af847804edfe29bdb90d837bfbd226f1c5765f28a421af4f628

Download Submit
C:\Users\Admin\AppData\Local\Temp\iEYE.exe

Filesize
784KB

MD5
6d9669d17093fe39171a79aa867977e7

SHA1
03051d54350379df7c1f3979b784ed9365a3e6d8

SHA256
3ca1867d524fa26d7f7d71d1941a967772f103d821db6c7d56182c407f9cfffe

SHA512
f0048650adbfd98055acfc740680ba6df74b1f5680a2ff0cb4a108faed09173aa1bcaaf41f38bed13d7e7ef10ba780f8a4e917749f4767cf89e2580ba17ec348

Download Submit
C:\Users\Admin\AppData\Local\Temp\iIQO.exe

Filesize
212KB

MD5
7d1fa87bd908f4b71fd50924ef66e37f

SHA1
a9870d27ccec43ed7cb6c4793fed1d51893a49b7

SHA256
eec38b7f51416e1fa49353de2d347b4bfa446c84a88c0d0811e65dabbd4ad26a

SHA512
0f6f57f2ef34d3e4f4890d2401caaf2a0cc2ec3bf3033af9ff26d73d4a6f3cc1adf8228879d806c3effa804ced87919ca4ec6d5daa29eab39819dde32116fb31

Download Submit
C:\Users\Admin\AppData\Local\Temp\iIkS.exe

Filesize
206KB

MD5
002325d20b75406b635cfbf33b22fd0e

SHA1
6f5dfc6828917a4b4225403bb36b04983668664c

SHA256
71d29f3d5464394c82280eddb279dc2ee0a9650871b8eebb49e85fe0d8bf7297

SHA512
9bfa3a044b081deea8c907ac75c83897069ea0d58df79aaad55f7e87d3d55014529ef97e0ef8f4615013b82f5d6579624e8c31b95fa4ace58d6e5173d71d4808

Download Submit
C:\Users\Admin\AppData\Local\Temp\iIwK.exe

Filesize
180KB

MD5
98b6dae2c1ba9fa8e78ee36058ecdf60

SHA1
9bf81e3afee719adf6c9b1b29025f9c2c3278d4f

SHA256
04eab0545c4c5b1d44845638b22edc25da9444b1d1a27ec287253cf9be40c944

SHA512
0c099c09995492add8fbe8f3ad1c2bcca2cdcb9305ea383d560e95f608880da6f870235e86b53115eddbc02c7a89f4b1e54ed547b4c4561318a35d0bffc96528

Download Submit
C:\Users\Admin\AppData\Local\Temp\ikkQ.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\ioYm.exe

Filesize
747KB

MD5
3a1c0b0b69bb11f0f0bfe416c91b8204

SHA1
7701a20a9472ee850d4970a049df8f760a7ffb6c

SHA256
e051b5743d140bff8209662edac3ae27532802f0a94455be19940c535f03a6d6

SHA512
984e86d28cf9172a46ecc72bfe4bdcf6dbc39fce42fb87a6677fc9f8bd16b9d80fde0141d89ff8d04babf990e5d3b7e840c63dcd2c7199cf6977bb826dbb75d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\iosC.exe

Filesize
205KB

MD5
894b94bfe5634563297f79eb3cddc438

SHA1
5958acb2b804cd103e6ddd6e7b5b482f7eb3a950

SHA256
c33a3d9bb319ef005f812eedbc4eef8921781419dc764bde8de945a7d27f3c8a

SHA512
5df2b65cf65c5c76995c0f9b91ac5895d46aa9fd675a1993c111decba92f7cca72d67f1b2e9a9c2a51341732d90e2ab57e5ab8058b2eab50df161ab05dd99854

Download Submit
C:\Users\Admin\AppData\Local\Temp\kIMa.exe

Filesize
217KB

MD5
5d7ce0f6b1cb854739cfa66f52db6bc2

SHA1
1da68dd4a785be30a4975bcefc14200cb86bbd23

SHA256
3296e6231aa34d7dbd255f6ba2f322e0bcbadbe113769f32f5151807c840e6dc

SHA512
e597a00dd12b1a7406c9ecfec2637ce0271a44193dbf5df2e2c0e2a83319e9f100d5ae253ace424d41be5e7b650d2360aebd0b4bd4a220a9192d7bfdd37fa4e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\kQUG.exe

Filesize
702KB

MD5
3120d00915d03cba97e68e93950e7dda

SHA1
323cb06c5b3ff68ae0b5df8bb7d719438005ae72

SHA256
fc3e2be5902f118e9c0e51ab243c0fca8fa26f98db376c0d7046b70c07a08dbe

SHA512
1c209fcd421530b728e7911d7b145f49c68398a492185702a0d13f6059e99ed84505e12736f5c8656708c89287586befbbb7042ddc0488a9bc3163a3663ab305

Download Submit
C:\Users\Admin\AppData\Local\Temp\kYMu.exe

Filesize
776KB

MD5
7a3f022b1f0425f39447cbac8eb0d40f

SHA1
ea5d11fa198b69e39fecda8bcc055e260baceed2

SHA256
64ac0d2ec2658a20bc142da650448022a4d632f23e04cb934f3aed48f74de5cb

SHA512
9fd90a8ef58408011ebcadb9f9492b651841e3d41284e935c098c0c372ea1505031ac39cd30011a9ad18c340a89e268185278169ca6f7da52ebd51aa6a54d56a

Download Submit
C:\Users\Admin\AppData\Local\Temp\kcII.exe

Filesize
190KB

MD5
f4668d2351a07600f28402ccb80ad52e

SHA1
59540b2c387f39ee57a5e93dd327d78082dad6b3

SHA256
7d38a3bcaaf88ac7103b0502d99fd8b6e068ae7d2b040248aff760b2a5ab18be

SHA512
d5630a5c4211396ba3611de05eaa5d4835788d8aae1406c2a12b105e8c19176b81be152bf50abace563c4c206a043094373557d611a26b5221c3d577b4f201ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\mQwA.exe

Filesize
207KB

MD5
c570144fab395370729dbb6c8510960a

SHA1
43660ad9e7db15d269f6476e20d1e776e6df4d40

SHA256
448a6ac5b9409e2fb1eb0f409e0c44bb379a0043290da1ecb9cfdb662249fa01

SHA512
04a97d4c9da9e88efab76d83c0e6dcb589df25f72e112ae6c2e87b2b12e51e7938308aa6751a388a0b22f634278b4893ed5f7bdaee000404753d6f5d27145e8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\mQwo.ico

Filesize
4KB

MD5
383646cca62e4fe9e6ab638e6dea9b9e

SHA1
b91b3cbb9bcf486bb7dc28dc89301464659bb95b

SHA256
9a233711400b52fc399d16bb7e3937772c44d7841a24a685467e19dfa57769d5

SHA512
03b41da2751fdefdf8eaced0bbb752b320ecbc5a6dbf69b9429f92031459390fe6d6dc4665eebe3ee36f9c448a4f582ac488571a21acc6bba82436d292f36ac5

Download Submit
C:\Users\Admin\AppData\Local\Temp\mYgg.ico

Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\AppData\Local\Temp\msoc.exe

Filesize
196KB

MD5
5b34ea8f24af56c57ad83db8988409a2

SHA1
c8efa272b5feeeec708cd6f072335b2cce7985c4

SHA256
82ed50eb6a2cff46fefe431776d905c9b41bad425277c6a7c07c279688386d82

SHA512
aa6a10b8b5e9bc990ec15dfed6e4508229310533add57f5abe0b76fc71d4dc50047db3e504eab3032d2b3081cf330d0ba244361562a443f767d1e14d84eb7d5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\oEwQ.exe

Filesize
206KB

MD5
ffa223fd24116a4971d804bfd0755316

SHA1
f4811d28ab782a3cd650436b84fc66ac90abdc6c

SHA256
88e2cf821cbe5e26135215eecdb2274f98368fb40799dbe20f6e85e5e8d6b1da

SHA512
2f433b1d94fdf64bb863d57fddb7e9ba498f202c491ac0f813e8a1cf737df8441a5311770801e10ca8a6fd7bc672b4dd4f01dbe5082c47e840d6896e4c0a1df5

Download Submit
C:\Users\Admin\AppData\Local\Temp\oMcO.exe

Filesize
731KB

MD5
9f9fa3960f756adf7c96ee1dbb058ba6

SHA1
906031afaade9beefc6f11da2b6044165da00585

SHA256
6e576e0d9d8d7ef8b7257ff1b7bc67a5f132e330b1123ae8839e3050985819c0

SHA512
d7b434035b7e1a9e51f00ac7cb447e39344d06239d373db44a5a4e2019a4550111fdc807a952c1d69b55f4a25063c5b3ed23178600a8f32c84de6b094794dc31

Download Submit
C:\Users\Admin\AppData\Local\Temp\oQkM.exe

Filesize
192KB

MD5
dbbf5ca074c1b8549556b1d770ecc8ee

SHA1
4e4f3eca2dbf0a7c4f94b2263f5816b695015829

SHA256
a025deacd6a849466b44db82871ee7f520ccd1ba4c77f6352894b381e5c15ed0

SHA512
5a75491974dcb50efa6024af5b0826e351bbb5f606d60834f67db09df33a39c316f8b194ef408986eaa8b972dabbca1d85a3be2e4a7a92a81ee145561b2a84f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\oYIc.exe

Filesize
654KB

MD5
9c90a8caa98e1c2c050157f1bc3e6d57

SHA1
f8a2b52ba58f33c559121b6767997d663c4d9ebe

SHA256
75552d590769b2b35506f1f2c40dbbe9e4c4ee996cafa3b570bc14878c7736eb

SHA512
04e19e496eb628ca8d62628272fc597ac9b47f8704d2dc4140c69cdae90aa1b677fade85de636b568c2e88a1da8c551a34add2e9a45d0b3470f39bc9862df155

Download Submit
C:\Users\Admin\AppData\Local\Temp\qMYQ.exe

Filesize
519KB

MD5
f9a7b65af318efa42306f54316fc46a7

SHA1
67af26bfa46f7dcbf82a2e8d24f248bcc1e3e96a

SHA256
0b1766c6cec74b8ded105f7898ad90842048f4099c5f7ebe8eaf33320118a9bb

SHA512
5247959ea87a6843ec5884f39779bfd882e3ae6d7fc27b16bfac058f241fc460df235a3212b18cf60b60b103ac8cfbf4cdbb4c1b6c55e47a013f2b470e5e0e2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\qQUC.exe

Filesize
852KB

MD5
60fb96faf1f410eda431a19d57c83d25

SHA1
4b164376c620c1187b38c37a93c8c017772c8665

SHA256
10510cb532a23c98f344746efb2751965238063a9deab0a6fa62b0b73fc452c0

SHA512
84d403a40884819e0614a6ea2452c707c15d26ff1fd6bf26d3291230bb2ba9f69b2530b71b601de21aeb5de4c738f787c11038ee44da37b121e1b46c3f9dfeb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\qUQy.ico

Filesize
4KB

MD5
7ebb1c3b3f5ee39434e36aeb4c07ee8b

SHA1
7b4e7562e3a12b37862e0d5ecf94581ec130658f

SHA256
be3e79875f3e84bab8ed51f6028b198f5e8472c60dcedf757af2e1bdf2aa5742

SHA512
2f69ae3d746a4ae770c5dd1722fba7c3f88a799cc005dd86990fd1b2238896ac2f5c06e02bd23304c31e54309183c2a7cb5cbab4b51890ab1cefee5d13556af6

Download Submit
C:\Users\Admin\AppData\Local\Temp\qUYc.ico

Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\qYsK.exe

Filesize
808KB

MD5
f60ba1fca50aad4fbcb8025e67098ba2

SHA1
fcfb9a85a14a86846340c28b30f3d109e73639af

SHA256
835681cab9c02bf4c67e2c317820854ccb955f5cbe803743eb7b73b68afeee0b

SHA512
b3577ee010c47ffe97570cd828f04f59a599fb2e42e28a5425100d0c64a2dd6aaf81354210cda172d5881bcc498451dcd97d2c668a949a72ac92413809a6bed1

Download Submit
C:\Users\Admin\AppData\Local\Temp\qgcm.exe

Filesize
655KB

MD5
1799b7853a8d8a85bbe6ebe5f5a4404c

SHA1
1af29bc3afec23bfab58fbf5b0998097733fb649

SHA256
55566e861353549664bc5305e0d983be695de78a522c0a6b4afe0ee7206f4c3d

SHA512
bb79b729a0ae70484dbae5e08d97e7c8d9e26f1b5fef429ac2ecac02d06e3aba39ef9c10e86ddfebd8751fec1b5cfcbe2f342066b9246c4b43679da7219e2ac2

Download Submit
C:\Users\Admin\AppData\Local\Temp\sMYe.exe

Filesize
196KB

MD5
1b4d36ba45d6c4bb028f00003d15e49e

SHA1
8ab5662ec5d8daa551632f572ad43edc3d6aca41

SHA256
22c9672c2123f0bac1eb40736c75ede93528c865746b91bff1ff5274f0bf30ee

SHA512
3425e332ad1d2a6347ac045baebfbc914638648a24fc26d44e74253c10bc82d1078b6c2479039a4a2ed0f0065f22e5eabd291c460897fa9ae5ece2fa808ed865

Download Submit
C:\Users\Admin\AppData\Local\Temp\sYAk.exe

Filesize
225KB

MD5
f2163476ef1487a043e8f3beded933d4

SHA1
03259cdfa7619e12971ebca65aed7cd740d47325

SHA256
0ffd2bda85f48078f9e00ab6ba0b039014d1b78f0182134558c4865728464ba5

SHA512
3b21d536080d8a8d5f6706104068f6f425ee54ed026c79283d7f63453144e0fc965c89243052f0e1ded7e7d375eadf98b767c55cb65ef2faa9d12fb2ada82173

Download Submit
C:\Users\Admin\AppData\Local\Temp\soYa.exe

Filesize
201KB

MD5
e07b228d66a43667a2b7505f4efb8e78

SHA1
d252423f57187d19d5b4f488a537478defcdc7f0

SHA256
3d7bec8136e90fc61ddb0216f26e79d25692dd015082c10d4ecc8170cb68cb84

SHA512
c00320989ff56ede365d6bdb9bfdb265909c1c697d8eaf3501a7e899e442d55975fb5707fe826a4b268fbf4a32b8bb94358f55e812b857e8065ef79a3c0c5bda

Download Submit
C:\Users\Admin\AppData\Local\Temp\sokE.exe

Filesize
190KB

MD5
6a5200353b5cee1f322eb228a201dc3f

SHA1
8412e5d6d48a999571f89d2577a914836c60d4bf

SHA256
7145e33d72ea7557a0750ac97f253ae0c56a59304307ea43b7af2b415100cdc2

SHA512
d10d53f28ec97531712443382d5c56962896e78d37142cb00b13ecc28b859f52280158ed850d9fcc5826bfd875851b00e6c9b79ed233e20a2f786b38d1419632

Download Submit
C:\Users\Admin\AppData\Local\Temp\swMe.exe

Filesize
198KB

MD5
1edc280dcc7c34b71c549d5e16627d8a

SHA1
9a692950625c7f0e7f69ad5c518e45d54796fe76

SHA256
8cf9852b5764e039e376ec6d78f85b7d5ae9e5ab6e138522ad35b8c3861740a0

SHA512
b7bd2b918803c0e8748e4e20308ab4d78747cad6552d14f9c3957cf213651af0cd605ea532c085ba9c57e07ed4e4809605e711f89e214fe3eacead7a67082c49

Download Submit
C:\Users\Admin\AppData\Local\Temp\uEcg.exe

Filesize
193KB

MD5
090419ef54d337d7026b25d1931cf486

SHA1
a0a751f13e67680a58e69fd319cf778147977c42

SHA256
e05278fd273278d5b8297b4ade4bae815431f49cbd0704bfcea0627827f31dcf

SHA512
a0521a55317aa15a31f46f9f4f4adcb32729a3a3bb456d279057a2522ce8711e2d1675e01359013d30b0ab4c42d86f94557531465304d641fbad45138c544586

Download Submit
C:\Users\Admin\AppData\Local\Temp\uMgi.exe

Filesize
202KB

MD5
d62521e66de89edfc10e058ce9ca7ded

SHA1
82a735657a82ff90b94e56da47fba7aa5802f0bc

SHA256
5f2768105abeebd863f255fff4050e20b9608d920ec7d184fb22d870bf0a90ac

SHA512
49fc86cf8a25085e82502b410a67245b1efc22c3b1f4a86106a8a812ba188a956aa3c0bff1c9baacd31405eb1a20485f5f657d858b581dba5df1d4c750c0a05f

Download Submit
C:\Users\Admin\AppData\Local\Temp\uQwE.exe

Filesize
219KB

MD5
ec0d916b42df18f9e5a5d60992bd29ee

SHA1
1270dd0f262c1e52cd06925a77b898b44fbd7119

SHA256
d0446fb843eabd2de8d4eb2f3029e3c22885dcc5658b3fd217e2f0f92c05ba28

SHA512
72eae24329628225344fc433b7570e5781b07358abe3c41698c2f7993d75d9f9a9d2ceacd847e0a8e4c5d0920d6b97f3914ad43353242af19ce9fc99751a4c34

Download Submit
C:\Users\Admin\AppData\Local\Temp\uccQ.exe

Filesize
189KB

MD5
3d71e9c9cfcbaa863e3d58deddfba776

SHA1
68d8bba9ba8553d3ea6110c840579d1f39783036

SHA256
5a607828881bb60d8ae79730ec9426068b58e5225554c5b25c912f8c29ba9e58

SHA512
0a62e999c35925b6c55967689b7fa3166432b39262662e4d8413438818adca497b173b1273dbbf44345db28286fa2dfb2a8cb3bbea274994fbe3545b448e7cac

Download Submit
C:\Users\Admin\AppData\Local\Temp\ugYw.exe

Filesize
193KB

MD5
32a46dc55248a80c837958eb6ca07259

SHA1
c81c13aaed79bec7a5286ff6db578c5786f40152

SHA256
182ba59aa280e525594a2c551b0aa7f974f4467524799d4103f8b144039a0910

SHA512
e04f40893331cd1e70fd1f42d30249f4382f116cb5d1e5a7270772212f1b36e70c3328386e9219d731589562b88447514abdc3ee1ce5a54e963ad13afbef4db7

Download Submit
C:\Users\Admin\AppData\Local\Temp\wEcE.exe

Filesize
194KB

MD5
3accb5572d8f2e4e0efc9a0103d6ec00

SHA1
16f75fe0cf38c0fea33990c2e9589d463265d04e

SHA256
36a0744fc1c75f78f59a89bc06687aa94f4391e6079ca4c9ef5c0beb441027c2

SHA512
ab17e153a907eae3aa11fe1d857c984d5dbea7986b0f3e12de36d9fbb6400fa388d51dea722310a06b5d570366d1e40aba0559333460e5e8e0ff41fe7a1eee46

Download Submit
C:\Users\Admin\AppData\Local\Temp\wgsc.exe

Filesize
802KB

MD5
30305d15e45c70219e85f1d0aa8a90b3

SHA1
d1ba54465a7a96fb8aa8f555d1ed88343f868d4f

SHA256
b19d127a74244909d72f0a9437a0ddab4b8feba86f509190a1e706109db931c9

SHA512
9050d01ab887f16591c9047f7b1866fa38cb2089457c0348ea758055aaee5d3aabcf751527a27ec3d35c71ea4085a865247633ac7d8294fe64ffff1964763562

Download Submit
C:\Users\Admin\AppData\Local\Temp\wkUA.exe

Filesize
219KB

MD5
b765cf3442d39470d6c628d91b6c3679

SHA1
1945f2d46e967d3305e1f5856e2b3652c062afc6

SHA256
213bb4beebf800762a1b54eb877d30d7d5d085879d5681db899ab0710781ef9a

SHA512
6385692203ad7797f55491007c28b3780438a4715dfb0f9fa154336788f2bc4171a1a5a50d84607a68e7c97a1658f0910318c80e803298cfb857b9d0fb4d170c

Download Submit
C:\Users\Admin\AppData\Local\Temp\wkcw.ico

Filesize
4KB

MD5
6edd371bd7a23ec01c6a00d53f8723d1

SHA1
7b649ce267a19686d2d07a6c3ee2ca852a549ee6

SHA256
0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7

SHA512
65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\yEMq.exe

Filesize
191KB

MD5
24c89433a7e2d886e0214e09dc936d0a

SHA1
f93a69464716eed2bdac4d80686bcda560c32b34

SHA256
7d341ee6105a4b53d944a1e0079111a5be706fcad10d0b111dd1dc8db8244099

SHA512
80f2d90091619787ddc524129ea1d29376b68508f4b8505bb20ffba1466627bd58134907ad9a387beff151f7a979de48c9fb3960fed5268de014ca7c2f36761b

Download Submit
C:\Users\Admin\AppData\Local\Temp\yIUe.exe

Filesize
202KB

MD5
e3e8f1052cb3ef9dab6ece5df90b05e0

SHA1
23efc7b59c3f1f32ba74ed767984900b18272bd3

SHA256
35c6ceb447d9b9e010fb74021775cd4c0db90e3ed78894c28b9b1f9fba6a0b82

SHA512
4811ade6b2bf2f1e624fd4d2f86f728c1fc15bdfd4d58000722824e04791ecf865c0081f7c2bd1e6b374362e5ca81d1141faa16454b84edd8234d27c945adbd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\yIsy.exe

Filesize
192KB

MD5
588e638ba55c5c6c9f4e48305922c3ad

SHA1
97db096d3cdaa985cc5775ed45a8f4845d58bf75

SHA256
8b0bdec4e87817218fcbc469eb664b262a5eeef348e8e5f53e9230ab3c1aee28

SHA512
45ea00d9ea4908100eb91e740d0c44fb5ce5c0df5c65c22d236990062f1fb2946f90a6a2f42019200244846f82fb2d76888af905e7efb961c53d8b5d1054903f

Download Submit
C:\Users\Admin\AppData\Local\Temp\yUkY.exe

Filesize
196KB

MD5
a687692f3e5ec03ee9d725d610731ad8

SHA1
7165c1915a9c813a65ba98838a4d61f85af8a236

SHA256
0847a51ff54ebf2073f737172e2657ba722a12089c3ebf818974c59bfff03aa9

SHA512
faae120b409aa1a2c7173e98fd8686a8036a7ca1c0ee494b7f87b7ab1129d7a93865d242333458ab9da6361e2439712fa818c2f9a4084dc29db2a0e692cedf4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\yUoy.exe

Filesize
208KB

MD5
00a9e2b8b48c2044d6e733fc5b064b1d

SHA1
b95845e29eef4553d1a04c062b66842827aba49b

SHA256
4d4a0ab9177924803e6a3608ac9aee38d201389af54bb4b5c1476b63bc374207

SHA512
0331d83a8ab149add0bfc01fa1a4761038f53b4eac8969861c3f8d8ab2a80960c7875db7a0e3b1be55430c35c856fa1201377937802db6c06482d81f1cd9e114

Download Submit
C:\Users\Admin\AppData\Local\Temp\yggQ.exe

Filesize
185KB

MD5
b1e0af848b76785e723ee946237864a1

SHA1
a6f0fc275059510a81bac5d6d41d017b59654803

SHA256
4ce672cc2627373f1bef59b350e6364fcb3972fdd906c46cd9a8f61659ae12ac

SHA512
715a26aade352822225fdbb88868fd6a06b120eac61972be95d61119e3f8099a20eba0accd47f453be210a2410faa6fb2e754f82b97f51dcf1a27ed425d59661

Download Submit
C:\Users\Admin\AppData\Local\Temp\yoYM.exe

Filesize
216KB

MD5
9bcdce13a0a0a8c9e6c344edee46cb86

SHA1
6ce2bf6c192b8e134dca36c176dd6329ea91feae

SHA256
70c2d75c564b53bb8e0c0ac79a044692d6f60e87fe2a88d3d4286948e65f5200

SHA512
14b2fb25434c802cdc79d6a740bccaba836d7127581cf0e2dd993bc4fea34d379ba7a48ced5c2ba468b3cb4c9669101079e6b434b56038d7d4322b0da23154a1

Download Submit
C:\Users\Admin\UGYYsEII\kckIwMYg.exe

Filesize
180KB

MD5
c7a3e5d4b41c860d6eea31731abaccbb

SHA1
358598d46c79b271424f5f148619f5fe7bd822a1

SHA256
e8aef2f97ddbafdf021613689b0b5325f54b01ce281d8531b99bcfd87d56f91f

SHA512
d6942098b50d6f587b220123c4b151fad27dffd364da6a1518d82febc88b082a1dd5665b813c6adf12bbf32843f7fc93e5f387c30a21d6af22dfa637ad124baf

Download Submit
memory/100-242-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/212-307-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/224-663-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/244-32-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/264-580-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/624-503-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/624-360-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/716-415-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/716-423-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/752-279-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/760-493-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/844-485-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/844-478-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1000-681-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1016-318-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1016-308-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1040-102-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1044-519-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1120-715-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1124-673-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1240-137-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1244-622-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1336-725-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1352-206-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1496-113-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1512-148-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1584-414-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1584-405-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1592-271-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1604-159-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1604-173-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1628-184-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1636-588-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1640-195-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1652-904-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1784-442-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1784-432-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1848-655-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1872-431-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1908-955-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2020-344-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2084-66-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2216-450-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2232-630-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2236-527-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2360-720-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2360-788-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2392-352-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2492-562-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2580-231-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2580-220-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2628-326-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2688-253-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2688-1004-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2724-160-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2884-596-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2948-334-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3044-263-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3112-403-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3128-546-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3132-291-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3132-299-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3148-126-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3600-387-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3656-572-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3848-361-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3848-369-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3852-614-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3932-62-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3932-80-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3980-852-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4004-476-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4084-467-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4104-395-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4240-15-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4388-219-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4404-43-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4428-458-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4428-54-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4448-647-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4484-690-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4484-683-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4488-0-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4488-19-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4492-511-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4520-554-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4768-76-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4768-91-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4804-379-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4864-280-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4864-290-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4980-606-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5028-538-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5028-528-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5112-1050-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/5112-7-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download