c4826c9f70993ccd192b0f66c30a1f37f579f88efa3b3c9ff719ddae69b07a10

Analysis

max time kernel
150s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18-09-2024 20:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
Size

194KB
MD5

dec5fb1994d3579b05ee221e5a0d5410
SHA1

a61241d9f6162fd2ab9e2263267c7629d8327865
SHA256

c4826c9f70993ccd192b0f66c30a1f37f579f88efa3b3c9ff719ddae69b07a10
SHA512

b26d406a5eaa60392cf9f6ae6e2a85fbd3333c56a99f45274b221c802f8a7c6a4791d03f3cde6c47d2c34533bb72e713edb69a67d32cf75daa3e596b782236c1
SSDEEP

3072:5W5IeUtoX7UK453E9/hgSlWFwZoK0x55yU5mqwfK:wWtoX7K532J+FwZJUgU5mF

Score

10^/10

discovery evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (81) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	YkQkMccU.exe

Executes dropped EXE 2 IoCs

pid	Process
2216	YkQkMccU.exe
3128	wUMMMogU.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YkQkMccU.exe = "C:\\Users\\Admin\\gwwoYEQk\\YkQkMccU.exe"	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wUMMMogU.exe = "C:\\ProgramData\\sqYYYcYk\\wUMMMogU.exe"	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YkQkMccU.exe = "C:\\Users\\Admin\\gwwoYEQk\\YkQkMccU.exe"	YkQkMccU.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wUMMMogU.exe = "C:\\ProgramData\\sqYYYcYk\\wUMMMogU.exe"	wUMMMogU.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\shell32.dll.exe	YkQkMccU.exe
File opened for modification	C:\Windows\SysWOW64\shell32.dll.exe	YkQkMccU.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
5924	reg.exe
2336	reg.exe
5040	reg.exe
6132	reg.exe
872	reg.exe
3312	reg.exe
5288	reg.exe
5172	Process not Found
4956	reg.exe
3540	reg.exe
3600	reg.exe
832	Process not Found
4836	reg.exe
552	Process not Found
4876	Process not Found
2936	reg.exe
2912	reg.exe
5428	reg.exe
5536	reg.exe
2336	reg.exe
3528	reg.exe
5384	reg.exe
2608	Process not Found
4280	reg.exe
4700	reg.exe
3012	reg.exe
3772	reg.exe
1320	reg.exe
2844	Process not Found
5812	reg.exe
1660	reg.exe
2276	reg.exe
1444	reg.exe
2532	reg.exe
5760	reg.exe
4076	reg.exe
4064	reg.exe
4408	reg.exe
4388	reg.exe
1652	reg.exe
5732	reg.exe
5420	reg.exe
4024	reg.exe
4844	reg.exe
3236	reg.exe
1576	reg.exe
5480	reg.exe
3800	reg.exe
1180	reg.exe
4348	reg.exe
1672	reg.exe
5292	reg.exe
4488	Process not Found
4444	reg.exe
5728	reg.exe
984	reg.exe
5324	reg.exe
5932	reg.exe
4548	Process not Found
3528	reg.exe
4872	reg.exe
6104	reg.exe
2504	reg.exe
640	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4284	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
4284	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
4284	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
4284	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
5284	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
5284	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
5284	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
5284	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
5728	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
5728	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
5728	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
5728	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
3800	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
3800	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
3800	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
3800	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
468	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
468	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
468	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
468	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
1756	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
1756	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
1756	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
1756	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
976	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
976	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
976	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
976	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
2596	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
2596	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
2596	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
2596	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
576	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
576	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
576	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
576	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
1032	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
1032	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
1032	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
1032	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
2456	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
2456	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
2456	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
2456	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
396	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
396	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
396	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
396	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
2900	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
2900	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
2900	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
2900	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
3300	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
3300	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
3300	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
3300	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
5496	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
5496	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
5496	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
5496	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
4720	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
4720	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
4720	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
4720	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2216	YkQkMccU.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2216	YkQkMccU.exe
2216	YkQkMccU.exe
2216	YkQkMccU.exe
2216	YkQkMccU.exe
2216	YkQkMccU.exe
2216	YkQkMccU.exe
2216	YkQkMccU.exe
2216	YkQkMccU.exe
2216	YkQkMccU.exe
2216	YkQkMccU.exe
2216	YkQkMccU.exe
2216	YkQkMccU.exe
2216	YkQkMccU.exe
2216	YkQkMccU.exe
2216	YkQkMccU.exe
2216	YkQkMccU.exe
2216	YkQkMccU.exe
2216	YkQkMccU.exe
2216	YkQkMccU.exe
2216	YkQkMccU.exe
2216	YkQkMccU.exe
2216	YkQkMccU.exe
2216	YkQkMccU.exe
2216	YkQkMccU.exe
2216	YkQkMccU.exe
2216	YkQkMccU.exe
2216	YkQkMccU.exe
2216	YkQkMccU.exe
2216	YkQkMccU.exe
2216	YkQkMccU.exe
2216	YkQkMccU.exe
2216	YkQkMccU.exe
2216	YkQkMccU.exe
2216	YkQkMccU.exe
2216	YkQkMccU.exe
2216	YkQkMccU.exe
2216	YkQkMccU.exe
2216	YkQkMccU.exe
2216	YkQkMccU.exe
2216	YkQkMccU.exe
2216	YkQkMccU.exe
2216	YkQkMccU.exe
2216	YkQkMccU.exe
2216	YkQkMccU.exe
2216	YkQkMccU.exe
2216	YkQkMccU.exe
2216	YkQkMccU.exe
2216	YkQkMccU.exe
2216	YkQkMccU.exe
2216	YkQkMccU.exe
2216	YkQkMccU.exe
2216	YkQkMccU.exe
2216	YkQkMccU.exe
2216	YkQkMccU.exe
2216	YkQkMccU.exe
2216	YkQkMccU.exe
2216	YkQkMccU.exe
2216	YkQkMccU.exe
2216	YkQkMccU.exe
2216	YkQkMccU.exe
2216	YkQkMccU.exe
2216	YkQkMccU.exe
2216	YkQkMccU.exe
2216	YkQkMccU.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4284 wrote to memory of 2216	4284	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe	82
PID 4284 wrote to memory of 2216	4284	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe	82
PID 4284 wrote to memory of 2216	4284	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe	82
PID 4284 wrote to memory of 3128	4284	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe	83
PID 4284 wrote to memory of 3128	4284	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe	83
PID 4284 wrote to memory of 3128	4284	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe	83
PID 4284 wrote to memory of 4168	4284	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe	84
PID 4284 wrote to memory of 4168	4284	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe	84
PID 4284 wrote to memory of 4168	4284	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe	84
PID 4168 wrote to memory of 5284	4168	cmd.exe	86
PID 4168 wrote to memory of 5284	4168	cmd.exe	86
PID 4168 wrote to memory of 5284	4168	cmd.exe	86
PID 4284 wrote to memory of 5612	4284	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe	87
PID 4284 wrote to memory of 5612	4284	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe	87
PID 4284 wrote to memory of 5612	4284	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe	87
PID 4284 wrote to memory of 840	4284	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe	88
PID 4284 wrote to memory of 840	4284	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe	88
PID 4284 wrote to memory of 840	4284	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe	88
PID 4284 wrote to memory of 5128	4284	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe	89
PID 4284 wrote to memory of 5128	4284	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe	89
PID 4284 wrote to memory of 5128	4284	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe	89
PID 4284 wrote to memory of 4876	4284	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe	90
PID 4284 wrote to memory of 4876	4284	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe	90
PID 4284 wrote to memory of 4876	4284	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe	90
PID 4876 wrote to memory of 1884	4876	cmd.exe	95
PID 4876 wrote to memory of 1884	4876	cmd.exe	95
PID 4876 wrote to memory of 1884	4876	cmd.exe	95
PID 5284 wrote to memory of 3272	5284	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe	96
PID 5284 wrote to memory of 3272	5284	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe	96
PID 5284 wrote to memory of 3272	5284	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe	96
PID 3272 wrote to memory of 5728	3272	cmd.exe	98
PID 3272 wrote to memory of 5728	3272	cmd.exe	98
PID 3272 wrote to memory of 5728	3272	cmd.exe	98
PID 5284 wrote to memory of 3972	5284	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe	99
PID 5284 wrote to memory of 3972	5284	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe	99
PID 5284 wrote to memory of 3972	5284	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe	99
PID 5284 wrote to memory of 4188	5284	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe	100
PID 5284 wrote to memory of 4188	5284	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe	100
PID 5284 wrote to memory of 4188	5284	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe	100
PID 5284 wrote to memory of 4264	5284	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe	101
PID 5284 wrote to memory of 4264	5284	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe	101
PID 5284 wrote to memory of 4264	5284	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe	101
PID 5284 wrote to memory of 1160	5284	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe	102
PID 5284 wrote to memory of 1160	5284	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe	102
PID 5284 wrote to memory of 1160	5284	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe	102
PID 1160 wrote to memory of 3992	1160	cmd.exe	107
PID 1160 wrote to memory of 3992	1160	cmd.exe	107
PID 1160 wrote to memory of 3992	1160	cmd.exe	107
PID 5728 wrote to memory of 4476	5728	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe	108
PID 5728 wrote to memory of 4476	5728	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe	108
PID 5728 wrote to memory of 4476	5728	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe	108
PID 4476 wrote to memory of 3800	4476	cmd.exe	110
PID 4476 wrote to memory of 3800	4476	cmd.exe	110
PID 4476 wrote to memory of 3800	4476	cmd.exe	110
PID 5728 wrote to memory of 3528	5728	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe	111
PID 5728 wrote to memory of 3528	5728	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe	111
PID 5728 wrote to memory of 3528	5728	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe	111
PID 5728 wrote to memory of 3676	5728	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe	112
PID 5728 wrote to memory of 3676	5728	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe	112
PID 5728 wrote to memory of 3676	5728	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe	112
PID 5728 wrote to memory of 4912	5728	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe	113
PID 5728 wrote to memory of 4912	5728	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe	113
PID 5728 wrote to memory of 4912	5728	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe	113
PID 5728 wrote to memory of 1584	5728	2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe	114

C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4284
- C:\Users\Admin\gwwoYEQk\YkQkMccU.exe
  "C:\Users\Admin\gwwoYEQk\YkQkMccU.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:2216
- C:\ProgramData\sqYYYcYk\wUMMMogU.exe
  "C:\ProgramData\sqYYYcYk\wUMMMogU.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:3128
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4168
- - C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
    C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:5284
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3272
    - - C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:5728
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4476
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        8⤵
        
        PID:5808
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        10⤵
        
        PID:5628
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        11⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        12⤵
        
        PID:2544
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:640
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        16⤵
        
        PID:2912
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        18⤵
        
        PID:5388
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        20⤵
        
        PID:2956
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        22⤵
        
        PID:780
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        24⤵
        
        PID:460
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        26⤵
        
        PID:4804
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        28⤵
        
        PID:4600
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        30⤵
        
        PID:3880
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        32⤵
        
        PID:2252
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        33⤵
        
        PID:5516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        34⤵
        
        PID:3152
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        35⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        36⤵
        
        PID:3172
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        37⤵
        
        PID:5428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        38⤵
        
        PID:4700
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        39⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        40⤵
        
        PID:1568
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        41⤵
        
        PID:5184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        42⤵
        
        PID:5524
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        43⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        44⤵
        
        PID:2736
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        45⤵
        
        PID:4056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        46⤵
        
        PID:968
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        47⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        48⤵
        
        PID:5192
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        49⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        50⤵
        System Location Discovery: System Language Discovery
        
        PID:1676
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        51⤵
        
        PID:5712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        52⤵
        
        PID:2076
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        53⤵
        
        PID:3320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        54⤵
        
        PID:2948
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        55⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        56⤵
        
        PID:5632
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        57⤵
        
        PID:3616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        58⤵
        
        PID:1460
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        59⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        60⤵
        
        PID:3312
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        61⤵
        
        PID:3360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        62⤵
        
        PID:5624
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        63⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        64⤵
        
        PID:64
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        65⤵
        
        PID:4328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        66⤵
        
        PID:4016
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        67⤵
        
        PID:3748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        68⤵
        
        PID:4004
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        69⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        70⤵
        
        PID:1536
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        71⤵
        
        PID:336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        72⤵
        
        PID:1324
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        73⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        74⤵
        
        PID:3524
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        75⤵
        
        PID:3800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        76⤵
        
        PID:2280
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        77⤵
        
        PID:5480
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        77⤵
        
        PID:6020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        78⤵
        
        PID:5156
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        79⤵
        System Location Discovery: System Language Discovery
        
        PID:1048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        80⤵
        
        PID:5972
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        81⤵
        System Location Discovery: System Language Discovery
        
        PID:3604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        82⤵
        
        PID:6000
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        83⤵
        
        PID:4808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        84⤵
        
        PID:4016
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        85⤵
        System Location Discovery: System Language Discovery
        
        PID:5452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        86⤵
        
        PID:2440
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        87⤵
        
        PID:5432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        88⤵
        
        PID:4356
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        89⤵
        
        PID:5304
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        89⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        90⤵
        
        PID:4284
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        91⤵
        
        PID:5148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        92⤵
        
        PID:4476
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        93⤵
        
        PID:1268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        94⤵
        
        PID:5108
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        95⤵
        
        PID:3544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        96⤵
        
        PID:5156
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        97⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        98⤵
        
        PID:5624
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        99⤵
        
        PID:968
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        99⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        100⤵
        
        PID:2056
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        101⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        102⤵
        
        PID:2232
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        103⤵
        System Location Discovery: System Language Discovery
        
        PID:4556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        104⤵
        
        PID:1152
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        105⤵
        
        PID:5436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        106⤵
        
        PID:3528
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        107⤵
        
        PID:5732
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        107⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        108⤵
        
        PID:1324
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        109⤵
        
        PID:3312
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        109⤵
        
        PID:5524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        110⤵
        
        PID:3148
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        111⤵
        
        PID:888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        112⤵
        
        PID:4248
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        113⤵
        
        PID:3792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        114⤵
        
        PID:5048
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        115⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        116⤵
        
        PID:1952
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        117⤵
        
        PID:1032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        118⤵
        
        PID:4024
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        119⤵
        
        PID:3396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        120⤵
        
        PID:4776
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        121⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        122⤵
        
        PID:692
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        123⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        124⤵
        
        PID:1300
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        125⤵
        
        PID:3200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        126⤵
        
        PID:5600
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        127⤵
        
        PID:3880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        128⤵
        
        PID:2788
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        129⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        130⤵
        
        PID:5932
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        131⤵
        
        PID:868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        132⤵
        
        PID:5440
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        133⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        134⤵
        
        PID:3340
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        135⤵
        
        PID:6136
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        135⤵
        System Location Discovery: System Language Discovery
        
        PID:1680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        136⤵
        
        PID:4856
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        137⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        138⤵
        System Location Discovery: System Language Discovery
        
        PID:4864
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        139⤵
        
        PID:3272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        140⤵
        
        PID:1388
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        141⤵
        
        PID:3528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        142⤵
        
        PID:1508
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        143⤵
        
        PID:5836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        144⤵
        
        PID:3544
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        145⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        146⤵
        System Location Discovery: System Language Discovery
        
        PID:4188
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        147⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        148⤵
        
        PID:1184
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        149⤵
        
        PID:5592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        150⤵
        
        PID:1960
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        151⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        152⤵
        
        PID:6116
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        153⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        154⤵
        
        PID:3396
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        155⤵
        
        PID:6068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        156⤵
        
        PID:2096
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        157⤵
        
        PID:1208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        158⤵
        
        PID:976
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        159⤵
        
        PID:4240
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        159⤵
        
        PID:5332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        160⤵
        
        PID:868
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        161⤵
        
        PID:5384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        162⤵
        
        PID:2064
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        163⤵
        
        PID:552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        164⤵
        
        PID:5776
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        165⤵
        
        PID:3360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        166⤵
        
        PID:348
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        167⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        168⤵
        
        PID:4448
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        169⤵
        
        PID:4112
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        169⤵
        
        PID:5568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        170⤵
        
        PID:1984
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        171⤵
        
        PID:5972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        172⤵
        
        PID:5208
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        173⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        174⤵
        
        PID:2268
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        175⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        176⤵
        
        PID:4988
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        177⤵
        
        PID:1184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        178⤵
        
        PID:5876
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        179⤵
        
        PID:2956
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        179⤵
        
        PID:5904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        180⤵
        
        PID:4780
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        181⤵
        
        PID:552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        182⤵
        
        PID:3724
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        183⤵
        System Location Discovery: System Language Discovery
        
        PID:5600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        184⤵
        
        PID:684
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        185⤵
        
        PID:5800
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        185⤵
        
        PID:3808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        186⤵
        System Location Discovery: System Language Discovery
        
        PID:5284
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        187⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        188⤵
        
        PID:3296
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        189⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        190⤵
        
        PID:4192
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        191⤵
        
        PID:3532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        192⤵
        
        PID:6068
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        193⤵
        
        PID:4856
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        193⤵
        System Location Discovery: System Language Discovery
        
        PID:4284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        194⤵
        
        PID:348
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        195⤵
        
        PID:700
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        195⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        196⤵
        
        PID:5680
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        197⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        198⤵
        
        PID:5884
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        199⤵
        
        PID:4768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        200⤵
        
        PID:1144
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        201⤵
        
        PID:6108
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        201⤵
        
        PID:868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        202⤵
        
        PID:3276
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        203⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        204⤵
        
        PID:832
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        205⤵
        
        PID:3756
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        205⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        206⤵
        
        PID:4248
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        207⤵
        
        PID:1388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        208⤵
        System Location Discovery: System Language Discovery
        
        PID:3608
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        209⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        210⤵
        
        PID:684
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        211⤵
        
        PID:5284
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        211⤵
        
        PID:5664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        212⤵
        
        PID:1624
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        213⤵
        
        PID:1032
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        213⤵
        
        PID:6052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        214⤵
        
        PID:984
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        215⤵
        
        PID:4284
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        215⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        216⤵
        
        PID:3880
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        217⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        218⤵
        
        PID:6080
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        219⤵
        
        PID:6120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        220⤵
        
        PID:5332
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        221⤵
        
        PID:5848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        222⤵
        
        PID:5576
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        223⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        224⤵
        
        PID:3152
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        225⤵
        System Location Discovery: System Language Discovery
        
        PID:2008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        226⤵
        
        PID:868
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        227⤵
        
        PID:3844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        228⤵
        
        PID:1624
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        229⤵
        
        PID:4328
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        229⤵
        
        PID:888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        230⤵
        System Location Discovery: System Language Discovery
        
        PID:5756
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        231⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        232⤵
        
        PID:1388
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        233⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        234⤵
        
        PID:5432
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        235⤵
        
        PID:4300
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        235⤵
        
        PID:5692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        236⤵
        System Location Discovery: System Language Discovery
        
        PID:5592
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        237⤵
        
        PID:3236
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        237⤵
        
        PID:1396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        238⤵
        
        PID:3632
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        239⤵
        
        PID:5900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        240⤵
        
        PID:5624
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        241⤵
        
        PID:5324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        242⤵
        
        PID:4380
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        243⤵
        
        PID:5364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        244⤵
        
        PID:5212
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        245⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        246⤵
        System Location Discovery: System Language Discovery
        
        PID:6052
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        247⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        248⤵
        
        PID:1284
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        249⤵
        System Location Discovery: System Language Discovery
        
        PID:2188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        250⤵
        
        PID:832
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        251⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        252⤵
        
        PID:2320
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        253⤵
        
        PID:5172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        254⤵
        
        PID:6068
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        255⤵
        
        PID:748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        256⤵
        System Location Discovery: System Language Discovery
        
        PID:1648
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        257⤵
        
        PID:396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        258⤵
        
        PID:2056
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        259⤵
        
        PID:4216
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        259⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        260⤵
        System Location Discovery: System Language Discovery
        
        PID:4540
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        261⤵
        
        PID:5776
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock
        261⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock"
        262⤵
        
        PID:5852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        260⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        260⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        260⤵
        UAC bypass
        
        PID:3720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zCwsYsEg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        260⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        261⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        258⤵
        
        PID:2236
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        259⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        258⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        258⤵
        
        PID:4380
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        259⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NMkUUUgY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        258⤵
        
        PID:3076
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        259⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        259⤵
        
        PID:5180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        256⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        256⤵
        System Location Discovery: System Language Discovery
        
        PID:5680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        256⤵
        
        PID:5428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jeIskwcE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        256⤵
        
        PID:5224
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        257⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        254⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        254⤵
        
        PID:1036
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        255⤵
        
        PID:5324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        254⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KWEkssUE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        254⤵
        
        PID:5760
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        255⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        255⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        252⤵
        Modifies registry key
        
        PID:6132
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        253⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        252⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        252⤵
        Modifies registry key
        
        PID:1444
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        253⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IYcAYMMw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        252⤵
        
        PID:968
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        253⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        250⤵
        Modifies registry key
        
        PID:2276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        250⤵
        Modifies registry key
        
        PID:5932
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        251⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        250⤵
        
        PID:6060
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        251⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yGcQUooY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        250⤵
        
        PID:1624
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        251⤵
        
        PID:6104
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        251⤵
        
        PID:640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        248⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        248⤵
        
        PID:5652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        248⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JuokQwog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        248⤵
        
        PID:5940
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        249⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        246⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        246⤵
        
        PID:3096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        246⤵
        UAC bypass
        
        PID:3124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dQUsQQos.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        246⤵
        
        PID:5836
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        247⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        244⤵
        
        PID:5904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        244⤵
        
        PID:4488
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        245⤵
        
        PID:5804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        244⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dqwQQsQo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        244⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        245⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        242⤵
        
        PID:5680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        242⤵
        
        PID:5916
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        243⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        242⤵
        
        PID:4876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hUcAokQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        242⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        243⤵
        
        PID:5452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        240⤵
        
        PID:404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        240⤵
        
        PID:4188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        240⤵
        UAC bypass
        
        PID:3584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aQIwgsEI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        240⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        241⤵
        
        PID:1160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        238⤵
        
        PID:5516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        238⤵
        Modifies registry key
        
        PID:5292
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        239⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        238⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\osEYEYMc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        238⤵
        
        PID:5496
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        239⤵
        
        PID:352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        236⤵
        
        PID:2440
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        237⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        236⤵
        
        PID:4916
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        237⤵
        
        PID:4252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        236⤵
        UAC bypass
        
        PID:3172
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        237⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FigEUcIg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        236⤵
        
        PID:5632
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        237⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        237⤵
        
        PID:1300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        234⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        234⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        234⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bWwsAAgA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        234⤵
        
        PID:5424
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        235⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        235⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        232⤵
        Modifies visibility of file extensions in Explorer
        
        PID:748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        232⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        232⤵
        
        PID:576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fggIooUE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        232⤵
        
        PID:5580
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        233⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        230⤵
        Modifies visibility of file extensions in Explorer
        
        PID:976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        230⤵
        Modifies registry key
        
        PID:5728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        230⤵
        
        PID:2380
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        231⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\icEkYwkE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        230⤵
        
        PID:5760
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        231⤵
        
        PID:1160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        228⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        228⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        228⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ocEYkUAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        228⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        229⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        226⤵
        Modifies registry key
        
        PID:2504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        226⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        226⤵
        UAC bypass
        
        PID:4712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sKIAUcQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        226⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        227⤵
        
        PID:5392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        224⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:5040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        224⤵
        
        PID:2296
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        225⤵
        
        PID:5664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        224⤵
        UAC bypass
        
        PID:1780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BUsQQYsI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        224⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        225⤵
        
        PID:3204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        222⤵
        
        PID:5864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        222⤵
        
        PID:4700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        222⤵
        UAC bypass
        
        PID:1596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dccwoEcA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        222⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        223⤵
        System Location Discovery: System Language Discovery
        
        PID:1672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        220⤵
        Modifies registry key
        
        PID:5384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        220⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        220⤵
        System Location Discovery: System Language Discovery
        
        PID:5280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JkoQwcok.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        220⤵
        
        PID:3148
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        221⤵
        
        PID:3240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        218⤵
        
        PID:1460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        218⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        218⤵
        
        PID:4288
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        219⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JkoQUAMk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        218⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        219⤵
        
        PID:4228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        216⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        216⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        216⤵
        UAC bypass
        
        PID:4844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QUYsUskY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        216⤵
        
        PID:3692
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        217⤵
        
        PID:6000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        214⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        214⤵
        System Location Discovery: System Language Discovery
        
        PID:5684
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        215⤵
        
        PID:5496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        214⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\usUAgcIU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        214⤵
        
        PID:1324
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        215⤵
        
        PID:3396
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        215⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        212⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:5088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        212⤵
        System Location Discovery: System Language Discovery
        
        PID:3272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        212⤵
        UAC bypass
        
        PID:2704
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        213⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\woUwMUEs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        212⤵
        
        PID:5180
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        213⤵
        
        PID:5244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        210⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        210⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        210⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FuEUMYcQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        210⤵
        
        PID:5452
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        211⤵
        
        PID:3296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        208⤵
        Modifies registry key
        
        PID:5288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        208⤵
        
        PID:5788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        208⤵
        Modifies registry key
        
        PID:6104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tOcUgYUM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        208⤵
        
        PID:1036
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        209⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        209⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        206⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        206⤵
        
        PID:6096
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        207⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        206⤵
        
        PID:692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xekwMIIY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        206⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        207⤵
        
        PID:5440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        204⤵
        
        PID:5436
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        205⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        204⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        204⤵
        UAC bypass
        
        PID:972
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        205⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zQwAAgcA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        204⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        205⤵
        
        PID:3456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        202⤵
        Modifies registry key
        
        PID:3528
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        203⤵
        
        PID:3876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        202⤵
        
        PID:5468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        202⤵
        
        PID:5444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IGkkIskU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        202⤵
        
        PID:2540
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        203⤵
        
        PID:6136
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        203⤵
        
        PID:6064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        200⤵
        
        PID:628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        200⤵
        
        PID:372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        200⤵
        
        PID:5924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YqIMAkcI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        200⤵
        
        PID:5040
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        201⤵
        
        PID:1032
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        201⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        198⤵
        
        PID:5160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        198⤵
        
        PID:5304
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        199⤵
        
        PID:3340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        198⤵
        UAC bypass
        
        PID:1056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WmUAMwgs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        198⤵
        
        PID:5916
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        199⤵
        
        PID:5576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        196⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        196⤵
        
        PID:5332
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        197⤵
        
        PID:776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        196⤵
        UAC bypass
        
        PID:1036
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        197⤵
        
        PID:1208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KIEwMoYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        196⤵
        
        PID:5172
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        197⤵
        
        PID:5336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        194⤵
        
        PID:468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        194⤵
        Modifies registry key
        
        PID:2336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        194⤵
        
        PID:3724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PWMkcEUE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        194⤵
        
        PID:1356
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        195⤵
        System Location Discovery: System Language Discovery
        
        PID:5192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        192⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        192⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        192⤵
        
        PID:5436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XgsYwUkI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        192⤵
        
        PID:5620
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        193⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        193⤵
        
        PID:3720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        190⤵
        
        PID:2528
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        191⤵
        
        PID:3300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        190⤵
        
        PID:5148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        190⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hkEwkUcE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        190⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        191⤵
        
        PID:3272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        188⤵
        
        PID:3576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        188⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        188⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IAcsMQgQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        188⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        189⤵
        
        PID:6108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        186⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        186⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        186⤵
        UAC bypass
        
        PID:4080
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        187⤵
        
        PID:1208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\giIYcIIg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        186⤵
        
        PID:3148
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        187⤵
        
        PID:5420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        184⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        184⤵
        Modifies registry key
        
        PID:3800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        184⤵
        
        PID:5496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CwAIsYEY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        184⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        185⤵
        System Location Discovery: System Language Discovery
        
        PID:4268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        182⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        182⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        182⤵
        UAC bypass
        Modifies registry key
        
        PID:1320
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        183⤵
        
        PID:456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KMIcwksw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        182⤵
        
        PID:352
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        183⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        180⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:1948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        180⤵
        
        PID:5024
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        181⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        180⤵
        UAC bypass
        
        PID:4956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nEIcUoAY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        180⤵
        
        PID:3168
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        181⤵
        
        PID:5804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        178⤵
        Modifies registry key
        
        PID:1672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        178⤵
        
        PID:5924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        178⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VMwcUAIE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        178⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        179⤵
        
        PID:5136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        176⤵
        
        PID:396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        176⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        176⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\neswwMEQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        176⤵
        
        PID:4216
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        177⤵
        
        PID:3600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        174⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        174⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        174⤵
        UAC bypass
        
        PID:3012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAUkoooE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        174⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        175⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        172⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        172⤵
        
        PID:3156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        172⤵
        
        PID:3992
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        173⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SaMEsksU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        172⤵
        
        PID:888
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        173⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        170⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        170⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        170⤵
        UAC bypass
        
        PID:4360
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        171⤵
        
        PID:6132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EUkIkYsM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        170⤵
        
        PID:5664
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        171⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        171⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        168⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        168⤵
        
        PID:840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        168⤵
        UAC bypass
        
        PID:5680
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        169⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qoEoQQsk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        168⤵
        
        PID:4328
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        169⤵
        
        PID:3160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        166⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        166⤵
        
        PID:1812
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        167⤵
        
        PID:5412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        166⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\euMgkIAg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        166⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        167⤵
        
        PID:3164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        164⤵
        Modifies registry key
        
        PID:3236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        164⤵
        
        PID:5732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        164⤵
        
        PID:5244
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        165⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hqAQYYso.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        164⤵
        System Location Discovery: System Language Discovery
        
        PID:5804
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        165⤵
        
        PID:5980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        162⤵
        Modifies visibility of file extensions in Explorer
        
        PID:6108
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        163⤵
        
        PID:1152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        162⤵
        System Location Discovery: System Language Discovery
        
        PID:3592
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        163⤵
        
        PID:3496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        162⤵
        
        PID:6136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nosUEcgI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        162⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        163⤵
        
        PID:5668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        160⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        160⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        160⤵
        UAC bypass
        
        PID:3176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fIwcwIgM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        160⤵
        System Location Discovery: System Language Discovery
        
        PID:3016
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        161⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        158⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        158⤵
        
        PID:5796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        158⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uIsYccQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        158⤵
        System Location Discovery: System Language Discovery
        
        PID:5580
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        159⤵
        
        PID:4808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        156⤵
        
        PID:1356
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        157⤵
        
        PID:736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        156⤵
        
        PID:456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        156⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\isosEUsw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        156⤵
        System Location Discovery: System Language Discovery
        
        PID:1584
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        157⤵
        
        PID:6120
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        157⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        154⤵
        Modifies registry key
        
        PID:5480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        154⤵
        
        PID:3876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        154⤵
        
        PID:912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SIQEUAoY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        154⤵
        
        PID:5064
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        155⤵
        
        PID:5200
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        155⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        152⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        152⤵
        System Location Discovery: System Language Discovery
        
        PID:1492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        152⤵
        UAC bypass
        
        PID:1032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pAckEIgE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        152⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        153⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        150⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        150⤵
        Modifies registry key
        
        PID:4444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        150⤵
        Modifies registry key
        
        PID:4388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hcAoEooM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        150⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        151⤵
        
        PID:4252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        148⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        148⤵
        Modifies registry key
        
        PID:5324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        148⤵
        UAC bypass
        
        PID:5384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fscAYsgc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        148⤵
        
        PID:3792
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        149⤵
        
        PID:5492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        146⤵
        
        PID:5664
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        147⤵
        
        PID:5224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        146⤵
        Modifies registry key
        
        PID:4836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        146⤵
        UAC bypass
        
        PID:2160
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        147⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rGkwcUAc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        146⤵
        
        PID:3240
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        147⤵
        
        PID:5900
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        147⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        144⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        144⤵
        
        PID:1324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        144⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oUQYAsEU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        144⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        145⤵
        
        PID:976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        142⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        142⤵
        
        PID:5128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        142⤵
        
        PID:444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wEcgcYUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        142⤵
        
        PID:700
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        143⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        140⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        140⤵
        
        PID:5776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        140⤵
        
        PID:5436
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        141⤵
        
        PID:3300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eKkIUMcA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        140⤵
        
        PID:6016
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        141⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        138⤵
        
        PID:5668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        138⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        138⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YqAEUUgM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        138⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        139⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        136⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        136⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        136⤵
        Modifies registry key
        
        PID:4024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TSUogAIE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        136⤵
        
        PID:5304
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        137⤵
        
        PID:552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        134⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        134⤵
        
        PID:576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        134⤵
        
        PID:6092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lQoocAMA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        134⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        135⤵
        
        PID:5756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        132⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        132⤵
        Modifies registry key
        
        PID:3012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        132⤵
        Modifies registry key
        
        PID:3772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JyskAAEw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        132⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        133⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        
        PID:5224
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        131⤵
        
        PID:5156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        
        PID:5900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        UAC bypass
        Modifies registry key
        
        PID:4348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VUsoQogs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        130⤵
        
        PID:4336
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        131⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        131⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        
        PID:5852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        
        PID:5496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        UAC bypass
        
        PID:5788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mawcAUQE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        128⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        129⤵
        
        PID:4188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        
        PID:736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wsggQkMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        126⤵
        
        PID:6120
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        
        PID:832
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        125⤵
        
        PID:352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        UAC bypass
        
        PID:3756
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        125⤵
        
        PID:6020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\csQsYAgQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        124⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:3276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        Modifies registry key
        
        PID:1180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\duYIkocQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        122⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        
        PID:5180
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        121⤵
        
        PID:3084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dkEgQwgQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        120⤵
        System Location Discovery: System Language Discovery
        
        PID:4700
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        121⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:5632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        UAC bypass
        Modifies registry key
        
        PID:3600
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        119⤵
        
        PID:4876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jocEgEwk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        118⤵
        System Location Discovery: System Language Discovery
        
        PID:5252
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        
        PID:776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        
        PID:4548
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        117⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        UAC bypass
        
        PID:5324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nMEMkEIk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        116⤵
        
        PID:4860
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        
        PID:5800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        Modifies registry key
        
        PID:3540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        
        PID:4240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\swAIQAgs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        114⤵
        
        PID:5928
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:5704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        
        PID:4492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        Modifies registry key
        
        PID:2336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uwUsQIIg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        112⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:3872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        
        PID:4112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UeIcgMsE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        110⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        
        PID:5628
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        109⤵
        
        PID:3360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        
        PID:5196
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        109⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UOYMIMMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        108⤵
        
        PID:3224
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:6060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        
        PID:6028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        UAC bypass
        
        PID:3616
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        107⤵
        
        PID:5204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lSwEwMss.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        106⤵
        
        PID:912
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        107⤵
        
        PID:5652
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        
        PID:1576
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        105⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        UAC bypass
        
        PID:3084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lksMEkgw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        104⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        
        PID:5520
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        103⤵
        
        PID:3320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:5536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        UAC bypass
        
        PID:4876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dacIAMkA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        102⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:5432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        
        PID:5364
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        101⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        UAC bypass
        
        PID:4280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YygcgAoA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        100⤵
        
        PID:5592
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        System Location Discovery: System Language Discovery
        
        PID:3748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        
        PID:6132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gskIsgYI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        98⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        
        PID:1320
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        97⤵
        
        PID:640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kkAowQMM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        96⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:5328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        
        PID:6120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        
        PID:736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        
        PID:2544
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        95⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VckMIQYQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        94⤵
        
        PID:888
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        System Location Discovery: System Language Discovery
        
        PID:704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        Modifies registry key
        
        PID:4076
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        93⤵
        
        PID:1460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        UAC bypass
        
        PID:2100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FMcsUoYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        92⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:5732
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        91⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        
        PID:780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        UAC bypass
        
        PID:5076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DsEQQUcc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        90⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        
        PID:5200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        Modifies registry key
        
        PID:1576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        UAC bypass
        
        PID:4900
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        89⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AwkkwQws.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        88⤵
        
        PID:5428
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:3496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:5520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EmEwYEoM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        86⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        System Location Discovery: System Language Discovery
        
        PID:4380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        Modifies visibility of file extensions in Explorer
        
        PID:6136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        Modifies registry key
        
        PID:5420
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        85⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        UAC bypass
        
        PID:1032
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        85⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WIkEIYUs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        84⤵
        
        PID:5160
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:5152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qwYkIEQE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        82⤵
        
        PID:3328
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        
        PID:228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        UAC bypass
        
        PID:2276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\twskcsgw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        80⤵
        
        PID:808
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        
        PID:888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        
        PID:868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        System Location Discovery: System Language Discovery
        
        PID:4352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BKcAAggs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        78⤵
        
        PID:5980
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        
        PID:1460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        Modifies registry key
        
        PID:4408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmcMcoks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        76⤵
        
        PID:352
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        77⤵
        
        PID:6096
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        Modifies registry key
        
        PID:4700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RecYAIoA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        74⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        Modifies registry key
        
        PID:5428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        Modifies registry key
        
        PID:5760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        UAC bypass
        
        PID:2504
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        73⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SmkwgIUA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        72⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:3292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        Modifies visibility of file extensions in Explorer
        
        PID:6108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        
        PID:5024
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        71⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        UAC bypass
        
        PID:5520
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        71⤵
        
        PID:3320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YCkYkccQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        70⤵
        
        PID:3308
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:6080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        
        PID:5324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        UAC bypass
        
        PID:4836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cgQcMUwI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        68⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        
        PID:4860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        
        PID:3328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        
        PID:1184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aEEkYcAg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        66⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        UAC bypass
        
        PID:2468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tewgMUEc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        64⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:3156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        Modifies registry key
        
        PID:2532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        
        PID:3096
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        63⤵
        
        PID:4056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        UAC bypass
        
        PID:2480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZEksosEw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        62⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        
        PID:3756
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        61⤵
        
        PID:5524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bwcEAkYo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        60⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:5804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:4872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        Modifies registry key
        
        PID:5732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        UAC bypass
        
        PID:1144
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        59⤵
        
        PID:5184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LwoQogks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        58⤵
        
        PID:676
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:5480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        Modifies registry key
        
        PID:1660
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        57⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        
        PID:5204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jWwYIQkY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        56⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:5652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:1308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:1352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lGgwscAg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        54⤵
        
        PID:5728
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        Modifies registry key
        
        PID:4280
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        53⤵
        
        PID:3152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:5540
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        53⤵
        
        PID:1060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        UAC bypass
        
        PID:6136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EIIEkQcs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        52⤵
        
        PID:5272
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:5304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SyUsQokU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        50⤵
        
        PID:5292
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        Modifies registry key
        
        PID:640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        UAC bypass
        Modifies registry key
        
        PID:5812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CuAwIIYc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        48⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:5748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        
        PID:212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        
        PID:5580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XscMUIsQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        46⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:4328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        System Location Discovery: System Language Discovery
        
        PID:3024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        
        PID:6096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DCEwosEg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        44⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        
        PID:2500
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        43⤵
        
        PID:3312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VQQIsccw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        42⤵
        
        PID:560
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:5156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        
        PID:6088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        UAC bypass
        Modifies registry key
        
        PID:4956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LCIgkUso.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        40⤵
        
        PID:1356
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        41⤵
        
        PID:1388
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        UAC bypass
        
        PID:3124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GAoEsswc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        38⤵
        
        PID:5148
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:5424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        
        PID:1060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        UAC bypass
        
        PID:4908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MeEcckwg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        36⤵
        
        PID:848
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:3336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:5316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UMYYAoQY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        34⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:3320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies visibility of file extensions in Explorer
        
        PID:808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:4172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        
        PID:4860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JAssYYQM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        32⤵
        System Location Discovery: System Language Discovery
        
        PID:1676
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        
        PID:628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        
        PID:1208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        UAC bypass
        
        PID:4068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RAwIkUss.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        30⤵
        
        PID:3156
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:5408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        System Location Discovery: System Language Discovery
        
        PID:1452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        Modifies registry key
        
        PID:4064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        
        PID:4292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BmsgoIgw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        28⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:5804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:3456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bQcUIgoE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        26⤵
        System Location Discovery: System Language Discovery
        
        PID:1416
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        
        PID:3528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        
        PID:4204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        
        PID:1388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wwAAAYgE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        24⤵
        
        PID:5468
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        
        PID:5432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:4224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        UAC bypass
        Modifies registry key
        
        PID:2936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aQYIIwEo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        22⤵
        
        PID:4452
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies registry key
        
        PID:5924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:5304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        UAC bypass
        
        PID:4276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KCAAoEUI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        20⤵
        
        PID:5612
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:5476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vqIIAQUo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        18⤵
        
        PID:5736
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:3320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:3584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        UAC bypass
        
        PID:1900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jMcUQcIo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        16⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:3240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        
        PID:220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        
        PID:208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tggMMkwk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        14⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:5932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:3344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        
        PID:3544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XOIgMgQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2540
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:5208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:5288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        
        PID:3200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SAAMQIkw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        10⤵
        
        PID:3780
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies registry key
        
        PID:872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YIkUsgso.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        8⤵
        
        PID:5472
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:2736
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies registry key
        
        PID:3528
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:3676
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        
        PID:4912
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eAUIEQcQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
        6⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:2900
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:3972
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:4188
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:4264
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QywUIwUo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1160
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:3992
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:5612
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:840
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:5128
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FYkwEYEE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4876
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:1884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe

Filesize
220KB

MD5
c64480997484b64c33298cd646e5afae

SHA1
7730b895f60c4831da1993b077b8f252e55bbed0

SHA256
6be2fd2ba741da6377ab053491c0022ca8f9617cef8a97a57074aa01b5924c63

SHA512
686b40177d978e2925bb60b58306ac9bdde45f079cdb3f01e1d9f1cce97053e1d4ddf562855cf3264dc44ab2f389f1b693707e2b185947759a91922aca87e903

Download Submit
C:\ProgramData\sqYYYcYk\wUMMMogU.exe

Filesize
190KB

MD5
ce3011ce3d8b87dac09269322f89fe79

SHA1
891d4f55535c4a20abad06f2b781b27b32e6ad01

SHA256
be401d35ff79e2a20f142610e4e688f4cb6037ff6186b3bf59d5f5d0b3309301

SHA512
944c521ffefa01577bb52c440e4664ad833e5d24b9ed0ce3052f605a52baf1d7903a68aa44dc584217ab652b9013fe80454581bcf6c273c947325cbf505bebab

Download Submit
C:\ProgramData\sqYYYcYk\wUMMMogU.inf

Filesize
4B

MD5
e129cf97910b51dd56c2ce0f2d831cc0

SHA1
848d7e913908b26cd6f071ae00c9d144ac6e4385

SHA256
df9b8d598a8d577f87e8b91df9129d39ac6e261aca60dd3fc278a517acbe4376

SHA512
8ba54397dcd02aff006799376b284b407953a588776aabf9f671dc37262571ffbbeaeeea8e62cbdcac1f22b8988e7958519534f08f11fa0adaf4096b9c972e07

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\128.png.exe

Filesize
193KB

MD5
26caf5729d3c6f7145ffed9aaa484838

SHA1
1645156b9d07977e88440fca76aa2dbc4e35ba6c

SHA256
9d2e3fed60738920a6f7785071d0a2c394d5f7ae5bd0a0ea1598bc689bfdca53

SHA512
28d79a4a5fcc692fda7f55e14e2a544feda540fb125152991c004b20b27a4e177716555027763d43b58b35ccd0cda6e23fb24f287a91dd2b7efac2f13fe5f701

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\64.png.exe

Filesize
191KB

MD5
97758b50b51bc3f54ff438b1b62100a6

SHA1
2242e7ea434a2469a1d2d5a18dbd76303d206b92

SHA256
ae4b298c759608b48b9483ec6721107efa68df31ecd248ea76121b80d476334f

SHA512
f1b099c1b2fc40a9fe019d69587d7b78add271e7e706f4161af10f786b9b9f1fe061857185157f53077dedc914d9483195287e2cf75518c2ebe9f4990fcbd3b4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\192.png.exe

Filesize
198KB

MD5
d71705695b4f66288f05f90be7945d7c

SHA1
416189c8df4b11aa78d7d36793c918eba4fdc22a

SHA256
49e5b01521501ccd25da083c0e1e772ccc4ad82598735eca79e2344525fe8063

SHA512
60d26cf98f7d0bc7ed28a8290ab7ea96a070b02cc4176e434af77934d30a94ec462cc9bfca4321cb5bada479bd071d82243bfd7695b4534ae2f47d112c0fab12

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\32.png.exe

Filesize
189KB

MD5
91b0dae31ae2ed807afd32ea7d0f4949

SHA1
cf558e0650a97630e3ece2883f01b6cc56ec649a

SHA256
52d378e20ba4029def35a902d66ab48c14c28395cd10b94d22d0529694efc14d

SHA512
7a8044be7ae78a8f8b61be900bd1a1e475fed1bcd3d7b22aaf80a1164f82829cc9677aa53185d917aaa40b8068d624e906f9f59a863592d770f5e5ed11005ff3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaCritical.png.exe

Filesize
199KB

MD5
b2eb942193a81af5ab04c167b59a399e

SHA1
122c8763df4c4d1cafc7ce54210868530165fdf4

SHA256
dc751ffabdcbedddff06facfb16fb1df937be131f2fcc10a26d6b68624189885

SHA512
ef74f6e181f37be213119c56f3673612bec536001f5d87743bba49bbe04a499cc001d301f598859a41f876370a945abc91275b18f8f9f166e3a708418b8f73f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-400.png.exe

Filesize
190KB

MD5
4b3338dcba0d80339e3b88bc1d62b6a7

SHA1
7193529bd55dcf6191e8c4a062487c973c07bb32

SHA256
804423db6bd3d69465dc46365fbbcd8f4587cf11d81b74a1e739a4e96a07eb82

SHA512
c873078730b435c364985e8eeed638265557a343bdc548d6f6266de38dd0e2e49c0b5c1088fe4917f741a47bc1166326327c14761183c751706e1077ac6c6a92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-400.png.exe

Filesize
197KB

MD5
f81c9978e78b2b837cbe43457b4b6895

SHA1
44e76ff0c8cc688e458a297c5ca69a08b2ac9b79

SHA256
eb1209cba47ea143f507fba5a3f49869dbd7ac07175f34276be8f480a813aeee

SHA512
152dfac3f1a8249fa0be71521ea0ec9ddb6e14a8c8818aff7c32cdf47cc24cdd6e13bcd78f431faa6de7ee375225c16e51673d05048cf3efa12701f6dcdc8e8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-09-18_dec5fb1994d3579b05ee221e5a0d5410_virlock

Filesize
7KB

MD5
3ed2012c1c8e57798e077855d8e8ebc6

SHA1
db4b84afb91f8fb3759c97dad938b01bd8bb9059

SHA256
e637ba906569d2393bfa7db260611cb966b149431eef1137da488aa3764a3ca0

SHA512
185f834ad9bffa42f7c3fd5bdb43f3b861d77e0ada4faea2d51e3d5a1441928e441e007fb60f8b53813f508794cb1c43b9e675ce326b80cf44f9ee13620e4692

Download Submit
C:\Users\Admin\AppData\Local\Temp\AAIa.exe

Filesize
211KB

MD5
74b101fb5b1cbaacf4be7bf69352c900

SHA1
918eee5128d1820794fdf59d7a93df840fd2eb9c

SHA256
db920cc0d5fcf6b2d5a0c336c59deac78e0b1af902f72d4dc328e085bb248d51

SHA512
a848d0be5ac3eba1ec1a06ca3899ff2d88679df167466ab0607f4e1dfe89cd4497be88930113e9f3d3dde0284036a7695d583cb9e7b0eb41e88e445f1a7696dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\AgAg.exe

Filesize
226KB

MD5
ffb8f1116389711891a27fa75f568c73

SHA1
c13a35c793c468ce4acd2e2cabd867782924b4b5

SHA256
7aa1b0060f17a18179cd0a61c0b699f21579dea46fd700dea467bfe2e44ecf4e

SHA512
60317176d1c5a32bce1bb71e1f0d3d03c401a6eb90f7cd8041e0d84e208282627a5ca629fa1f1216a244e63193ca75ee274df6b26f704fc8b85f0fa40898cd91

Download Submit
C:\Users\Admin\AppData\Local\Temp\CAES.exe

Filesize
195KB

MD5
ed678d8ad2a836f843d6c02cf4ae4c3d

SHA1
5c21cbf776072effb9a826eec87c03d3bba4e003

SHA256
5be41f4f83ec7eccdc035ac925c0b3728c354598e919df7f813bb1fc56deb9fc

SHA512
243145981336287b79336b05c9c0e991a17cb3a11e80fd5ece452c5553d20b9cbcd276e0a4a4febe8c49d7044cc32437debce4586cc2a283171a5da20ac154b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\CMkI.exe

Filesize
648KB

MD5
b4bcb09d1c86559e23d0254455916bc4

SHA1
25eb9ee9e0c5a652be46ab879d90cfebb1b52d4d

SHA256
a9aec60f9a1ddc3602d16f57e3ca4eb9b8e4c27c94875f330213cb0ebf35b6f4

SHA512
1a07e0a4d75273a7bdb41da5a6a3e8888a0f60d0b5657c8a21a68f040652294ba466c9f69ea70c4d10cda6dbbda9d13f15b3f96677aed7de4ccb99e2e162f01a

Download Submit
C:\Users\Admin\AppData\Local\Temp\CMsS.exe

Filesize
810KB

MD5
349a187fd410e4b71b47cfbeff027204

SHA1
dc32285dbc560dd50e010cc3eb17f28a17e082ca

SHA256
e7b2b36c233ca8a404bfad4530f5ba3ef5803bafdf647fb1c725cde3ace719ab

SHA512
332cf2ce5a9bf7c94dcfcd331b385a59abc2520ef6adb4120fe250fa056292e4831f92c433280d3bcddfacf0f66a739781690cb3fcf3d1882ba235876a4a748f

Download Submit
C:\Users\Admin\AppData\Local\Temp\CksY.exe

Filesize
809KB

MD5
c8507a15681a4bc1feb0954839136aab

SHA1
e34a1cd64e9f493b1d1908b14339512eea05bf2a

SHA256
348cc1c7f08397b10601ced25eaf7af23eaf76b71ea6660d7aea14bbbb3810a3

SHA512
262213232f7474367ee9a4c60829563354f45b1829f45094142e25f7d5b32755312cdb9ba542916d9faf2a3859a0dfe60f7a32702270686cdc7fc854dead26aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\CscK.exe

Filesize
5.9MB

MD5
d5b4c9ac89324f437df9cd9385c8118d

SHA1
5096499fff3f8b88810e62790dbae0898f80e005

SHA256
16a57f39a52f75e12289f5c8fa4fb079f32e48513ace3393bbecd61cb3d93d50

SHA512
f25bf3ce6a4a1682324ffad361f2ccfad129fb30d8561c0dfd6272d252064edcf89822901485a37e7955db011849e5681895c6b54fd8937cce35ed291c7bedbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\EAUO.exe

Filesize
941KB

MD5
20eff58a8de0f3ad8fab07c77b742ce8

SHA1
5a042619c46760b30bc349f704528c88cfbd6694

SHA256
e99683da0b32a7f55b5d6d4a0cb780e49eda6463b6127af60a428e0f338ba7dc

SHA512
271deb0c2db5e40b18be43f116949f0f281a70f1e4affcea29a0cd199fc8cbba2f6776a22ca63b3be01d114eb88be0c41cafa310c48a0054cb0782e236f610cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\EIUC.exe

Filesize
190KB

MD5
92aae07b3da2a042889a619185eaa878

SHA1
10a4630e6675a9897b904f6838833ef1a792decd

SHA256
2a82d237c3adfd8978e6c7422935812d7d4a6d0904d73ef12301ee94b0f5b72c

SHA512
f460798285e91fbd30a049332c07c8d41e6a2f1952cf5674302df0302964e8e21dee9d088e35d5547768d24c7c1f165497901b7671a15d2efdb743e6a5bf620d

Download Submit
C:\Users\Admin\AppData\Local\Temp\EIgY.exe

Filesize
198KB

MD5
4303d746f0eec41672151614ed1df526

SHA1
0728fd8931bb4b10d666be1c35b74a869ffa752f

SHA256
07ec3d8a79cfdcc807afdcf45f0c69259ba02b5f97ec89e73b9dc5be9880b031

SHA512
b482a006b92ca54a4f388086df803293a0513a262365dadec3c99762500f880fbe362e46657989e415e9ecfe41cb15dc5875d8bcdefcc76cc14a601d441418f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\EQgm.exe

Filesize
198KB

MD5
1fa4cd92c1f16ffd84b8be22e8e636bc

SHA1
d02a0c6f3f0eeb981c3935a8b46ce603f54d8852

SHA256
e4c57fa364cbf3d26f63509eff1cb9347b7d39d0ab328c2afc5f8068b1249e32

SHA512
c0a47c45d4f9b2b16e7fffa21081db2652135d60745667fefebbd4d8234f1342eda6da7614f2890d1f4cfc41c92c2fb3e57b1fd4e7911086c5b203791d329515

Download Submit
C:\Users\Admin\AppData\Local\Temp\EQoY.exe

Filesize
182KB

MD5
e67c81df6d16e89a2ab50859c3f8c72a

SHA1
5f7fa2324f015b666400b408fec3f9e4e24f6261

SHA256
7571f51614d079d1f7d8e8fb79c837f335e27c5996948421d78541c37e036000

SHA512
dd0beb64731897cb09e8069d58383344ac944925d2ee96d686b125974ad63ad6c37dcd2661e9cba0667b7c5a0f716ed56b1c1af3f3cefbf9bc80f4c5b388da45

Download Submit
C:\Users\Admin\AppData\Local\Temp\EQwO.exe

Filesize
196KB

MD5
ab1dd52e2e7a5bbed567936d5541b709

SHA1
48309bb301dd606eec550ff85ab05ce024c614a7

SHA256
027419282fc2559c8230a27ac178aa3c2cda260de37dffaf0d9f98283e5beedb

SHA512
b6a6d82ccf0ca04b52c217655b66c1bc5e39af30935d466d48b99799785edf28cf3577bf601dcf49bcf48ac6184d4dc9d17f578855a6a62eb4d9ad6d4427b00f

Download Submit
C:\Users\Admin\AppData\Local\Temp\EoEq.exe

Filesize
189KB

MD5
3b85cf5a23e99577ced41e813cc84b35

SHA1
3fad33e73147abafd9a72f54c33676aa978f246b

SHA256
61fe0fe6aa14349cc17d92588636ec26e792deb1c83e8f523d0adcd5b90db9a0

SHA512
eeb775693d5f1ffb614283f886e2e06df3207f35857c02ce8dc2e7a0c32360172a7843c338b275a1ee22a872c2ad0639e73789b96613a43822212c0a441c20d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\EwUy.exe

Filesize
189KB

MD5
fcb7e95a89b7730e4ce3c23cabbe9c73

SHA1
106be1aaa15ada87518834aabda305ed7c41a00b

SHA256
f3896c7274177026fb37d1b9f45d6fff3e382a55b581e49c536a0af01c67445e

SHA512
c514e4203693b9d4f5fdaeaf7ed46c5328a494f52da6c467b483925eec9151ceeb11356c69cb4d2744c422e8962f4465a1ee41fbf35fd14e6f581a9dea09ad09

Download Submit
C:\Users\Admin\AppData\Local\Temp\FYkwEYEE.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUUm.exe

Filesize
183KB

MD5
6348a9770b58e3bc4548f4612ae25e0e

SHA1
efe578c9240576667b8ec693c41f273895e927cd

SHA256
e02c782b4aa7d9f0c314924d1195d91d49714f6823f048b50072b8061a953d1b

SHA512
c8d6bd34f5f275acc5e78430bb4f1bde5026b2b4aba3995f9a853ca347c2dae11f239cfe39b83e902c9bed2b876f51af2ec5eb6f279cc066a9b8213eb835052a

Download Submit
C:\Users\Admin\AppData\Local\Temp\GooU.exe

Filesize
573KB

MD5
c612594ba0d08163a6cb208df04339bb

SHA1
d07528032b60ee022865ed4fbe9d04a1bab8b1fd

SHA256
040fc2f33a5c1c603b4d71035806548c752c6cb91cb9ba9b05e67ba079163c9c

SHA512
92cbd44a18322e3afdf2f1a3df55b8a4301178050d6ef15fa43ea4a0e92425bb4cbc26131fdc3929acc4340ee70ddceef4719add156812a6db916d999d9ae5e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IIYY.exe

Filesize
200KB

MD5
219b06abb0ebd98a32392822b335e2fc

SHA1
8e2346155cb38750f9d6dc5d66f909975da1c0a6

SHA256
cdf307ca2c39f9f5e3007fa5e30e946a22c2bcef0cd46ac4249917d1d46c3b1d

SHA512
4f0d923922e62cefd436d39d5a942d2e2ae798a6d9f3271bac93bab5808a7996534426199ea5825937e5d8fcc7f3ab9c9fee38fd19574ec293ccdaf4c4d6abc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ioci.exe

Filesize
812KB

MD5
5f263c0fd13ee9c4085b9522950b7740

SHA1
a237f9e24b0bf5ab18aea04de7905caa43c5709e

SHA256
b4fa61e1f2bf849f3fa0f60280a93fc7de437171922eb7996514f672272be661

SHA512
5ba147935cb3a3ebf409f5d5ca5b1d63c47dfa88ed0dc283f23c599a6c0c06eeeb68cd7fc3a64866c10a1c856ff8f22653d1c8232c8330dbf461dfc5b07b0af2

Download Submit
C:\Users\Admin\AppData\Local\Temp\KIca.exe

Filesize
214KB

MD5
1fd2d20e0bae686b23fa0cbd3f6a2e2f

SHA1
8b3a01113c2454e3b61ddaa879306670f4f614d9

SHA256
18a442cc0cae52b9abf15670ea981c194cb5e7c4aa1fa55c9fca24b3a67e79fe

SHA512
375edad396a91b14c389c06a206640ed48b85c09c4c7b2f450dffc66bedb5186df296de52bc003850e9ac70d65151db9183afc90b30512f1d0700106f5ca3846

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMkM.exe

Filesize
188KB

MD5
5ce81007c754811752ee391f8671a580

SHA1
84c44e3253bca9354d086ed5c2ecb4e9365c40ad

SHA256
d7778f1c1130bd9f4d67b56fc5d95f63c9687b884dc342e467345ff35f14f50b

SHA512
95810f8eabb5985c4c593381c8c82bf1e1e32da2a1a6e1a4fc62a74b7eea49f0ee337a76e9fe26e07280747f4a4f5ec50a83599e878e2582be16e1eb17313da9

Download Submit
C:\Users\Admin\AppData\Local\Temp\KYAk.exe

Filesize
840KB

MD5
d35deb0adff7ff0f16d60addbdc40b8c

SHA1
5ff00596605903db956447a46867a045a9444d0e

SHA256
b85f4238c50fca6d51fa4452c948e3cd0f3e428984a0adf1d15ac79ddd308495

SHA512
7523b2e8454287f902d20ac3d63fbe01432a84cde3f78389c8dc2301bb313080c8a888c090279ae075ee59e9eb4804aafda9aa79a578f8b72ebf0b2e3b4b28df

Download Submit
C:\Users\Admin\AppData\Local\Temp\KcEa.exe

Filesize
752KB

MD5
f0db2bae2724258a598efb9aa2c4d935

SHA1
aed4593c595f7f1e7bbc94b379a292ac78ce8a3f

SHA256
ea0b3f7d8418cbc973d3d29e991dece4a4ccbd91ef31f423b9577f443988406a

SHA512
5cb0c8cb6d618beffbd6e6c2f6d0b4c552cff55e933051d662d313a78e40c646e3c95ea6e062e75cc6445bbd72ae3b30d9d2af532eaccdce4632b244dac4a4d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\KgsC.exe

Filesize
818KB

MD5
abab4fae2f2161279c9ac364c9659e7b

SHA1
38b5ff5b03e8d094bcbe9fdc1cfd1bf9735af553

SHA256
1b0a83d903a7e6fae01116017df383a24f2dc9c2ad6164ca524d41f3ee225d03

SHA512
ec2f902f0fbb7090c70cb89bee481793e441139e559a51602a878125785c2f62cacda580d327444c23bf7c32bcde941bbf0997f3529e6430bb117ae1064d7e84

Download Submit
C:\Users\Admin\AppData\Local\Temp\MAkw.exe

Filesize
614KB

MD5
d29809ff18d7cc451dfec989c4be27e7

SHA1
d0e18c16c5a9deaf82b6054fa3146d6430532e5b

SHA256
ab42f42a160cae36002fc7e3ca6811920c1f5b8ce2632fe5b41045d4937dfae1

SHA512
82e49608960acc80ba6764a350bda0ed12a53f116cc9cb802073999cf65d08161550b98bca870e37e25be4ac417492c85fbc03ed041bb5fff7c1b28c4e198566

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEAS.exe

Filesize
808KB

MD5
271e6c11a2237c58e7c53eddc40cb6b8

SHA1
ac9ed0e3a9657a8ac3bad1b2d07b81482516458e

SHA256
f2398a49396c9a4c47245e499e0dd9a201e4b32c6188af9a9d9ae8e1f3a536a7

SHA512
82f526be576d24e6f00dd27afd531acd1338370274267c04048ff9bff1944ee6ac25402296503ed666185e36be2644b7965f5409e084d03ecc042aaa62e0ef90

Download Submit
C:\Users\Admin\AppData\Local\Temp\OAgg.exe

Filesize
197KB

MD5
b90755b98ab9234eb52e3932a31a3ca9

SHA1
8d20a414573d41ac1a97c3769f66d74b4cc75eb1

SHA256
1b915a5c4da36e2921b8d7c76dd52b03ce73e249e275e95141f2c98c47bd5701

SHA512
a40b236a84722a135f6bc75df5b449adb5f0a8c548069bc1ff3dbed396bf46a2978d4717d21b83d3c7c2d23dbed7ebf34ea02e8da73397132b3e9e8e4cf48161

Download Submit
C:\Users\Admin\AppData\Local\Temp\OUQe.exe

Filesize
232KB

MD5
82c0ff3f624dc4a07a25af90a1cdd4e2

SHA1
2565264b3451b865a32a0c67e44711afa5132421

SHA256
c0034de7b65fe3bf154520f46093bd8c78dca73054e17e81b96b9a97d969979c

SHA512
67a04aceebb52425cfafbb775036412be443fe4fe088504130e9d179564fde684f2b3cfdafccb9372fe6bb05d1b6f9a81239ce678e1f3b9982d4406df4dabc8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\OcEk.exe

Filesize
194KB

MD5
5fb921580d4ef3c2c91ee2665183c84c

SHA1
4f825b3f0530d90ad3fffbf8f88be7a53c2229d1

SHA256
775db0e4719f996d4c9d8ac94fb2f2637a21b2ede4d1ff48a0f8109847ec7047

SHA512
9578685a2680a318c4cfa1358e8af883fd35ce4fdb40ea59bdc23eaa0325e5fa11f8db57653b5d9e5f2835f00ff090200966096190807129bcab07bff6fde6d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\OoUM.exe

Filesize
203KB

MD5
cdb8ac01a33a5657290944eda26cff10

SHA1
f3d88c4e2af286896135dcbb35231d416a9412c0

SHA256
2601c4ca9b97572f699b9227c09ccd9d0a89077e8f18ffb7dd97f1d5e675f48f

SHA512
4a16bce87029cbfc67cefe1341586ab9b93657c3cd995b7d96aac0c46fad448c65273e9268c3e7f3d6b095cf85baf3bdea80335247a80f420e40a42bca123878

Download Submit
C:\Users\Admin\AppData\Local\Temp\OoYq.exe

Filesize
203KB

MD5
aaf56ec50e1d16e1bf42a855c2f244e2

SHA1
574438b9a06a9050fb11df897cee01d1a5fad5b2

SHA256
cd0758943353486b7a212395a50b4f10f1c14730fd18ceb85ef5e51614305b5b

SHA512
daf73beb3f1df0fad8e7ade2c12b4b02ed72155a7a282107b13a9dff6a4cfcb8dfd254dbc06b370a8bf23fa7f5f7729d2515f3a02e244f5086fa7f751622be98

Download Submit
C:\Users\Admin\AppData\Local\Temp\OwES.exe

Filesize
216KB

MD5
113c4ecb0cbf9fbcb37e8e8809e13ce9

SHA1
8b9121fd60530f3127dbc7f8292fdedfdb375cec

SHA256
9acea2697e0b382af91b30f00b43cb03ea757e50533c4b66189de69b64e4afc8

SHA512
b5fa5c5cff2a2ee53a1e5fec2ff3aede96790d7973a992fe9a090d9923d2f78e04d61be5966ffd4e6170db1ef0b263d03933f4725f891cb096c0dd376c6512af

Download Submit
C:\Users\Admin\AppData\Local\Temp\QAQS.exe

Filesize
200KB

MD5
c6a8f3dbc83734a175a98ef26b5b1650

SHA1
56bcbab98491db099805454ea4c3ddbc766acb34

SHA256
0b2849e8d9f4f31f80c149f37384266ecfb2d6a75d6d63cb9b5c4392f750e7a3

SHA512
1dd6a6e20a2c7f89456669348dcdd40cd66b85a615b3ead743376ed298fdbe813ec43760e621c371a2139f392d04b59ecfc9628e4b95cd6d478008056d88fb75

Download Submit
C:\Users\Admin\AppData\Local\Temp\QkEE.exe

Filesize
185KB

MD5
eedf389f35b9dbe842d6a8f794ce5bf1

SHA1
790d2d9b67deb3b7b241c18df29afb1eb657253f

SHA256
51dc61df6a0d6e0ce5672f73c881f1b8b13636106e89ccfac1c21bae8d02a211

SHA512
b6453bb227f2cef2f9105599869f6fc0ac0482d5869a5ed85acd7b66ca3d77e69801d9c5340d0f1931a7c7e1b141039eeb95ec9dea9276422d72128b46ad1ee8

Download Submit
C:\Users\Admin\AppData\Local\Temp\SQUo.exe

Filesize
206KB

MD5
e9b5f1a1d638278fd78fa1f05b383987

SHA1
f55296241fdd0975adae2a889f6756a682215d95

SHA256
74675c12fff5147830beb46a4180d8fba11aa1a6383a8a1f6b19beeae369c2fd

SHA512
3f2d48228f80e203359c8f92af3ca999e9682f61224b0ec6cd35c71797a55e80ab52e3c06808e5dd9253a8716c26bacf4547446619349aafaed339eded4a9377

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sscu.exe

Filesize
837KB

MD5
05437b94406b59685ddb6b664fa52f66

SHA1
841aeb91d42326f9409afe6368157115ef4687c2

SHA256
c11de93ce0ba36ee9983a91d873cdce27250926afc9106ab46cdd6749d52da7e

SHA512
03a386b06af9d8671c49a8f8c4e2f4b05d7044d38eaee9c75923110b512caebf5037cd43789f7e61ea5cacddb7a7731d3e2c63b6c6c525389b038ed1d2754fff

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sssy.exe

Filesize
239KB

MD5
0da0d4cc45f02606b3d790b7b96b1c14

SHA1
6f85bf1a0b7cba712921ec7dc58d7d4e0b720fd8

SHA256
a162f4a3f95bd813d471583230c9e6305c1f789d0785a42af7ad2e7a0adf1bbd

SHA512
04fa0f8155eed2002cbcfc95a292f7ddd0a6370543e4bb36bc405abc97c38d28a7342675a8610d38062ab7db4481330e99e23ff7f7dd9842f84795b6ad5172b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\SwkY.exe

Filesize
188KB

MD5
ff3d80d296f1d8b374ec86923f50c52a

SHA1
81050984c385c7eb1504e83852c07c7b7496896a

SHA256
4e124b4e5b10b49b9030b43b983aa9ecc8a9e06eccb2d99efee6e78e4774dcdf

SHA512
c2618179e447a7380563210526787f19f751243276b6aa1ac0d6d1050efcbf5825c14c6a26e57140309b4bfdfa4631e8e11a5b0b07e77c31de13a78df84211be

Download Submit
C:\Users\Admin\AppData\Local\Temp\UEUg.exe

Filesize
323KB

MD5
7a1b29ab2cd29892b7255a0bcb9700eb

SHA1
4532160280245c873d5cd2655d957d61c0d6b76d

SHA256
51c0b1dbdccfe764c5aded736368a0a75099298e39a2e2a44df248793ef1bd3e

SHA512
6339e8588452ab4bed250490c881261b8759e59bd89d27f7c569c4a02309f6f5c12948929306e1d0a4d2cde54ca367724a0d952419d4b18e9273ed6e25709c27

Download Submit
C:\Users\Admin\AppData\Local\Temp\Uoga.exe

Filesize
181KB

MD5
840469753789ce211011bb535fecb855

SHA1
6f23cf68e4bb20d8031cfed8cb664ecef14c2cdb

SHA256
d5bee416354e40963d9eee8d4d2cc7779f858fbdca9e9284bbe845f3178f9567

SHA512
c91b537d95ce112d69f80f0491f28097322f27c64e4f364d35017a6ba508925b25360a58fbcaa99f3f0c067fe9812d46d1e5826a229ac666f53bab8672bd9f9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\WQII.exe

Filesize
205KB

MD5
61592ebb1ea5c8329610a979c11eae75

SHA1
3f9debb1ceb153b53e3f36bc7ac0294a70bdad4a

SHA256
a5189bb15c8d32bf283cf87331f45619575a48f05cdd74884bd40b3c3408b53a

SHA512
b57808ff4097dd4ab3b5a6b7460948a59225600cd04a9aaebf3fe92fea0fc91f734c2927886645050fcbaa7ce85f9cccb94d17091f0f02381af29d07c2b66c3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\WUEo.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\YMUk.exe

Filesize
1.4MB

MD5
4d0c44f5d468e29352d4d77db8dbf9e4

SHA1
6811db74891f9535520c9428fed801b95f799cd2

SHA256
71db695220dfd5489c9445de63f2afe6a1cc136d8db4d00c42dcc478575c3cc3

SHA512
46d7d6e820beaaa9a6de27aecbef2be6c4930e5f3215d5eebdb74583f3189c34dae4abc111b64fb494dc5461d88061754f9a73a7add68a70aba7d19b08db5762

Download Submit
C:\Users\Admin\AppData\Local\Temp\YgMa.exe

Filesize
201KB

MD5
b02f6462037ccd01afbd5c363c713882

SHA1
d756710f9d4e93258c68d9bb44515e79c3f177c5

SHA256
fee2b3706c58109fa9856ed72221bf7645044a4e0cae1a193cdbd52d56f64117

SHA512
9e7851b3cdc58891e31e63cd4046d44b9cdf83169efcb39b2b4cfdc06eb70f6deb3c900770c455780ef880380735ee492d9b9a2f13199f2227ce555d452ae8ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\aEYM.exe

Filesize
199KB

MD5
5de9023b33835e7c2b7946d131554250

SHA1
00de8b49b8707fa968b23a8c45c46c63cba95850

SHA256
84dc13fbc2f6ccad28800d68b7b6ade8f070d37954181211043059034219a438

SHA512
e640ec26e07ffc02b926c946d6952c2128b3e7c4426a3ad2196d8ba5a662d2330a52e605a3087a8ae2235bab73bba495581bdebfd5afd6eb287cbd8893105b03

Download Submit
C:\Users\Admin\AppData\Local\Temp\aQck.exe

Filesize
211KB

MD5
29e861c7233bc987a1664c56a0c7a749

SHA1
15fc885e61c3b2767eb14f90a86d6b35a78762fd

SHA256
5c475e80e9f09ea2b4c3e2bc25ee56e7faa155b7fa053ce54ee3ce680bc02787

SHA512
5cc5689d4bceb5b7a86f202c4c802a286b9286298c5aef7e5f687a87e7c1970eff779cc8f7de7183b330e24ec1906d9096c064f12c49ea7ddcca5958f61021f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\aQsQ.exe

Filesize
205KB

MD5
2341c830ddcdd6fd65b577aecd04e9cd

SHA1
9b1097e12733d73e604fe8287c2d975290312aff

SHA256
9780bb5703629af6542ee76e3474e5d7e34b7786488c2b684789283df3993a26

SHA512
b9f164c03279b8c71da0453beddf30a57b57a60683a7a4a35b3b820600091957218dfa5c83481c1f34fdc803d5305e90eb5c926574fb46a1a5663b7aaf82e97c

Download Submit
C:\Users\Admin\AppData\Local\Temp\aoQs.exe

Filesize
203KB

MD5
584b357dba329be54ddffead115659d2

SHA1
7f55a5a91a78e56da9eead889bad4345a302be9a

SHA256
91c642dd7fda554b82e8987119e897120bbee768843ce73694d7afde77663951

SHA512
46a3e4ed22c7c594036426323d428b1d0c191a53d5b938de6d832ffd239c027ba2586bd360e9a3df2aa8f4e4919930e0513b5cc0562b4e0a27427810462b2b0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cMAy.exe

Filesize
199KB

MD5
27d6b4aee3c7de46392beb999080b0ad

SHA1
8a340a960034196b3d59a51f311ef4e7c80f7829

SHA256
5f2704e8774c0f4d44be10e9193c69d0c3025b9ec2bfdbc01e937b86a025b6dd

SHA512
8152c1504b369a41b8297a3a95ad1d7e58c493c1de68ed0730fc0261daadc1fa29ae317a9cadba7576ea72574826031090a2bf2595603f8855026045e128e201

Download Submit
C:\Users\Admin\AppData\Local\Temp\cMkw.exe

Filesize
196KB

MD5
2680ad5fa7310e31054bc84ec8389e3c

SHA1
fc6106b104b9e664f11b3089065f0c06e4ca8e9c

SHA256
a1f7db458cada9e6ea0bb5d331f9e077be67166e84a13f5c7659abb8c33d3bb7

SHA512
488f3018bf7b8adfafb70747786cfd82c02d53b94d19cf0829ee24ca202bc42b9b72fe1245da40beb95bf48ed2e3a74a380f0fe107470738ec15850deeefbf86

Download Submit
C:\Users\Admin\AppData\Local\Temp\cQcO.exe

Filesize
224KB

MD5
864999d484e357f423577d6ae5ad1557

SHA1
c764925693de04dcc03ff2e87a2ca544f3d311e6

SHA256
5a6b4a22bfdbfb13c98b3466fdcbd10278d6df91d80aa59212ced21433056b01

SHA512
11373f5f62a7d917b1e42db55f5439a1dcd7c7d9263b520029b3c9ef16a5ac612dde116b5bdb93eda0c0e5124fc42502f614a484a14617d67c3fa9ca0b7799a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\cUQE.exe

Filesize
186KB

MD5
0ee91abbd1498b4f2aabc7142df7ab9e

SHA1
eb2bba40b4292641179e095d9780b80cfd9ad8c6

SHA256
302c3ef909e316b7411cdacab336d68384e4c0ab460ebc14866811250f27a1af

SHA512
5b5974ab72c1d26eafcb4763656d06c30fe594f4f64a2ee61e4dd294846fda0ef795ffdd2513f3b7d7484b830d8439086b46466afc70fb81d3e1e94f47934408

Download Submit
C:\Users\Admin\AppData\Local\Temp\cUsk.exe

Filesize
209KB

MD5
3207f38c2034ccf881463a3265a4fc87

SHA1
c928a0dee969ec4ace9b130aa544b1af9770768a

SHA256
0e88fd3b924161d724fcafede5f0dd8910501ab95d87a68d352963ddde0f8f45

SHA512
736e3c8b449e5e85a35a46bff5771fa005dca8737ac3779ad08366e6c8095b197ae06de24f1bd707c81aa37d6ae71068835aa03a6c496b45b03f72530b6015f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ckEs.exe

Filesize
652KB

MD5
40c437c8c228915a94e9f0960c8d46b6

SHA1
85ad5bd2e98cd39ef199f8600d5498307a0916af

SHA256
8ab05a98523ddcdbec8b3c609f78b4652565a65155956d1b10fcdd7606f83a7f

SHA512
95a0cbcce526dd858598324854d9ef02f37c2d340af21d93457b5feb996c1af20781cfe8a7c3e3c7101034540ef1dbfca161eff4980c5d8e274e004b289523e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cswe.exe

Filesize
5.9MB

MD5
11ecebaa160368eab661e1b1dc15ffaa

SHA1
abb52cf20ebe8b0c719f4034f7c1fb62843a6ff8

SHA256
1f3009c8c3d36d42500c4cf8180ac820d2e8ba734fd212ea211c119442c49c83

SHA512
42aa091b5ede09fd9352bd668a581cbda3f3fc004786a6fba128a2bb2e61b31d4e90f5b5bb060c9fd01ae4887127ee9a5662e94eefce90b4a95bca9076c4130e

Download Submit
C:\Users\Admin\AppData\Local\Temp\eMsi.exe

Filesize
195KB

MD5
e327a26964d17c014730137a00d13832

SHA1
ef1b9ca357e307ee4a032ff0f26fe80db4ba7c64

SHA256
8f9b8583bf3b34907d9178e6f283d8c567ea8702f8ac8a35734936b3d8631ffa

SHA512
1a21c95aad2da95c32a0b8b0324f760eedb291ab88621ebd96526c27d6342633c5ed347ae544357be8660b9abe12569617a25f69b1d37d23cc24269b7629503d

Download Submit
C:\Users\Admin\AppData\Local\Temp\eQEc.exe

Filesize
645KB

MD5
12953f07e928571ba3abf3d7f850aa9e

SHA1
7bae6eaaaf0e3761a433c91fa87993bef4e7ac46

SHA256
a22578ffd1e9edb922cf4786f92b39f0ab96b22e6b2457246a740205a7894b0e

SHA512
264b35002adc59bec7f72d2b5239a34b8b2a87a5d138f7625ea9de00811a48dd7f4aa635feac47965416a8e325e6b080e65f9e7437e6dc158b002ba55cfc9890

Download Submit
C:\Users\Admin\AppData\Local\Temp\eQEy.exe

Filesize
253KB

MD5
5c90a72aa33d1a69f055e08a05c79db8

SHA1
1fe47f1a11313d8e5b9781147ee572b29bf7422a

SHA256
d4011bf647afcb23818ff7b5d88c40650b2ef32677e8e30122d40961bda18881

SHA512
16b1c40057a9b331ae7be522176fbc8f4b5d5c783e335128f8b90f66ed0e8ff8663bf2f9931cf20c90e625a2b81caf812c24f8ef0182a1bed179ecd60a434343

Download Submit
C:\Users\Admin\AppData\Local\Temp\eQcc.exe

Filesize
218KB

MD5
2d7f789f1ac4b55b7e51b029053a2186

SHA1
719a23fc0b29c70a0849db2d138f756fd566d20c

SHA256
be1f4cf8d63e69f84b0b62554301b47c9757c7ca686aa112f5ce85bdccf8d838

SHA512
59ed0d78136d979254a5ae9bed89c952a822a78b1e10820330942e3ddb675f6b863dac4d7f143be48d7c6afc871a117ff4fdb167f11b43c405613c04fd019822

Download Submit
C:\Users\Admin\AppData\Local\Temp\eckg.exe

Filesize
189KB

MD5
77309f841340855bde42fac08781198e

SHA1
352ec406603838ecedcbbef910d437fafa0ce004

SHA256
4e3564ecf95b91d541145933101d924add8120d62ed40dfbfc8c5ae1ac8cf54f

SHA512
86c07867a352897bd329763eacae7d5e9448e8d932761f70c8cd06e168d0f695caf18c81b9783f4e1e655f952118820c51844a62d98c92b1f73838a8ed55c8bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\esgs.exe

Filesize
1.1MB

MD5
3ab3093707da67b0be719a40b25e9812

SHA1
ee75fdd95ee8f4ec4122e08967a86abe77392205

SHA256
0eb38d2b9aef68e1a0bab89728ce57bd089ca90458171ef9ddb8796e3f8f44b0

SHA512
138684b9e61b5c072b91c5b1040695257ff65b5018b1d1064fa9af1fbb6ae39c66d1183eed9d7ead2e77b79fe20a8504d80f3b25451658807f7751cab7933273

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gAcW.exe

Filesize
707KB

MD5
6dcee8f52cb992a0caf51d6c1280ca85

SHA1
08bfcf52ca0f8f4fbd53951fbc59742f9bc3950a

SHA256
9f48f98cf0b30a25136808ee10ad65a22d7cd33ce075b7130d51881186b2fda0

SHA512
c8f7a1f5bc1ea69be4c1339c5f02be7a56de33544211433b20e7d7f856d1b51aa5f14f9a72f10607ee44192fb2755249d09f78c4c853931c5105448b0a2b0970

Download Submit
C:\Users\Admin\AppData\Local\Temp\gQEo.ico

Filesize
4KB

MD5
ace522945d3d0ff3b6d96abef56e1427

SHA1
d71140c9657fd1b0d6e4ab8484b6cfe544616201

SHA256
daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd

SHA512
8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e

Download Submit
C:\Users\Admin\AppData\Local\Temp\gYME.ico

Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\AppData\Local\Temp\gYoO.exe

Filesize
237KB

MD5
4f03f60e9e2456343c69c0d1a0e42433

SHA1
442f9f237b2529fbee51630acf57625e15bdcc0b

SHA256
b06022fec2f7ab83569038ed0b29dbb89163e22228f11544fe265a9ebe242d01

SHA512
8619a2d311f6c2d5b56c1ee215fe16611c5d94972791e36c6a621b0ce1dde800d96ef99849a8ddc167107bec6200f449dc7937f0ecb8e2db47b6df9852af7b8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\gcAI.exe

Filesize
308KB

MD5
5808dec243ec9762563b0fc77f101935

SHA1
ffb4fd04b0dbb6bb5887fa0ec4b48a98243d814b

SHA256
9bce53b120641c1c78953c4e0f6e36569b30c88bcd99ae62926ae578e206d3ef

SHA512
f96733c3d75b8f2fef7028332dc964278c9fbe1b558f19d2d517cbb7328e7d834c0508a1fdc8e0ff8dd709772d3c45e525d75e191829150e45256b891f6a59d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\goMw.exe

Filesize
198KB

MD5
0969958bf4fc47d4d654b0089b9fecd8

SHA1
7f7d5262d01413f801eae334592bb3c5bb9a238d

SHA256
8ae035450693f243e6ba622b0a04df100faba373a79e13cae92cff9b2d982212

SHA512
90d4e6e27d9e7bc47b5b67dc73cf0e771d333c151ce49f9124586d2afae94e0f4aabcb0482c1b143e94d4eb718a97d9fb69dd1631268fe4b78a4dfe354379e9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\iEoK.exe

Filesize
193KB

MD5
e1ab915f2089e51df47676a33614219a

SHA1
80bb4344266318520d0437beee13d8ab4ded82f9

SHA256
d190108e4103a4bba54058414f3332bc86e9fccb4b390a4ec908059c2f367926

SHA512
83d4816fdf16dac63ca7947901adbac301ba3117dc5b926e5b0bdd9ec5fdff2477b42632ef23d35f99429d30024893d71c5d469c3a11aae7facc842e3661c3f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ioki.exe

Filesize
206KB

MD5
1aff807f3e7848f9fa144616c8789d26

SHA1
af0964ee7c2f1b64a231ec075ad60d94efddb02d

SHA256
d8667cde80ae114f6bd98be248903286eb6b183f09651c79c277b75bac6f959e

SHA512
5ecb37eb13f985af635323557db91c7e917565fb200e4865e5448abec0ee063dddd46f29e06ca924139a1c1adfbb5aabe4b24b6c3c97037d42c0524c8869a2b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\kEAa.exe

Filesize
197KB

MD5
4dc1cf695c0d07362d8ef997d9bf229c

SHA1
04b527ea6b6ea0bf0be0395f187351bcb0303e1d

SHA256
53b2a0a537705626ee0938e143194e28bc6fc01bb585b334e13e6bd73ce9ebac

SHA512
3f8f31063fa454bc061c0733a314a410a30e894871aed6017bcfb0efdc2cf4a60daefefb69a89d058fce9fd8c3c3267b4c337565e829c253d3cfaea9c7449f17

Download Submit
C:\Users\Admin\AppData\Local\Temp\kQgu.exe

Filesize
1.3MB

MD5
59d3793bacd90b5a874377cb9949f6b4

SHA1
331fc844917778ed4351f2e2a6e3d4d1ab093d97

SHA256
222ea92b5b8667cea19dd958602058a8226875714d07e7c55115cd17db468785

SHA512
38674f6508227489a2541f467c1127a46f09f4fe3d1c6feed79205c1e0defaa2e700eaa3a374318d50c6aca5f93cba0858b7a3e30659408c45bf98186b8eb3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\kQkq.exe

Filesize
648KB

MD5
8f1b8bdba361f5be66cb885bd0729c07

SHA1
80c184df2ee6db3f184316e3683d26b2f3234211

SHA256
7faf004ba4260e92d98abd15b72977fad8a0be9e071622cba60f113bcee405f3

SHA512
d652c812cd73d6f8910ec3899aed9d3cce898aa9542142a8b8501b65a0d726a0673d94c8854d3e6792a720f0dc524b4854c2e690ad9699fff0995b2d8365f860

Download Submit
C:\Users\Admin\AppData\Local\Temp\kUQC.exe

Filesize
433KB

MD5
feb4c6196a200fe701b68253f5669798

SHA1
4f23af1d3c4d5221c830713763ab6c352644c1b0

SHA256
65ab4401631cb20b2c5dba017eaac927e4ccafa1106506757253ecc5361dee53

SHA512
d11f1214645fb67fbbe94039512aed6c23900575d9219dc029d545b1ebc23c6abeaa133ba4d48e48553b147d1336bcc045d7fa5ffd480cdf4a504b5189d09b5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\kkMS.exe

Filesize
190KB

MD5
79344c0bf2b0bc3b95614c40121a4c46

SHA1
8f6e39dabb5c232b0fc43ba79680afd1f0695904

SHA256
e75e6ea5cea773d5c3941518e32d1b46664a555bc59418acf38ada49e0386ff8

SHA512
7a1d0e60d90dbe06c9697921d4b32bc58e0e63a0f5f5736f1a739517fd3674ce5a685874f14c35afdf08c2535c0381138b64a8e95499592a3305830c319bd840

Download Submit
C:\Users\Admin\AppData\Local\Temp\mUok.exe

Filesize
1.8MB

MD5
ec373772bd50b5c9dd81660294c79f44

SHA1
b94a72cc824ae5420bcf134b5053b915f90026ed

SHA256
7abdbe597a7b0b21f55fd84fc2a36032d75cfd656cdc0ccce53933cbdea7d500

SHA512
63bc1520ec76aac1dc57376dbb17426856e4a13e4dcdb0828e95164e962d359ad98a2b8190f6a00ef32ddf6206ae73bd2c595f62ab3daa7ee2e8240a95da3506

Download Submit
C:\Users\Admin\AppData\Local\Temp\msUW.exe

Filesize
1.3MB

MD5
e53ae96d68994df8a29f12ec058bbc6c

SHA1
73522602c3bd00920f375d3c639fc2dce4d2434c

SHA256
db7410262ce5021e03e11154bf71a3d1162539d62a539807f214219f80107521

SHA512
0be9bb7c691b0ae09a0b4b33fcb122b8f3f84b89bde7bb6f5d827f457af4d24a9a36d51fa364ef7a37e34966e3090ec2af02cb9f683d42f5e510856295da53e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\oAIM.ico

Filesize
4KB

MD5
2d56d721c93caea6bd3552e7e6269d16

SHA1
a7f0d3d95a19f61d30b9e68b0dcee7c569249727

SHA256
f8e8be11d1062a945187b65fc5e5b1500bce03cbdbf6f4af9404b649aacc2aa3

SHA512
c01d86c43876fb8eeab79b72380a00f095d95c3047f530b777ca89d309e7bd797bf83857beab29527eddbbc491da3edd95ba343f6a0725cc565015f095cf0919

Download Submit
C:\Users\Admin\AppData\Local\Temp\oAsU.exe

Filesize
187KB

MD5
cfc4abe2aa4f3325ca014332f6479b12

SHA1
ff84771d901b2ef7f6a9b760ac75bade68b31111

SHA256
5709e61b4793933fa1011acd6f777dcbcac1a44529d02471ba3d6805f8fe4020

SHA512
6576f07c45b1217046f7e92e845a563e538afd26135d8ae3aa0333052762e20f1b1906c0e19c1da8345d89be8f541ff5e951a91e96b69b487c46fa901093c83d

Download Submit
C:\Users\Admin\AppData\Local\Temp\oIQE.exe

Filesize
747KB

MD5
1d76a5da3cde1e5a2f12a02f90c696bb

SHA1
dcbea66b9046e9d2f3341d91e0be46cbc02ced0f

SHA256
09ac528ce7a4d61731ded37bb80dbfa107a36b3305d0fc9e05e147dbd6b84b58

SHA512
b54f42a0a968d7108e6f9f2e1c008c93c0b3048dd93ae4e0fdd7f32c9246975fc6532fdfd16ab84af003d90f418ed6782d48965098eff57d148217dd3e85723d

Download Submit
C:\Users\Admin\AppData\Local\Temp\oIsW.exe

Filesize
188KB

MD5
600f12ed821075908cadfeda1924a089

SHA1
49938cddc4330d4dc13f187f6954f82c0d5db0da

SHA256
6180a9d8787473cae75ad07867bd9bb71bac2675ed286317fec9a26af2d6474e

SHA512
bd03752e5cc55db6473359b1041dd8c4c112d0885f010bf910a93c9c9412f1c9d6a8a7cb96b5dded11a6da48137c2ad3e8322950cdee955bdfc505051181c30e

Download Submit
C:\Users\Admin\AppData\Local\Temp\oUwk.exe

Filesize
328KB

MD5
d437a4c692d6636495b814c33ecfa8ac

SHA1
90f87a7208eef80ae8c3743695d8cbdfcbc7aa56

SHA256
e69d6eeb362c00673d243e8c4c3fd04ae4b0928dc45b2708455ffdfb11028253

SHA512
1a9ec41d8907b558e2ee08eb4f17be5e2ca53d6ac08ee02923b15a259c8bfb777a1b560c3f963855059f1aa0e4d856811a38015f39b9f677852c285159c35ccd

Download Submit
C:\Users\Admin\AppData\Local\Temp\ogMU.exe

Filesize
772KB

MD5
a5ae95b310c32a3f2ecfb45201270b6f

SHA1
cb78ad09732bd9527a777bfa41c4839c8beaa7f2

SHA256
cd46243ac0765312efb3a916271cb1bf8d13f58efcb96151e087b64b5af16fa9

SHA512
f6f9bdeca9677d49dd9ea9a68bb41b89e63c5c2b6fe9f5734856683cdab87d25f628e8e6240bb7474b9f92c910052b25c38ff1ff8fd607c6ee04696c150d18c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\oksA.exe

Filesize
212KB

MD5
b1c27690366d5a9982335226bda392f7

SHA1
7eaa2559ecde6831b26886b716c65a380024f784

SHA256
3d048cb01685301feaf304a310fe8f383c10584c328d336195494250dfcd4278

SHA512
56b1c14d1146af0102286ce8b80327da7031f664202c257f2417e894b7dc427f859f6a9ccfb5bcfe83519b134db0cae21edc53be9e4d6bdf6c603291ead6b1a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\qkMA.ico

Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\qkcK.exe

Filesize
185KB

MD5
d1f8bb0de3b1b5b60503d1db1cde9c67

SHA1
0fe58adaf0c43b2654c07f07fa5081658b22b592

SHA256
aa5cd41fc2dfd706d2c218f7aaee76932546be4f2deea2390f8d71ba346713b6

SHA512
22a7b84385cf78caab17590b0be28eb9bf5d4345daa5d65a0d534727b5383a8a5831bd4d40064cba894fce051afda80f16a2386a2d901ecc4ce94b052b94b735

Download Submit
C:\Users\Admin\AppData\Local\Temp\qscy.exe

Filesize
640KB

MD5
c7e2734b5ef3f90da00013708c66f1a8

SHA1
bf1ad299a93529f392fef2676232524b8e237173

SHA256
c00cf84dbfa14df0cc1bbed1769aa775026eb841fae90e6684b887b3e752b449

SHA512
ab954123a256b12e250eb1ea28a022a5a9a2b99b6b9a2f71372061424f8e8d9ccf9b3fa286a32a8f622ce23fda507f18c7a4a3a2eb53e55aec6ac494cc48e040

Download Submit
C:\Users\Admin\AppData\Local\Temp\sIos.exe

Filesize
660KB

MD5
a594875f8bce9f52585181f4fc3a1c2c

SHA1
4af52d405e2c54d800e70e6bf5b084e3ee1a4808

SHA256
c932fa738e6f72fd39ac574665613cd90c693dd7560722d2a4355656839b1b23

SHA512
db07207cccad99ffa795bd092db54874b20e014baeddf089fffd0478e36c527564636123efa12854f6c7b59f9e63e14645bf357d9b79b434160127f5d8b9b861

Download Submit
C:\Users\Admin\AppData\Local\Temp\sUYm.exe

Filesize
188KB

MD5
e22f51039d5a339446e5f24c9c6c70cc

SHA1
91ee23f9ba262009b383714a265b02041a27176d

SHA256
9f1ba0fca9444c8a5bf9544d22ec2c8ed78d46318fbc8afbc61b32f85e9e564b

SHA512
03268342434a2c103abe828d4bbb4d40515dbf7c3896ab93779c9eee4d33e03129cc494958aa9e371035d5273dcb4c6f1b74a73b08a4311b8d029a957574b2a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\scQW.exe

Filesize
185KB

MD5
35955aa12d53b5d7c0815ebdd972c41c

SHA1
353e6ba683e7fa8754189f347094fd69ad4be12c

SHA256
5981eee949639cab860e301cab3627c058986f8ff07d9b057c8743ccc34a59df

SHA512
8c424949704cb8a94063963b070db3003bbf2c9aa8b8cc9d4c060cf994a9a046aa0c6f9cb05c28828b759ded6b9696671e6b73a8847422d32dd75e24d722c4e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\uAEw.exe

Filesize
196KB

MD5
f8fd421c81bf23e66c46b05f5e7d3a21

SHA1
dc4e08ef02d6c91364442749cd5a8d589e2267ed

SHA256
a54bbcaf3e96a1fbd1dcb3996e8605430e70860f1b7f7983c7df6f449b46f5c7

SHA512
7d5f17ed9a09b3cb98e0302b1cff6c845852619f116b561f40261063fd7885740b5f82c7deb2010ba5983edd5b59f8bdc5b742f3620233ed9c57ce67ed4e54b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\uAgi.exe

Filesize
192KB

MD5
cf1e1535d0bbd940c62aa1bad1be82ca

SHA1
0ca0ae2a32339413b86cb7ceb740a741106aeaa8

SHA256
099810d461304a692557eabe45e46c258d4c972b49c6b6c3823f2feac1623ce6

SHA512
def4c1a5cd000d64808ff5313478ae5138a31d9a46a03fe3562f92c7a3b1c4b86dcd79b41064a77b512fdfa686c335bca9fa540215c01e3a29318e78c56300c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\uEQW.exe

Filesize
201KB

MD5
8bc0162193674cb4a9ef0f19ac85ff60

SHA1
7e614e8fb97095b6e2df2a624e38d74cb5516df2

SHA256
a6a3f982fb768bf97e04c853cfab884ddeb83b4360464b041358b6d9cc8c22d5

SHA512
6e0482dcb09cb915f243fc69b5d38fd47428b586542bbf14bb5b443600e354ea7d4b071e4d2c94a62c38d6454faaa7a632f1d580025668f9813947e88bda575a

Download Submit
C:\Users\Admin\AppData\Local\Temp\uEge.exe

Filesize
768KB

MD5
401a1c52aa8b50bfc91779d6c818d1f7

SHA1
5971fc6acffef257e300d0a4a9d51fd7a869f465

SHA256
a3f6ec849b11c94128c00b7809ab2acd054072ef24b03226c81fb350bffd5b46

SHA512
0f566b322b8ac8b756b6efed59bb5e886914e077e0bf4651bdb29a43412e9388bcc08157aaea342090b8fa5dc8b26c93db5dee957086ba56b90850d3b57b0b98

Download Submit
C:\Users\Admin\AppData\Local\Temp\uQAI.exe

Filesize
657KB

MD5
25342be360933673079513ca977047d5

SHA1
6cc6e002f2d8d2d75595272f44f2481b94db4f62

SHA256
b4188fd18ac699650f23b6468a6a95bb45b06699108c25a268a0e8700d500378

SHA512
921b170730cb1f067d20ee263f3ead1071260b2af8e616a6bb8b092cbcdabc4c805c31e44aeb6389b1d8bc7ef27ca6e3082ace07f3bcd02796993f206a729e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\uUAA.exe

Filesize
657KB

MD5
ce44f31c93f270e78125d9e27e5722be

SHA1
fefd22a81b7d5c99ffc8d8d234eb8b29bc1edeba

SHA256
c6acc40387be7c4c877b0ad39e22a71006744b02b22a37f2f6bfb732006441e9

SHA512
d0f2e2aa1e1b2a17dff92d286e74577ae1e6ccb6b460fc5537269277a900e61376ea00b93367a320756dafb6146ab4c4edfbfdab458c68c9f5ce8133fcdafac5

Download Submit
C:\Users\Admin\AppData\Local\Temp\wAMy.exe

Filesize
202KB

MD5
33553ac8ebcc29f49a2bdb122de36e50

SHA1
11c2b8d91d3f8184227846f14b86a9f98ee10226

SHA256
5a141f21a3a020c3e16820517242a1071d61f33f65ddd14b21cbd673e0ea662a

SHA512
e8414f1e26f3297b162804c3bce1a25583c5fcd138cc4f90101c49f7226fd7b6d06919cfae6701c5b92dc4cf93970759e90627381c8a323d31f691650cf9aff5

Download Submit
C:\Users\Admin\AppData\Local\Temp\wgYo.exe

Filesize
314KB

MD5
7d6cbe4b3d6023f927ae19382ffccc7f

SHA1
7999c2c4142e0bc793744d037ae54f2e32605b92

SHA256
49d0c9fe92ec95da4a8c903f2c6437fb6cfe30ce0c4f57b32163d97f6d3f451b

SHA512
b419df7ef79fe4a52a22997a6758392c6c7dfb80e0277c4ff74bc1b712fb81347a9510aac14bacf7f54cecc2681196631646aa02ac65f3f4e411d8672dbf1fb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\wooM.exe

Filesize
185KB

MD5
91397bc8ff00a52ddacf71e2b94ff72c

SHA1
5c65c0765beac6a444312f4c8fabf35f020da139

SHA256
3d378b1d0f7b71559ebceba71ec20f3c04b202bd895bdbf87cf75e37740d1250

SHA512
c6cf6e5fb847efd7d8353eef51d6a7558c0ff38c6ec8e75bc87419a0eff0a771ece66477f58fcef3c00680d6b5befc29bc82f2f1381c07d85e5994bb9c092543

Download Submit
C:\Users\Admin\AppData\Local\Temp\yYAW.exe

Filesize
185KB

MD5
d58174b5ead7fc899da93d8f85757e2c

SHA1
c48f01651c864b15b1bbf5bbba18852de6c9a806

SHA256
d766c9740bb2df404b1f551b8d408a14604cbaf345f1401e473d011e163d3e7d

SHA512
ffb50ba1d5f7d56be6b6f4bd4a081ef485d2e173e9d310d5af1937829877fe28a267cfdd25aeb33540d239e99f37fd86c81718d21bec91bc0fb7f2aed4fda374

Download Submit
C:\Users\Admin\AppData\Local\Temp\ygki.exe

Filesize
201KB

MD5
848d7d971cc05ab52ce4f328c48250de

SHA1
0de923bdd28ece2bf294c9217cb47944746355dc

SHA256
39769ccd2beb944f075efc3d335e446de49306285cbc3abf68a3aa695e29237c

SHA512
512456aa20d9e259c9c0a53cd5582ae6063950c3da13083c660b93c56a108a08a05521f54458f61f06e9a8a250ba18b7f083d60ddcab1b8de021615c16dd6879

Download Submit
C:\Users\Admin\AppData\Local\Temp\ygko.exe

Filesize
198KB

MD5
1b554a9ca1a9e4053ffd602f9d1af99c

SHA1
8654dce378f1a66f5ed4bde960a08aaf07e52a59

SHA256
8def16199a95a0490dc724dbc95dd5a0b3db49c5f2a20cc25c9981da4f164f0b

SHA512
f5b8bf363e7e8c95096da5b6c5606a25aca5dd5b4e6d7cbd5945c1271001a020524e9287d0e87dd915905415e8710d52404b1997dc53d4f9f54e65ce80d558ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\yosA.exe

Filesize
564KB

MD5
5a23380fbf7bfa7b7d378430da5ebbd9

SHA1
04953563d1ef3f6af634c4a91d8d5765db583e66

SHA256
92f834a59c7cfff2faeb07f9f5b5c55b4c2a0b68b0fd581aedd270d1f1fafabe

SHA512
b949c0a5433ce43a2a44420312bb7d821b15599e9d90894f112e4514b918c7ab6249494b8f130626fa0688866dc50dc5d5eea36ecdd0c8f417bf794af316d216

Download Submit
C:\Users\Admin\AppData\Local\Temp\yscK.exe

Filesize
1.0MB

MD5
3b75398151cbc3529a1d0fc073c8605a

SHA1
16e08d9e7069209e353a76c2883dcc09d0c7e4cd

SHA256
985a658b934185ac13cc47e40625f09913cdf54027a352e78b79aa8e817e9430

SHA512
29aa5fb1366fb320600f6784d12b106d209b38e85d29fbb1145f1af76c13c88c8cdab9b7d30e4dc54ab924fd5dee8075e8b9da9934538b2610ee6cec81319d3e

Download Submit
C:\Users\Admin\gwwoYEQk\YkQkMccU.exe

Filesize
197KB

MD5
e79270a92ec532a5805b356887da883e

SHA1
1575691a77d2f7b87cd66fac9bda0b3333d3ed61

SHA256
379d80605a6922b59d01fdba9c39028cfbcf61f533b54694df822b43f738f47d

SHA512
705829c95e11cc71c92bd6c6e574daf585cfc599710c3aa968e7517ad65334a4363cdf2a9c39dd3b079d621efb8f9bfc4a4a6d830eb36eac775fa5127b9ffe61

Download Submit
memory/336-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/396-147-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/468-66-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/576-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/868-651-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/868-642-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/888-560-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/976-90-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1032-125-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1032-587-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1048-418-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1268-480-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1268-472-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1436-463-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1584-614-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1584-605-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1680-669-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1680-656-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1736-350-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1756-78-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1756-62-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2216-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2252-579-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2252-499-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2252-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2456-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2456-247-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2484-712-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2596-101-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2608-517-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2892-333-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2900-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2900-148-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2900-264-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2968-720-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3128-14-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3200-615-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3200-623-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3272-686-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3300-164-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3300-173-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3320-309-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3360-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3396-595-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3528-694-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3540-291-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3544-490-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3604-414-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3604-428-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3608-641-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3608-283-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3616-325-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3748-367-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3792-569-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3792-561-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3800-54-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3800-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3880-631-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3944-393-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4056-273-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4056-265-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4284-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4284-19-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4328-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4544-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4544-220-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4556-525-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4560-375-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4604-678-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4688-604-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4720-195-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4808-436-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4864-507-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5000-660-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5000-650-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5040-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5076-544-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5148-471-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5184-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5284-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5428-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5428-221-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5432-454-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5432-441-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5436-534-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5436-526-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5452-445-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5496-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5516-209-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5524-552-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5592-729-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5592-721-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5712-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5728-43-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5836-702-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6020-409-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download