3ca3cf4fd5903f075c9d524a4cf3cb07e3cb4d04200c887bb7fd8ebd2fd94a6c

Analysis

max time kernel
150s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20/09/2024, 12:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
Size

742KB
MD5

c2f2ce5f0660afce6129275ef6e8d5aa
SHA1

2d7340dabae0b25c7c74d1e5fedb067c3b81bb35
SHA256

3ca3cf4fd5903f075c9d524a4cf3cb07e3cb4d04200c887bb7fd8ebd2fd94a6c
SHA512

031d53cfab712c2ca31f7c0575048773c9c2760eee13ae944561ef6a3c0fc75742c8cec727c02983bd73c41802eba860410130d918b7850be4f01f7f517e4888
SSDEEP

12288:8jgpOimob/2G4R+/H+l9gAlKOyNU10IW2ZZe9hQbJB+BR2x4fl7ttiLU7xKn:+gpP/29+fI6zOyNU10IWwQ9h8BNx4t72

Score

10^/10

discovery evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (76) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Blocklisted process makes network request 5 IoCs

flow	pid	Process
33	5040	Process not Found
37	5040	Process not Found
39	5040	Process not Found
41	5040	Process not Found
43	5040	Process not Found

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	mIcAkccY.exe

Executes dropped EXE 2 IoCs

pid	Process
3012	mIcAkccY.exe
244	JIcsYgAg.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mIcAkccY.exe = "C:\\Users\\Admin\\IuQcEkQs\\mIcAkccY.exe"	2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JIcsYgAg.exe = "C:\\ProgramData\\SQEsMsMk\\JIcsYgAg.exe"	2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mIcAkccY.exe = "C:\\Users\\Admin\\IuQcEkQs\\mIcAkccY.exe"	mIcAkccY.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JIcsYgAg.exe = "C:\\ProgramData\\SQEsMsMk\\JIcsYgAg.exe"	JIcsYgAg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
4516	reg.exe
1792	reg.exe
1936	reg.exe
4968	reg.exe
3488	reg.exe
2676	reg.exe
1792	reg.exe
4372	reg.exe
808	reg.exe
2028	reg.exe
1732	reg.exe
64	reg.exe
3652	Process not Found
2824	reg.exe
4720	reg.exe
3968	reg.exe
2352	reg.exe
1872	reg.exe
2400	reg.exe
1812	reg.exe
2672	reg.exe
208	reg.exe
1892	reg.exe
3056	reg.exe
4076	reg.exe
4776	reg.exe
4764	Process not Found
2624	reg.exe
4976	reg.exe
4776	reg.exe
1740	reg.exe
2352	reg.exe
4500	reg.exe
2776	reg.exe
228	reg.exe
2352	reg.exe
5024	reg.exe
2688	reg.exe
3400	reg.exe
3268	reg.exe
3204	reg.exe
3380	reg.exe
4304	reg.exe
1484	Process not Found
2912	reg.exe
2668	reg.exe
5112	reg.exe
4516	reg.exe
3268	reg.exe
1740	reg.exe
3900	reg.exe
5112	reg.exe
3036	reg.exe
4940	reg.exe
3372	reg.exe
1884	reg.exe
3536	reg.exe
2968	reg.exe
1296	reg.exe
1792	Process not Found
644	reg.exe
2576	reg.exe
3644	reg.exe
692	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5060	2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
5060	2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
5060	2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
5060	2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
2724	2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
2724	2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
2724	2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
2724	2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
4516	2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
4516	2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
4516	2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
4516	2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
3652	2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
3652	2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
3652	2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
3652	2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
4352	2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
4352	2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
4352	2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
4352	2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
3552	2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
3552	2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
3552	2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
3552	2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
4556	2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
4556	2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
4556	2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
4556	2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
3224	2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
3224	2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
3224	2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
3224	2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
2452	2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
2452	2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
2452	2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
2452	2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
3196	2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
3196	2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
3196	2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
3196	2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
3364	2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
3364	2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
3364	2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
3364	2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
544	2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
544	2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
544	2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
544	2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
3488	2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
3488	2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
3488	2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
3488	2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
2752	2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
2752	2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
2752	2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
2752	2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
2920	2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
2920	2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
2920	2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
2920	2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
1880	2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
1880	2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
1880	2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
1880	2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3012	mIcAkccY.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3012	mIcAkccY.exe
3012	mIcAkccY.exe
3012	mIcAkccY.exe
3012	mIcAkccY.exe
3012	mIcAkccY.exe
3012	mIcAkccY.exe
3012	mIcAkccY.exe
3012	mIcAkccY.exe
3012	mIcAkccY.exe
3012	mIcAkccY.exe
3012	mIcAkccY.exe
3012	mIcAkccY.exe
3012	mIcAkccY.exe
3012	mIcAkccY.exe
3012	mIcAkccY.exe
3012	mIcAkccY.exe
3012	mIcAkccY.exe
3012	mIcAkccY.exe
3012	mIcAkccY.exe
3012	mIcAkccY.exe
3012	mIcAkccY.exe
3012	mIcAkccY.exe
3012	mIcAkccY.exe
3012	mIcAkccY.exe
3012	mIcAkccY.exe
3012	mIcAkccY.exe
3012	mIcAkccY.exe
3012	mIcAkccY.exe
3012	mIcAkccY.exe
3012	mIcAkccY.exe
3012	mIcAkccY.exe
3012	mIcAkccY.exe
3012	mIcAkccY.exe
3012	mIcAkccY.exe
3012	mIcAkccY.exe
3012	mIcAkccY.exe
3012	mIcAkccY.exe
3012	mIcAkccY.exe
3012	mIcAkccY.exe
3012	mIcAkccY.exe
3012	mIcAkccY.exe
3012	mIcAkccY.exe
3012	mIcAkccY.exe
3012	mIcAkccY.exe
3012	mIcAkccY.exe
3012	mIcAkccY.exe
3012	mIcAkccY.exe
3012	mIcAkccY.exe
3012	mIcAkccY.exe
3012	mIcAkccY.exe
3012	mIcAkccY.exe
3012	mIcAkccY.exe
3012	mIcAkccY.exe
3012	mIcAkccY.exe
3012	mIcAkccY.exe
3012	mIcAkccY.exe
3012	mIcAkccY.exe
3012	mIcAkccY.exe
3012	mIcAkccY.exe
3012	mIcAkccY.exe
3012	mIcAkccY.exe
3012	mIcAkccY.exe
3012	mIcAkccY.exe
3012	mIcAkccY.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5060 wrote to memory of 3012	5060	2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe	89
PID 5060 wrote to memory of 3012	5060	2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe	89
PID 5060 wrote to memory of 3012	5060	2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe	89
PID 5060 wrote to memory of 244	5060	2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe	90
PID 5060 wrote to memory of 244	5060	2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe	90
PID 5060 wrote to memory of 244	5060	2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe	90
PID 5060 wrote to memory of 5052	5060	2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe	91
PID 5060 wrote to memory of 5052	5060	2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe	91
PID 5060 wrote to memory of 5052	5060	2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe	91
PID 5060 wrote to memory of 1744	5060	2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe	93
PID 5060 wrote to memory of 1744	5060	2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe	93
PID 5060 wrote to memory of 1744	5060	2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe	93
PID 5060 wrote to memory of 4792	5060	2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe	94
PID 5060 wrote to memory of 4792	5060	2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe	94
PID 5060 wrote to memory of 4792	5060	2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe	94
PID 5060 wrote to memory of 4820	5060	2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe	95
PID 5060 wrote to memory of 4820	5060	2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe	95
PID 5060 wrote to memory of 4820	5060	2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe	95
PID 5060 wrote to memory of 2940	5060	2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe	96
PID 5060 wrote to memory of 2940	5060	2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe	96
PID 5060 wrote to memory of 2940	5060	2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe	96
PID 5052 wrote to memory of 2724	5052	cmd.exe	97
PID 5052 wrote to memory of 2724	5052	cmd.exe	97
PID 5052 wrote to memory of 2724	5052	cmd.exe	97
PID 2940 wrote to memory of 4912	2940	cmd.exe	102
PID 2940 wrote to memory of 4912	2940	cmd.exe	102
PID 2940 wrote to memory of 4912	2940	cmd.exe	102
PID 2724 wrote to memory of 2624	2724	2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe	103
PID 2724 wrote to memory of 2624	2724	2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe	103
PID 2724 wrote to memory of 2624	2724	2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe	103
PID 2724 wrote to memory of 764	2724	2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe	105
PID 2724 wrote to memory of 764	2724	2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe	105
PID 2724 wrote to memory of 764	2724	2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe	105
PID 2724 wrote to memory of 3644	2724	2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe	106
PID 2724 wrote to memory of 3644	2724	2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe	106
PID 2724 wrote to memory of 3644	2724	2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe	106
PID 2724 wrote to memory of 2828	2724	2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe	107
PID 2724 wrote to memory of 2828	2724	2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe	107
PID 2724 wrote to memory of 2828	2724	2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe	107
PID 2724 wrote to memory of 216	2724	2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe	108
PID 2724 wrote to memory of 216	2724	2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe	108
PID 2724 wrote to memory of 216	2724	2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe	108
PID 2624 wrote to memory of 4516	2624	cmd.exe	113
PID 2624 wrote to memory of 4516	2624	cmd.exe	113
PID 2624 wrote to memory of 4516	2624	cmd.exe	113
PID 216 wrote to memory of 4744	216	cmd.exe	114
PID 216 wrote to memory of 4744	216	cmd.exe	114
PID 216 wrote to memory of 4744	216	cmd.exe	114
PID 4516 wrote to memory of 1864	4516	2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe	115
PID 4516 wrote to memory of 1864	4516	2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe	115
PID 4516 wrote to memory of 1864	4516	2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe	115
PID 4516 wrote to memory of 2068	4516	2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe	117
PID 4516 wrote to memory of 2068	4516	2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe	117
PID 4516 wrote to memory of 2068	4516	2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe	117
PID 4516 wrote to memory of 2352	4516	2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe	118
PID 4516 wrote to memory of 2352	4516	2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe	118
PID 4516 wrote to memory of 2352	4516	2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe	118
PID 4516 wrote to memory of 4328	4516	2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe	119
PID 4516 wrote to memory of 4328	4516	2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe	119
PID 4516 wrote to memory of 4328	4516	2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe	119
PID 4516 wrote to memory of 4928	4516	2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe	176
PID 4516 wrote to memory of 4928	4516	2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe	176
PID 4516 wrote to memory of 4928	4516	2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe	176
PID 1864 wrote to memory of 3652	1864	cmd.exe	125

C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5060
- C:\Users\Admin\IuQcEkQs\mIcAkccY.exe
  "C:\Users\Admin\IuQcEkQs\mIcAkccY.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:3012
- C:\ProgramData\SQEsMsMk\JIcsYgAg.exe
  "C:\ProgramData\SQEsMsMk\JIcsYgAg.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:244
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5052
- - C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
    C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2724
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2624
    - - C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4516
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1864
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock"
        8⤵
        
        PID:3492
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock"
        10⤵
        
        PID:4796
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock"
        12⤵
        
        PID:2944
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock"
        14⤵
        
        PID:692
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock"
        16⤵
        
        PID:3996
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        17⤵
        
        PID:4928
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock"
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:2116
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock"
        20⤵
        
        PID:2508
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock"
        22⤵
        
        PID:4280
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock"
        24⤵
        
        PID:3584
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock"
        26⤵
        
        PID:4272
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock"
        28⤵
        
        PID:3484
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock"
        30⤵
        
        PID:4720
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock"
        32⤵
        
        PID:5040
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock
        33⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock"
        34⤵
        
        PID:4212
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        35⤵
        
        PID:3488
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock
        35⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock"
        36⤵
        
        PID:264
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock
        37⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock"
        38⤵
        
        PID:3940
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        39⤵
        
        PID:544
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock
        39⤵
        
        PID:4056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock"
        40⤵
        
        PID:4116
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock
        41⤵
        
        PID:228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock"
        42⤵
        System Location Discovery: System Language Discovery
        
        PID:2740
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock
        43⤵
        System Location Discovery: System Language Discovery
        
        PID:2672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock"
        44⤵
        
        PID:2920
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock
        45⤵
        System Location Discovery: System Language Discovery
        
        PID:1968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock"
        46⤵
        
        PID:1712
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock
        47⤵
        
        PID:688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock"
        48⤵
        
        PID:1480
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock
        49⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock"
        50⤵
        
        PID:4708
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock
        51⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock"
        52⤵
        
        PID:4236
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock
        53⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock"
        54⤵
        
        PID:1188
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock
        55⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock"
        56⤵
        
        PID:3552
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock
        57⤵
        
        PID:808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock"
        58⤵
        
        PID:2948
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock
        59⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock"
        60⤵
        
        PID:1988
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock
        61⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock"
        62⤵
        
        PID:2452
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        63⤵
        
        PID:3664
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock
        63⤵
        
        PID:1324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock"
        64⤵
        
        PID:2400
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock
        65⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock"
        66⤵
        
        PID:4556
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        67⤵
        
        PID:264
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock
        67⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock"
        68⤵
        
        PID:4076
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock
        69⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock"
        70⤵
        
        PID:2440
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock
        71⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock"
        72⤵
        
        PID:3588
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock
        73⤵
        
        PID:948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock"
        74⤵
        
        PID:2724
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock
        75⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock"
        76⤵
        
        PID:64
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock
        77⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock"
        78⤵
        
        PID:4720
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock
        79⤵
        
        PID:3440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock"
        80⤵
        
        PID:948
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock
        81⤵
        
        PID:264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock"
        82⤵
        
        PID:4076
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock
        83⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock"
        84⤵
        System Location Discovery: System Language Discovery
        
        PID:4228
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock
        85⤵
        
        PID:848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock"
        86⤵
        
        PID:3964
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock
        87⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock"
        88⤵
        
        PID:4868
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        89⤵
        
        PID:5112
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock
        89⤵
        
        PID:3224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock"
        90⤵
        
        PID:4052
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        91⤵
        
        PID:1748
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock
        91⤵
        
        PID:3144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock"
        92⤵
        
        PID:2500
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        93⤵
        
        PID:2032
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock
        93⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock"
        94⤵
        
        PID:4904
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        95⤵
        
        PID:4252
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock
        95⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock"
        96⤵
        
        PID:3136
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock
        97⤵
        
        PID:208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock"
        98⤵
        
        PID:4512
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock
        99⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock"
        100⤵
        System Location Discovery: System Language Discovery
        
        PID:228
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock
        101⤵
        System Location Discovery: System Language Discovery
        
        PID:4988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock"
        102⤵
        
        PID:2300
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        103⤵
        
        PID:1928
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock
        103⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock"
        104⤵
        
        PID:4868
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock
        105⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock"
        106⤵
        System Location Discovery: System Language Discovery
        
        PID:2676
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock
        107⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock"
        108⤵
        
        PID:2724
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock
        109⤵
        
        PID:228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock"
        110⤵
        
        PID:1572
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock
        111⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock"
        112⤵
        
        PID:1740
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock
        113⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock"
        114⤵
        
        PID:4644
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock
        115⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock"
        116⤵
        System Location Discovery: System Language Discovery
        
        PID:1296
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock
        117⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock"
        118⤵
        
        PID:3144
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock
        119⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock"
        120⤵
        
        PID:2672
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock
        121⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock"
        122⤵
        
        PID:1032
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock
        123⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock"
        124⤵
        
        PID:2512
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock
        125⤵
        System Location Discovery: System Language Discovery
        
        PID:1232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock"
        126⤵
        
        PID:4584
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock
        127⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock"
        128⤵
        
        PID:4296
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock
        129⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock"
        130⤵
        
        PID:3640
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock
        131⤵
        
        PID:4764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock"
        132⤵
        
        PID:5036
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock
        133⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock"
        134⤵
        
        PID:1864
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock
        135⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock"
        136⤵
        
        PID:4556
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock
        137⤵
        
        PID:3144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock"
        138⤵
        
        PID:5052
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock
        139⤵
        
        PID:4252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock"
        140⤵
        
        PID:1484
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock
        141⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock"
        142⤵
        
        PID:4708
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock
        143⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock"
        144⤵
        
        PID:1864
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock
        145⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock"
        146⤵
        
        PID:3380
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock
        147⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock"
        148⤵
        
        PID:1416
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock
        149⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock"
        150⤵
        
        PID:3144
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        151⤵
        
        PID:892
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock
        151⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock"
        152⤵
        
        PID:2944
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock
        153⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock"
        154⤵
        
        PID:3868
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock
        155⤵
        
        PID:3412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock"
        156⤵
        
        PID:3140
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock
        157⤵
        
        PID:1032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock"
        158⤵
        
        PID:3292
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        159⤵
        
        PID:4904
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock
        159⤵
        
        PID:3144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock"
        160⤵
        
        PID:3552
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock
        161⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock"
        162⤵
        
        PID:1092
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock
        163⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock"
        164⤵
        
        PID:5088
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock
        165⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock"
        166⤵
        
        PID:692
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        167⤵
        
        PID:2300
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock
        167⤵
        
        PID:3664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock"
        168⤵
        
        PID:2968
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock
        169⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock"
        170⤵
        
        PID:1484
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock
        171⤵
        
        PID:3276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock"
        172⤵
        
        PID:3868
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock
        173⤵
        
        PID:3440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock"
        174⤵
        
        PID:2224
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        175⤵
        
        PID:1324
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock
        175⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock"
        176⤵
        System Location Discovery: System Language Discovery
        
        PID:3144
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        177⤵
        
        PID:3268
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock
        177⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock"
        178⤵
        
        PID:2624
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock
        179⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock"
        180⤵
        System Location Discovery: System Language Discovery
        
        PID:4428
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock
        181⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock"
        182⤵
        
        PID:2800
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock
        183⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock"
        184⤵
        System Location Discovery: System Language Discovery
        
        PID:5040
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        185⤵
        
        PID:3488
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock
        185⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock"
        186⤵
        System Location Discovery: System Language Discovery
        
        PID:3636
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock
        187⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock"
        188⤵
        
        PID:3868
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock
        189⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock"
        190⤵
        
        PID:1756
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock
        191⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock"
        192⤵
        
        PID:1744
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock
        193⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock"
        194⤵
        
        PID:2484
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock
        195⤵
        
        PID:264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock"
        196⤵
        
        PID:3640
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock
        197⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock"
        198⤵
        
        PID:4764
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock
        199⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock"
        200⤵
        
        PID:4920
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        201⤵
        
        PID:4056
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock
        201⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock"
        202⤵
        
        PID:2576
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock
        203⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock"
        204⤵
        
        PID:732
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        205⤵
        
        PID:2624
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock
        205⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock"
        206⤵
        System Location Discovery: System Language Discovery
        
        PID:4660
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock
        207⤵
        
        PID:4160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock"
        208⤵
        
        PID:3256
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock
        209⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock"
        210⤵
        
        PID:472
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        211⤵
        
        PID:4544
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock
        211⤵
        System Location Discovery: System Language Discovery
        
        PID:3868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock"
        212⤵
        
        PID:1416
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock
        213⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock"
        214⤵
        
        PID:1440
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock
        215⤵
        
        PID:4116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock"
        216⤵
        
        PID:2664
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock
        217⤵
        
        PID:264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock"
        218⤵
        
        PID:1744
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock
        219⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock"
        220⤵
        
        PID:2864
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock
        221⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock"
        222⤵
        
        PID:3808
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock
        223⤵
        
        PID:948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock"
        224⤵
        
        PID:3076
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock
        225⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock"
        226⤵
        
        PID:4332
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock
        227⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock"
        228⤵
        
        PID:1900
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock
        229⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock"
        230⤵
        
        PID:2676
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock
        231⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock"
        232⤵
        
        PID:1440
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock
        233⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock"
        234⤵
        
        PID:3196
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock
        235⤵
        
        PID:3220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock"
        236⤵
        
        PID:1980
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock
        237⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock"
        238⤵
        
        PID:2484
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock
        239⤵
        
        PID:820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock"
        240⤵
        
        PID:2500
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock
        241⤵
        System Location Discovery: System Language Discovery
        
        PID:4704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock"
        242⤵
        
        PID:644
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock
        243⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock"
        244⤵
        
        PID:692
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        245⤵
        
        PID:2724
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock
        245⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock"
        246⤵
        
        PID:1584
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        247⤵
        
        PID:4584
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock
        247⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock"
        248⤵
        System Location Discovery: System Language Discovery
        
        PID:4156
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock
        249⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock"
        250⤵
        
        PID:3720
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock
        251⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock"
        252⤵
        
        PID:4476
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        253⤵
        
        PID:1232
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock
        253⤵
        
        PID:3868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock"
        254⤵
        
        PID:3240
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock
        255⤵
        
        PID:3536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock"
        256⤵
        
        PID:3484
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        257⤵
        
        PID:3664
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock
        257⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        256⤵
        System Location Discovery: System Language Discovery
        
        PID:4572
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        257⤵
        
        PID:208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        256⤵
        
        PID:4356
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        257⤵
        
        PID:644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        256⤵
        Modifies registry key
        
        PID:2688
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        257⤵
        
        PID:1188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ygskQUkU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe""
        256⤵
        
        PID:3900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        254⤵
        
        PID:1032
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        255⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        254⤵
        
        PID:1744
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        255⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        254⤵
        UAC bypass
        
        PID:1892
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        255⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xeEUcwMA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe""
        254⤵
        
        PID:4820
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        255⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        255⤵
        
        PID:3600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        252⤵
        
        PID:2900
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        253⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        252⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        252⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DgUYkAsY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe""
        252⤵
        System Location Discovery: System Language Discovery
        
        PID:4920
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        253⤵
        
        PID:3892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        250⤵
        
        PID:2224
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        251⤵
        
        PID:3864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        250⤵
        
        PID:852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        250⤵
        
        PID:4152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uUkcIMgU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe""
        250⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        251⤵
        
        PID:3268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        248⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        248⤵
        
        PID:808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        248⤵
        UAC bypass
        
        PID:2668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lyUUwYAY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe""
        248⤵
        
        PID:544
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        249⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        246⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3592
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        247⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        246⤵
        
        PID:820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        246⤵
        UAC bypass
        
        PID:4788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ouQgMYIY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe""
        246⤵
        
        PID:1032
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        247⤵
        System Location Discovery: System Language Discovery
        
        PID:1180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        244⤵
        Modifies registry key
        
        PID:4776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        244⤵
        
        PID:472
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        245⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        244⤵
        UAC bypass
        
        PID:3024
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        245⤵
        
        PID:1296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sSoYMgMU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe""
        244⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        245⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        242⤵
        
        PID:3484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        242⤵
        System Location Discovery: System Language Discovery
        
        PID:1324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        242⤵
        UAC bypass
        
        PID:4992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UygYAcEw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe""
        242⤵
        
        PID:4000
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        243⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        243⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        240⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        240⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        240⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XGgMQsoA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe""
        240⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        241⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        238⤵
        
        PID:2676
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        239⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        238⤵
        
        PID:732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        238⤵
        
        PID:3468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JCQQYUsc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe""
        238⤵
        
        PID:4868
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        239⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        239⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        236⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        236⤵
        Modifies registry key
        
        PID:3536
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        237⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        236⤵
        UAC bypass
        
        PID:3664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UiowQAMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe""
        236⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        237⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        234⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        234⤵
        
        PID:808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        234⤵
        UAC bypass
        
        PID:3540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kUowEsks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe""
        234⤵
        
        PID:644
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        235⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        235⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        232⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        232⤵
        Modifies registry key
        
        PID:5112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        232⤵
        UAC bypass
        
        PID:3144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hokwcIcE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe""
        232⤵
        
        PID:4268
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        233⤵
        
        PID:3372
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        233⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        230⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        230⤵
        
        PID:3484
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        231⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        230⤵
        Modifies registry key
        
        PID:1296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rkIMAcQo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe""
        230⤵
        
        PID:4112
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        231⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        228⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1740
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        229⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        228⤵
        Modifies registry key
        
        PID:64
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        229⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        228⤵
        UAC bypass
        
        PID:2800
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        229⤵
        
        PID:228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tosIUQII.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe""
        228⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        229⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        226⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        226⤵
        Modifies registry key
        
        PID:4776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        226⤵
        UAC bypass
        
        PID:1880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CGYAIwsU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe""
        226⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        227⤵
        
        PID:3412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        224⤵
        Modifies registry key
        
        PID:2352
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        225⤵
        
        PID:4492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        224⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        224⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CwAEQgME.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe""
        224⤵
        
        PID:1260
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        225⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        222⤵
        
        PID:4028
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        223⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        222⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        222⤵
        Modifies registry key
        
        PID:3900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RmAUcwEs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe""
        222⤵
        
        PID:4988
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        223⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        223⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        220⤵
        Modifies visibility of file extensions in Explorer
        
        PID:644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        220⤵
        
        PID:2900
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        221⤵
        
        PID:3400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        220⤵
        UAC bypass
        
        PID:2484
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        221⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gQMUEAkA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe""
        220⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        221⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        218⤵
        Modifies visibility of file extensions in Explorer
        
        PID:216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        218⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        218⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uAgwAgsw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe""
        218⤵
        
        PID:1260
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        219⤵
        
        PID:228
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        219⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        216⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        216⤵
        Modifies registry key
        
        PID:3372
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        217⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        216⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RMUoIQUM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe""
        216⤵
        
        PID:4180
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        217⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        214⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        214⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        214⤵
        UAC bypass
        
        PID:2452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dywAMokE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe""
        214⤵
        
        PID:3400
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        215⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        212⤵
        
        PID:4076
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        213⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        212⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        212⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GmogQMMs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe""
        212⤵
        
        PID:3292
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        213⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        210⤵
        Modifies registry key
        
        PID:4304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        210⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        210⤵
        
        PID:3268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nCckUcws.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe""
        210⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        211⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        208⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        208⤵
        
        PID:2956
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        209⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        208⤵
        UAC bypass
        
        PID:1180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\POoMMIwA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe""
        208⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        209⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        206⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        206⤵
        Modifies registry key
        
        PID:4968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        206⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NawIQUwY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe""
        206⤵
        
        PID:1188
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        207⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        204⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        204⤵
        System Location Discovery: System Language Discovery
        
        PID:3364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        204⤵
        
        PID:544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BIkQYkcc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe""
        204⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        205⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        202⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:4976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        202⤵
        
        PID:3024
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        203⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        202⤵
        System Location Discovery: System Language Discovery
        
        PID:4172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OAQYEEIE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe""
        202⤵
        
        PID:852
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        203⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        200⤵
        
        PID:4788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        200⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        200⤵
        UAC bypass
        
        PID:948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jiYgYAUQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe""
        200⤵
        
        PID:1708
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        201⤵
        
        PID:64
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        201⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        198⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5052
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        199⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        198⤵
        
        PID:2924
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        199⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        198⤵
        System Location Discovery: System Language Discovery
        
        PID:3484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iaocosAY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe""
        198⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        199⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        196⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        196⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        196⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WQAQgwII.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe""
        196⤵
        
        PID:2724
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        197⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        197⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        194⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        194⤵
        
        PID:4452
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        195⤵
        
        PID:3204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        194⤵
        System Location Discovery: System Language Discovery
        
        PID:1584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OkYoIIgc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe""
        194⤵
        System Location Discovery: System Language Discovery
        
        PID:2916
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        195⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        195⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        192⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:2872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        192⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        192⤵
        
        PID:4112
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        193⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ckkwcAYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe""
        192⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        193⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        190⤵
        Modifies registry key
        
        PID:1792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        190⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        190⤵
        Modifies registry key
        
        PID:1936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SiUkgUMA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe""
        190⤵
        
        PID:4056
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        191⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        188⤵
        Modifies registry key
        
        PID:3968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        188⤵
        Modifies registry key
        
        PID:1732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        188⤵
        Modifies registry key
        
        PID:3380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yAYUQkYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe""
        188⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        189⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        186⤵
        Modifies visibility of file extensions in Explorer
        
        PID:472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        186⤵
        Modifies registry key
        
        PID:1740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        186⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZeUkoQwc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe""
        186⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        187⤵
        
        PID:1232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        184⤵
        Modifies registry key
        
        PID:4516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        184⤵
        
        PID:4492
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        185⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        184⤵
        
        PID:3864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oOEsEAUY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe""
        184⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        185⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        182⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        182⤵
        
        PID:3412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        182⤵
        UAC bypass
        
        PID:1932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MMMQUYoE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe""
        182⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        183⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        180⤵
        Modifies registry key
        
        PID:2028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        180⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        180⤵
        UAC bypass
        
        PID:4356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bussAUsw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe""
        180⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        181⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        178⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        178⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        178⤵
        UAC bypass
        
        PID:2452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yKsUswoQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe""
        178⤵
        
        PID:4492
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        179⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        176⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        176⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        176⤵
        Modifies registry key
        
        PID:4500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MOAIIgMw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe""
        176⤵
        
        PID:1032
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        177⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        174⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        174⤵
        
        PID:3484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        174⤵
        UAC bypass
        
        PID:2676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ccEoAoQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe""
        174⤵
        
        PID:4512
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        175⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        175⤵
        
        PID:948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        172⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3664
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        173⤵
        
        PID:3140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        172⤵
        System Location Discovery: System Language Discovery
        
        PID:4788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        172⤵
        Modifies registry key
        
        PID:4940
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        173⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ScEQIsgY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe""
        172⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        173⤵
        
        PID:264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        170⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        170⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        170⤵
        UAC bypass
        
        PID:3076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xuEYckUM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe""
        170⤵
        System Location Discovery: System Language Discovery
        
        PID:1892
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        171⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        171⤵
        
        PID:3892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        168⤵
        Modifies registry key
        
        PID:2624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        168⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        168⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:3268
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        169⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xuUoMEkg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe""
        168⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        169⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        166⤵
        Modifies registry key
        
        PID:2668
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        167⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        166⤵
        
        PID:4920
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        167⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        166⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:1232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RmgIUEkg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe""
        166⤵
        
        PID:416
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        167⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        164⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        164⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        164⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AQkIMYgk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe""
        164⤵
        
        PID:3276
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        165⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        162⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        162⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        162⤵
        UAC bypass
        Modifies registry key
        
        PID:228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UYsAAMQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe""
        162⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        163⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        160⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        160⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        160⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:5112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KUYoEEgc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe""
        160⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        161⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        158⤵
        
        PID:3372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        158⤵
        
        PID:1580
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        159⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        158⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FWgkMUEI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe""
        158⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        159⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        156⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        156⤵
        
        PID:420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        156⤵
        System Location Discovery: System Language Discovery
        
        PID:1416
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        157⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ncAIQIsY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe""
        156⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        157⤵
        
        PID:208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        154⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        154⤵
        
        PID:4172
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        155⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        154⤵
        UAC bypass
        
        PID:1492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NoEIoAwQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe""
        154⤵
        
        PID:4076
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        155⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        155⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        152⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        152⤵
        
        PID:4644
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        153⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        152⤵
        UAC bypass
        
        PID:4180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FsgUwEAY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe""
        152⤵
        
        PID:4500
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        153⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        153⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        150⤵
        Modifies registry key
        
        PID:2912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        150⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        150⤵
        UAC bypass
        Modifies registry key
        
        PID:2968
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        151⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BEwocMAU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe""
        150⤵
        
        PID:4896
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        151⤵
        
        PID:3940
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        151⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        148⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        148⤵
        
        PID:808
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        149⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        148⤵
        UAC bypass
        
        PID:2668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UuEcAwUg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe""
        148⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        149⤵
        System Location Discovery: System Language Discovery
        
        PID:1792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        146⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        146⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        146⤵
        
        PID:3644
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        147⤵
        
        PID:3440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KSswcsUY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe""
        146⤵
        System Location Discovery: System Language Discovery
        
        PID:1692
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        147⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        147⤵
        
        PID:3364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        144⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1032
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        145⤵
        
        PID:4228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        144⤵
        
        PID:3600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        144⤵
        
        PID:4564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\duAwYAQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe""
        144⤵
        
        PID:2576
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        145⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        145⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        142⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        142⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        142⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZCoAEAYM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe""
        142⤵
        
        PID:1932
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        143⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        143⤵
        
        PID:3868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        140⤵
        
        PID:3412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        140⤵
        
        PID:544
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        141⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        140⤵
        
        PID:732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YKQwEQAE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe""
        140⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        141⤵
        
        PID:3372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        138⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        138⤵
        
        PID:2440
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        139⤵
        
        PID:3584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        138⤵
        UAC bypass
        
        PID:4904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sWIcEAwc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe""
        138⤵
        
        PID:4660
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        139⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        139⤵
        
        PID:3808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        136⤵
        Modifies registry key
        
        PID:3268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        136⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        136⤵
        UAC bypass
        
        PID:420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nMYkYQMo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe""
        136⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        137⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        134⤵
        
        PID:3364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        134⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        134⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GsIYsMQE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe""
        134⤵
        
        PID:2872
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        135⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        135⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        132⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4332
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        133⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        132⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        132⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aAYswIoY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe""
        132⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        133⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        Modifies visibility of file extensions in Explorer
        
        PID:208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        Modifies registry key
        
        PID:4720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        UAC bypass
        Modifies registry key
        
        PID:3488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mIcgIskA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe""
        130⤵
        
        PID:64
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        131⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        
        PID:3364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eqQAgcsM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe""
        128⤵
        
        PID:3940
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        129⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        129⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        
        PID:3144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        UAC bypass
        
        PID:3204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OkEAIgkY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe""
        126⤵
        
        PID:4180
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        127⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        UAC bypass
        Modifies registry key
        
        PID:644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sCwksAcY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe""
        124⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        
        PID:4052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\niwwcoII.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe""
        122⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        Modifies registry key
        
        PID:3204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        
        PID:3268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tEAUoksw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe""
        120⤵
        
        PID:4544
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        121⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:3036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fwsAoEMM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe""
        118⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        System Location Discovery: System Language Discovery
        
        PID:4280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        
        PID:3140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KoUwUgMA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe""
        116⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2664
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        115⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        
        PID:3400
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        115⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        UAC bypass
        
        PID:3204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hIYwQcgo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe""
        114⤵
        
        PID:2824
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        115⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        Modifies registry key
        
        PID:1884
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        113⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        
        PID:3196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rKYsgAoc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe""
        112⤵
        
        PID:1232
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:3292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        
        PID:3892
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        111⤵
        
        PID:948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        
        PID:3076
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        111⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        UAC bypass
        
        PID:3488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RsMYccUg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe""
        110⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Hgsgocws.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe""
        108⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        System Location Discovery: System Language Discovery
        
        PID:692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        
        PID:3940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZQUoMAIQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe""
        106⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        
        PID:2924
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        105⤵
        
        PID:1188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hqssgsgE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe""
        104⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        Modifies registry key
        
        PID:1892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        UAC bypass
        
        PID:3652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tksQMEEs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe""
        102⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:3204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        
        PID:64
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        UAC bypass
        
        PID:2512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ACIsosEw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe""
        100⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        UAC bypass
        
        PID:1008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yaoEUkso.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe""
        98⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        Modifies registry key
        
        PID:1792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        UAC bypass
        
        PID:2576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IeQAEUQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe""
        96⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        Modifies registry key
        
        PID:4076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VaAcQAYU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe""
        94⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:3224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        
        PID:3584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        UAC bypass
        Modifies registry key
        
        PID:2824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uKQMswoc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe""
        92⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        Modifies registry key
        
        PID:3268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        Modifies registry key
        
        PID:2776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JoYIsoAM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe""
        90⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        
        PID:1324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        
        PID:416
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        89⤵
        
        PID:64
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QGQMAkgY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe""
        88⤵
        
        PID:216
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eaowookY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe""
        86⤵
        
        PID:1584
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        87⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        
        PID:2864
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        85⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        
        PID:2592
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        85⤵
        
        PID:3940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vuIAAwQY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe""
        84⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        UAC bypass
        
        PID:3608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NcIUMwsY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe""
        82⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        UAC bypass
        
        PID:4660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WUIQoYUg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe""
        80⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        UAC bypass
        
        PID:4940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pSoMcEwQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe""
        78⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        System Location Discovery: System Language Discovery
        
        PID:2388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        Modifies visibility of file extensions in Explorer
        
        PID:808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        
        PID:420
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        77⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        UAC bypass
        
        PID:2064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OqsEIEwc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe""
        76⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        System Location Discovery: System Language Discovery
        
        PID:4424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        UAC bypass
        
        PID:1540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ukMwEwsk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe""
        74⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:1188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:1600
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        73⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QckkMQQI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe""
        72⤵
        
        PID:4352
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        73⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4580
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        71⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qIwsQccs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe""
        70⤵
        
        PID:228
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        Modifies registry key
        
        PID:3056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        
        PID:4116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qEAEIMow.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe""
        68⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        System Location Discovery: System Language Discovery
        
        PID:1932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        UAC bypass
        
        PID:3412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dUcAwYYg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe""
        66⤵
        
        PID:1744
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        67⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        
        PID:3220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kCkskkIs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe""
        64⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1584
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        63⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        
        PID:64
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MAUkEYwM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe""
        62⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        Modifies registry key
        
        PID:692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        
        PID:892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        UAC bypass
        
        PID:1892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TAIIQgEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe""
        60⤵
        
        PID:3224
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        
        PID:4356
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        59⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        
        PID:224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2672
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        59⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WywwcsMs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe""
        58⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oQgAIgMM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe""
        56⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        
        PID:4052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\saEAkgUc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe""
        54⤵
        
        PID:732
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        System Location Discovery: System Language Discovery
        
        PID:4880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        Modifies registry key
        
        PID:2676
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        53⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WAsYcUEI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe""
        52⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        
        PID:1800
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        51⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        
        PID:3220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YKkgYQIE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe""
        50⤵
        System Location Discovery: System Language Discovery
        
        PID:4400
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        51⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:3140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        
        PID:4876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        System Location Discovery: System Language Discovery
        
        PID:2916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        
        PID:3664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pEcsIMAg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe""
        48⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        System Location Discovery: System Language Discovery
        
        PID:2224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        UAC bypass
        
        PID:4252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wKQckcEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe""
        46⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:2944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        
        PID:3328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        
        PID:4748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qQIwUkAY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe""
        44⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3708
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        43⤵
        
        PID:3552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        UAC bypass
        
        PID:1704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PqgQosAY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe""
        42⤵
        
        PID:3220
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:64
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4656
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        41⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        Modifies registry key
        
        PID:5112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QcMYQYUg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe""
        40⤵
        System Location Discovery: System Language Discovery
        
        PID:4876
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:4372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eSUIwEYA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe""
        38⤵
        
        PID:4292
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        System Location Discovery: System Language Discovery
        
        PID:2596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        System Location Discovery: System Language Discovery
        
        PID:4776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        UAC bypass
        
        PID:5000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FCgYYMEg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe""
        36⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        
        PID:4384
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        35⤵
        
        PID:848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        Modifies registry key
        
        PID:2400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uusEMkYM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe""
        34⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:3664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        UAC bypass
        
        PID:1652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OagQUgkk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe""
        32⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        
        PID:2060
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        31⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        UAC bypass
        
        PID:2668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NWIgwAsA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe""
        30⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:3468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:5024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FkEUcocw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe""
        28⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        
        PID:848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        UAC bypass
        
        PID:1864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AuUYYIkU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe""
        26⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        
        PID:216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        UAC bypass
        
        PID:4944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XgUUQYAY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe""
        24⤵
        
        PID:3840
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:3424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        UAC bypass
        
        PID:3596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cUcYgMwg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe""
        22⤵
        
        PID:2624
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        23⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        
        PID:3552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        Modifies registry key
        
        PID:3644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NogIkMkY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe""
        20⤵
        
        PID:1192
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        21⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        
        PID:2288
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        19⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OyUgAEII.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe""
        18⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:4172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fAgwwIQk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe""
        16⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        
        PID:2956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VEUIwEko.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe""
        14⤵
        
        PID:3620
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:1188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        
        PID:3292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HsUgAokI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe""
        12⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        
        PID:848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uoYsUUQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe""
        10⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:4112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        
        PID:4564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:4492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        
        PID:4068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GKsMEUMk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe""
        8⤵
        
        PID:3196
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:3288
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2068
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        Modifies registry key
        
        PID:2352
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        
        PID:4328
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qKgEsQAo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe""
        6⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:3608
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:764
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:3644
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:2828
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hAckQUoY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:216
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:4744
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:1744
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:4792
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:4820
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oUUYwMoc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2940
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:4912

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4152,i,8548254608087149642,10333768245962368401,262144 --variations-seed-version --mojo-platform-channel-handle=4308 /prefetch:8
1⤵
PID:4156

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe aa71ab563410b47aecccad9bc3bff781 xYmGqNJXf0mhOVerWVLKRw.0.1.0.0.0
1⤵
PID:4992
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3196

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:688

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
PID:1756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe

Filesize
234KB

MD5
cc5996afd9869218c2bc5dcd6cd364f6

SHA1
5b0898aecf5fd3da33697b645b9631c637bc20c8

SHA256
b3bbc1014e52816baf29d8d308caaade73cbfc2c059a4b2b72a014dc7cfb7aa6

SHA512
9d825626587c0342beb13405d08b1ff236e7bc834722f5d0ac8ecab4f17890cf26fa8755587cec47913937cc7495de546a801699b34a60e9d3c440c29627cbd2

Download Submit
C:\ProgramData\SQEsMsMk\JIcsYgAg.exe

Filesize
192KB

MD5
9b8ffd7e8620af93290ddd8e682f2ef4

SHA1
a55a9bda6900722539d67e1ed41d3ebcb3a8e29a

SHA256
05414b4f796e8ff158213b21c59784530cf90ec0e98ee591ec66e3eee22a97cf

SHA512
c6a69b3950360b8c4adc1d0449795b19c4b4b40a42f6c00aaf51a6cdb412b62ede790b0c71bb244f09aa37ef35d63771f922c77c5b5e13d72fb58a1595e0a9d6

Download Submit
C:\ProgramData\SQEsMsMk\JIcsYgAg.inf

Filesize
4B

MD5
fe39fb94dd7f1752f8cf543cd0bc0f43

SHA1
7c3413e31e4a1871ecd46d4caa68c6690fbe769e

SHA256
b1c6b1ae2e7872c36e66da0f74408ddbd51fefcb26fe2f27fba3855c2c5eec8c

SHA512
0a0bbc151e8d208b98bc8320866b1a941c32275c9142917d284dbdedb2c6380cc2e7b43f9c90568a6c3b583d45c23269f6c566d0c8e91c2c009f5f25941a17c6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\flapper.gif.exe

Filesize
270KB

MD5
0fb1d2e3b88f01c9d161d81ab54dc53f

SHA1
e079037afb9e3c417d10d026580e376b46928594

SHA256
093f96aba144b1dc02e452f4d203e855c11a9f489aa1dba0618e3009129eaa9a

SHA512
08a8e15b5261a89cb8146d594d56abf921c6dbd9b7d63a4db042f79bb83f73634c516700829d36be3bcc539b471300d7f64240ddf5127a5bf3f86cee002dcd82

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\64.png.exe

Filesize
195KB

MD5
84ef15a9838bd36c6146d2ffbbba6d25

SHA1
bb53837964880f101daf01b983fed87261e07c41

SHA256
d50886bfbca51569ce800234853e386565b6727c16478b3592b6eebfa868f140

SHA512
c353ee5c2d27b28fa27756981bf918b00ecff3c455da5f3cd844511aeecced0f09ddb09f3cec3221a8d313797104545a1244fd9991ee9db0587998d1e696898a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-400.png.exe

Filesize
182KB

MD5
6809208bacd8cbff20e59931be2961b9

SHA1
604a0d6db1abb8c1e3a774ab332ef38f776fd2b2

SHA256
fa1cebbea737c3a1a3b4c9299d0c2ca2417e6a7566054e52a06edcccca6e4ace

SHA512
9b9daa56c692de573270f2cfa3a533cd8ac5f2f47a8c19399bd4a1383c06d2319d3acc1f2225d1f5b41061e6f42c7b1065f6a207b1e8a729006dc7dfa8b915e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-09-20_c2f2ce5f0660afce6129275ef6e8d5aa_virlock

Filesize
548KB

MD5
8969288f4245120e7c3870287cce0ff3

SHA1
1b4605b0e20ceccf91aa278d10e81fad64e24e27

SHA256
ff86372ce43519d675b8d8d29c98e9ccbe905d400ba057c8544fa001fa4d8e73

SHA512
9bdd0c215a9be94f6f677f8ad952fcb5abe876b59a1a2f537c7d9f7668abf4ee47c85acd9e4873c0b474eb98d7b211c08fd8f86b9f695d88d62c9695d88de90a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AEMG.exe

Filesize
189KB

MD5
d35ee44cfd161ca34bcac8bc3347324a

SHA1
e6aff18f9b97cd7e210e0371c65170a4f73f44e4

SHA256
94d0cecebd761e250d7a658512b57c5529723e5c4e6d3815c9fa72a484c49303

SHA512
c092797070467fb7050ce2d295dba1838c269762ee988ba4af7413ffd4d181fb5363b34c894df5aebd1a50a80eeaab312512152cff40c49ff049b6cb47725754

Download Submit
C:\Users\Admin\AppData\Local\Temp\Aoci.exe

Filesize
190KB

MD5
ed100a30ab6b98f167146bdbbb862172

SHA1
8809da4a7e341bdc5e0a025106950cdc8c6389cb

SHA256
48a26a236bec8247f0d4ca58cac3e74ae4157d9a5eaa2b1c42b69629bbd38d3e

SHA512
59641c07e5a63d7d37802eb83611a6946589ed4f8051a31f2f2a5dc58a730cc7f0bc20663aa85367b11ab9938f73c6da988dc8b4e5e30b419d592960bb2df76b

Download Submit
C:\Users\Admin\AppData\Local\Temp\BIQS.exe

Filesize
231KB

MD5
0556aecfe20dfc78b06624ea782622e4

SHA1
47daeed497b21bc9e4401378fe15ed9fa516a059

SHA256
50f2d9c88b216cbaab67a5e4d0de8239faa576484926169f86fe57d9a3891bad

SHA512
1e6734379bcb3d3d74f038d9c82ed971f15ff1a7ff6ca8b7a590d3df50f55a6eff3b029cb795c3f1c92845936c3e30a0f937295349d493213d5928834dee83f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\BUgY.exe

Filesize
973KB

MD5
59204ab7b5486edf270011d07d70dd1c

SHA1
76e2080247d1fe8f34442a6a9c32f5896a697825

SHA256
b228417f11c85fff35263c40098648f03d57578a9bdc0d24164d9df28258842b

SHA512
a1fa43f1ec0dcb20d2cb1f97d0b602546b7a0a257c883e35679bdedeb6250a1d68b5e892f0f8e20a4af35530ab452236f3891b36e38a543d6dab43ed81948f95

Download Submit
C:\Users\Admin\AppData\Local\Temp\CIMM.exe

Filesize
190KB

MD5
0c3786988e4c322b56323fd0accb7118

SHA1
9209423d98ba08939960213cd168c9398d23e2d7

SHA256
5436b10987fa78c489b74bba8106f0f6ae586f5db85a48a8b5e6a5962ea5e097

SHA512
1fcbf298a666ac6e9c7098fc78d1ddcd8b251a8322d7e65ef3de5fd52dd4605918c22cc460ad608ade5fab4a40ae3d38122c2c15f19615d96e0e99f1a7e84459

Download Submit
C:\Users\Admin\AppData\Local\Temp\CYoU.exe

Filesize
237KB

MD5
1b014010f349222deb7cc93e6ddd6ecb

SHA1
931011197354ab1b7baa15abf85421ce885b3448

SHA256
5c3c24763f0823ba0da42056de4d95dbdac451dc2f36b20d4242a751f3242f7c

SHA512
72f750c74971752ab2d1eb97be07c910b7d379452f58c110ff3a11af66f303f021c9086288fbeb32daa4ac79cd415d0b895b4d4944e877c87477faa9aaeb56b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\DQks.ico

Filesize
4KB

MD5
6edd371bd7a23ec01c6a00d53f8723d1

SHA1
7b649ce267a19686d2d07a6c3ee2ca852a549ee6

SHA256
0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7

SHA512
65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\EsEO.exe

Filesize
188KB

MD5
3f249a7fd90614d7561c61ac954937f7

SHA1
f3647b330682c9bc5f22f6172a580e7ebe058c10

SHA256
4eecc599307dda0e3e61c0ff2f694ffa70b2a68662132601d39f9bb9ec60d9d0

SHA512
c70b9cdca7d6cdd21b18f84d3219d9b1b4fbd840bcab408f8d0c8d8999f4077b59378b126390c7fd8a43d6c198d047f284191b94dc913b2c545f84435fa5ffbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\EwMa.exe

Filesize
186KB

MD5
8756083827019f3b759d248041df7370

SHA1
d401b75cca696544bb75d44a39610be01510bbc6

SHA256
6c4095f3546bf5e787faaead428d3e565088dc3e9456dc1e8af5c9c5916d00ed

SHA512
435809da921c0fc1c1208dfc100295592391f5150ae5b236e6bce570511531f794cfe7adb490aae5d2dc415c6f3d188e9cc483cd4b4cb373ac0ace70f1f843e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\FggC.exe

Filesize
180KB

MD5
872c0fc84d463697c601120fc4d4ca64

SHA1
156634d9a75f3e23721db30c0ac14fb6c5cb8ac0

SHA256
b585bbf3d49cda7e58cdb8ba27f836433466bba2b2524975c4f97aaae329730f

SHA512
6e177ee994dde52e673448890741c940c64e320748f95b29824d368053c59f51ea6f125b788b52bbff36e30f642524d1e532c816e8d3e922817b43ddd6d4ec54

Download Submit
C:\Users\Admin\AppData\Local\Temp\GAIi.ico

Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\AppData\Local\Temp\GMIA.exe

Filesize
795KB

MD5
9ff9cb06163b77629d1b67ee65f6f7b0

SHA1
60ae56fef2a2cc8200ae63cb39c07f883e46431d

SHA256
2f4b199ce3468f772635b346f8ec078bda156cb19f39e566cfa2ecb62b0f38ba

SHA512
e1f37228cc2946b19016563dbf05223786695e47ed1c37a88e353f9e77ef9292882ecd9ccbd82d3db41e3c96e26d71697b0c83a4338ab967af32cf16009cb1de

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gksi.exe

Filesize
330KB

MD5
9ca3279c2107ee69cfd86dbd36b10898

SHA1
7d48bae8891fc7560c9db5aa142705cb5a1ba84e

SHA256
de7d99d6b332aff52c942fdaa88148904220b3e0e2be8836a3ede43e703a4ca1

SHA512
09a7dd16d578e4f09dad57be48b6bff08379ac127ce2a488e3df7931b3c19353094a54d7dff8b887768eec6916e46aa7e8447a7b5fa55a6c50d210bcf17e856b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hcsy.exe

Filesize
183KB

MD5
b4f92a977d4d62d2c9bd6edf7e1b8099

SHA1
0b32c2cc4927caba4f2b8ddacf49d85597a8b297

SHA256
5e52dbfc9e28026b3612ef374905168f51848120dfe48666a32bc18197a66fb2

SHA512
1c2f962ef1211baa0f6a9cf136b5fb9afd2886c887cb49b0c90b89b11482d1d12894f599a552b4bdfe505a82c7e6b900c506a23058130a2c4e8f6a8e48fca793

Download Submit
C:\Users\Admin\AppData\Local\Temp\HsQs.exe

Filesize
1.8MB

MD5
95b042507983e45486c91a6508884f27

SHA1
06881a6e1a79dea068ac2e0a9ebd6c100a6cb929

SHA256
cab43928d93a8d4951a5b57f2bf149b53d92b507ad84c1e6355897a073ea7fe5

SHA512
bc689bb8d49c741aaa35f13cef5cd18eadba6b33435dbf244cf8c9bfe1e7dc5dde240e3d46fab79510aae02ba34579825affbf917d98b6dfef140cc6e98a76d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IEEa.exe

Filesize
927KB

MD5
e1d05620f514f9d993927b9cb60be20c

SHA1
20b86a13bef8951686689846052e61407744b2fd

SHA256
7552281071cd6a0bebeafefb8822e12c659ccc67b4354e2b56f3c0cf320b2bed

SHA512
c8c32a326579acdda064907f5d02b54b965c64f87dd650b606e49e21e7fc7f898cee1afc796b71b8335f2c069993215fd8361a7c979f358c22bb93551dd125c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IYYg.exe

Filesize
186KB

MD5
5fe435a3fb3c6d599e907e3d77841486

SHA1
fa2468e82b797b23b347d4f3561a144717fb8b8e

SHA256
a64afdc2886c191ad0b44f76447aedb969b8679c89bd6509232aff69dba94aa2

SHA512
76e5b9836b1b1139fc7b09f72ac57993ab62de39267343185d16f50a1cf654d9f66e09087ca0911e33a529f43f01665462f4883e1d76d67ec974db2100e5d4e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IsUa.exe

Filesize
206KB

MD5
b65cc99e7939390a6347c496a1b322c0

SHA1
9d135b61aefa524af7bb39b98f0341863600cf54

SHA256
47e3fec6d0e8a0d571d65b6e4b8dd68cf69883c7c220b42b51300daa8b3ca9c0

SHA512
ee50011c63591378d226bcc3983f56894cf0ade408ad48fcb9fc62e6e3cddcc0fb8f53c4ff633c66c71c2ae1501c5edb078ec818577dcd1c7109d7d382a14a6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\JkQG.exe

Filesize
634KB

MD5
a53d540cdbb6e5d23f2e5d2ebbf844e5

SHA1
17cf486035bb324c99a44e8a82647096ea3ba4da

SHA256
a3147afd2eb93c0227d5b1ae86fbcade66e6b478ef305a2c2995d705a98df745

SHA512
1f87ff27100c6ce2cce22b2b69ab5ec8b9df80dc2d5ff07220c475f4e178a08ee6563e018ec927b3d1b18f95a3bef5e70198565223e00e65ed206f67d16759e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\LEwS.exe

Filesize
203KB

MD5
7e9fa487ac6bdf47f30f6c6d975235d5

SHA1
a7307c345e959aa7f761624c689a97221417ae96

SHA256
0aa2e74f2f570e252d953d22b88422b6a60005e1b56095aba30d2ac4c3b3303b

SHA512
60d57de974ca3f0e3958aef1a16b947ceb862451ac6323d71dfed9b06f0ec85c9880bbbdb738edd353ffda9f3e85253850a723517156702c3854d2499e70c73e

Download Submit
C:\Users\Admin\AppData\Local\Temp\LgcG.exe

Filesize
202KB

MD5
3df72f1bdd6dfebebbd2703d69b71206

SHA1
a44f76f1613b71f9f846db9a4c7baa7357f61fea

SHA256
0b064968cb7e7860ca71f4648c77f729f12ddcbeec42ec5c77e59deb99e758e6

SHA512
cffc8f60557368ba73a7a027f9c766e825bfd01d2e4d4ae85f07b655c1cfd5cb21701519162d15a899f430d75d66e4e05a3fdd36d66d5ae7a0d1ed81702cc478

Download Submit
C:\Users\Admin\AppData\Local\Temp\LkUU.exe

Filesize
189KB

MD5
a14854b0a8d7f1af39d29e6f61b2f1b5

SHA1
b4e9d1bdaff403f9b50af0eb04baf565e76a1f57

SHA256
e62a8590cc61652eeeb8ba44ad993e219eef96812b736a3add261c459cb29268

SHA512
b50559af758ce7da15f9eae836fdd9da7b2035b095a4120d447ed4cfc5c2506a0be6199be75607f04765305b4db3fbfeea22fbd165ff6aa0499e8c808e551892

Download Submit
C:\Users\Admin\AppData\Local\Temp\MUck.exe

Filesize
332KB

MD5
bbe6b84b16878287533066db14929a8a

SHA1
ec694ac5e641cd2818730da48bf1c7d4230e5ad1

SHA256
e710f4c897bb31a2fa498195411ed89b7aef8ac6c616ecc01386fc45242f7854

SHA512
63bc554d4e1440a3a605ef18f9f64357a7e9bcfd8a919ef78c6f137b02702c8df169e3d23ba61ce7c28d10ff620bb5bafce8ca0533dfd5982e6d0ab4a5cde376

Download Submit
C:\Users\Admin\AppData\Local\Temp\PMwo.exe

Filesize
206KB

MD5
a4e2202307ce8b8facdce1f0c2fd7c8e

SHA1
283d2e7c1d6cda5fbed24fed13ff8210af519d7a

SHA256
f13f1bf056448adf2e2433e4ee9aa33b57ad78752eeb428e85619f47abf7ab2a

SHA512
1410df22f85484b0353a9d417a141e5e4ee019286d9f06a4fb1eb641409f103d578da04d326eb743880a1e2f2c1dc286e9170eebb8a248cfc6a3ba485761b7f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\PUEu.exe

Filesize
205KB

MD5
5f0c0ea25b2e4309cfc126a3ad7337aa

SHA1
e93972565bfdfd580fda99932826ae782a31b87e

SHA256
9b4c20a6d9a6ce26bcf02e84dccfad10b7163cabd1ce7c80ff5bd3c391c1dd43

SHA512
6c8df2cea453abb981b61cce83bafa35b3d28eab177c593cf76bdaee82b7d3e84bc578461858912332e276ff1c845ed8031fa71e400dafe919d4b9180c7e60b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\PwYS.exe

Filesize
196KB

MD5
b0eea7a397afce176c28351a59a9450e

SHA1
f73594f8d4d2e0bfc2df951b6466971a555080f4

SHA256
44e3a1160120b93801d0a813612627207c8f56a80d7654cd61a27cd1eeb5e8b7

SHA512
cfee1ca1749e77a15268686d209ca2fe91babfc6563be2c663f337173c1b31fe81d8a817d7e4d72aafe7309db751cfb7f7e8ec67148a568f3c4589a57db768fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\QsYk.exe

Filesize
424KB

MD5
94e0266e8b5658863dfabd106efff010

SHA1
54bac77b4aeb34319569d4cd3cbd038d7f82c332

SHA256
d785dfa1861a90723e026a145d64751d4f50b04fa6a64811b2a4d06f8889b235

SHA512
1eda16c2adbb9994375e73872733d0235bd0836cad7d50614bc6e39a98cdb19de976daaad8ed9ce7bd4f25eef968ad8850d92828f90e71e92a54659e423dc249

Download Submit
C:\Users\Admin\AppData\Local\Temp\REsO.exe

Filesize
196KB

MD5
294c686d7780d0cddda66b3e786bdc69

SHA1
d46b5807fa2f4a574e104ef13359453d9e5a7533

SHA256
cbad156843e1795d3de495d9c2de0922add59e3b25decb45f96bae9cc4d002a8

SHA512
2bc84f0bbf2ff3d036f845dcb09b60e80e80a2083c496aac162fb0a012a76f935226d70c923cf6a76306e0a1324994ab88956fac35742f4fcaf279b0344e7630

Download Submit
C:\Users\Admin\AppData\Local\Temp\RIQS.exe

Filesize
782KB

MD5
5bce861f6e1ba23a01feebd6313e45da

SHA1
1dfd902a6c306f043186536cf4a6b6658ac2a1b7

SHA256
964785c3b6bd7dbbb504f9ddc13981f72313f28c62e0278cecb7ac6331340cdc

SHA512
045c56d0a8522251d9186d46418cc42be42ab9647b9a652320d9a7b8cc849f86f46b24e145fc9473eb89171b94ac0a2a828d7a9b31f18c6820a3dc9ab2d12a31

Download Submit
C:\Users\Admin\AppData\Local\Temp\RkUW.exe

Filesize
623KB

MD5
b808d62a17bc01568214257ff0b42402

SHA1
63ce179cdb472ae843835941c274ded4dfcfa72e

SHA256
f735e7dce7a0b00786f143f836e37f76d8b86c33f019cd56c656f34737dfb0e5

SHA512
a54772713f091253a4c5432f63e48f6653bccc2583f55c52653ed6c9736a9ffdbb515c431686a93e74be4ec925a75b0ccd42af24ed581adce20b59311081f333

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rkow.exe

Filesize
312KB

MD5
a7d3c411976265bd1602ac5e61f29a9e

SHA1
15fe9d759c74c2628fdf8efabd5d45e6612e938a

SHA256
29f99f88b7b984d5a923622bca21bda78b339eae9233e56e28f1f81c9a49b3a4

SHA512
d34799ebc26becca403b82618bfabe1ad1bf1d29b7df75eeaca0d859876e231238cb518d84a0ea16364087e48ecf70b5a630a72c09f28ce7244cfafb1a455590

Download Submit
C:\Users\Admin\AppData\Local\Temp\SUAK.exe

Filesize
204KB

MD5
ab861fc891fbbf3230c9c12bc6365c5a

SHA1
d461c81b0b1d469aea13b1a962bd1deaaf6e61e9

SHA256
92a9738138c999a93e489ef6284a559fe2d32662be4e9a5558929b3ceb9b257a

SHA512
8d2ddcbc84bf7c1b48a74666f85b0c9d0bfa82469605a3c2ee2706df1ced61808ae4f58c2e3d11f2fb1ff2e55e73eca1e685fbb4ec7b0153ef703155861d512c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TYoo.exe

Filesize
1.2MB

MD5
95b745038a188a8d6d8559e0c9a042d6

SHA1
1c61e1e7add04c5bdaacc17fc2d97497f6ec3e69

SHA256
120b24210dfaa604a431c2e2638ee2dd06b1be43b4a7ead6d90a62047f8cd7b0

SHA512
a617bc3851c951b51f04940fcbcb9ad4c4290670851d716bbfdf4aee9040b2bd24784f1400fffaab0602d8cdf169194de401142503b475e22b98918abf791817

Download Submit
C:\Users\Admin\AppData\Local\Temp\VkcC.exe

Filesize
216KB

MD5
950bc4468a16752c9ee806eddb4aca4b

SHA1
78ae07488b6bfb687cb8f6a60e1d35a75a295204

SHA256
46405df6bf224323e70f3986da6bb82d17c636a694932523bf94fd53180ef0fe

SHA512
51ff5d239e1ca0280a25f012f083983d4feb821daff9259e036342ad2b42b9ac632341b7c5da449c9df49f927a765fe6344ebe3219b51bc5a4a34027092eb6ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\WEYi.exe

Filesize
182KB

MD5
6dd357bfbb223eefe3dff98046aac57a

SHA1
11cf054028443a42bae8b7a7e206781e55a56152

SHA256
a555dc0223a9613865e03597c1a44f61b6aac87eb123db033f5cab5b48e7c5f4

SHA512
e83ede773fbbb0a83099e2f4882fd59f46383d7c97dca9f32fd851e0c69799b96dcd29755d363ab909c1101c6a843258f5540bfe252908af9208e17462164df6

Download Submit
C:\Users\Admin\AppData\Local\Temp\WMcA.exe

Filesize
209KB

MD5
54608d5d4ace8f384263aa32afa87b6e

SHA1
f01f776a9bcdd997af34b384f6101b8ce5bee7fe

SHA256
6652476572f8b72c2951bfbb185de5596e4bfa5af18f059b8d209a2fd001e1aa

SHA512
0577430211d4f8817d0b024d4478fbede781a2e43fa35a8ac5e18041de9ddad7b82cf1d0baf99ef9b9a3b1cd00bd0b9e0033d5591dcc0b79e239d999262b7b65

Download Submit
C:\Users\Admin\AppData\Local\Temp\WUoC.exe

Filesize
221KB

MD5
1ccff96648e5a79c34944e71edfb99a2

SHA1
7a9322aac3454c1099010c764ac340bb44e93572

SHA256
5711243c573c3f3506829b9391e681f5155e9138eb234caf80da496cb167f75a

SHA512
9e7e9c7ca6c07c6562a8c38c40485b1bc562ee4e3bed6961c81e6c27b7482fbeae40b98338abd39c6c4616b928ecc51dea2fa1415aea772d1b188c90de6e1a4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XsYS.exe

Filesize
185KB

MD5
66d75ffda4ee57dbedaf4bd120e0a5d9

SHA1
e898449650da695ecc773bfa4cfb99a607b3775b

SHA256
52a3ff789e20ac7a94da295e6267767e4290ef6e1eb6847c34520573efa450b8

SHA512
178bbf99251df24bc55ed893087a149121ee54a418a0ebad682c4530e4e9be61584d7ac46ef514d43b1e6ab2afebe9e80c12d69c76edbd6a2301e7e09dd0f0f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\YQEE.exe

Filesize
205KB

MD5
05d483dc5f9c2c32ceb029db4a954f56

SHA1
e20333cb1265e9fcf6263157444a8600fb8c708d

SHA256
a58d6cef81dd1ef070e6a6404a56b924448bbe304514e0baa76c519223db1ac1

SHA512
1d6ee9614106a9a5bd0f397025179f86388c0d35a31e0ef06cae27da4fdc6228d5afc7f44290758adaec89f801ea6cef68ba6d26ecb167e1b68c0eaaf53c8b2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\YgMk.exe

Filesize
817KB

MD5
9012673da9f0c261d8a2a0f2a5db962f

SHA1
b1106daaf21b22fb4d7048aa58179b61329f6088

SHA256
1decd4126af28c0d9f384c4d3cffcb5602a1d31b4be323d82ed7741326bae059

SHA512
d3948a998785d2b90b70cea41a5ab42480e0ea3a829dd252ae1bc50c1afea3b2d4cc8216c5f3c5cf2316a14bf745bd57e60d8d5d6647dd222bd1fa267d09ba61

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZMYs.exe

Filesize
196KB

MD5
3cd93b27010d7af5a3f5d60bcfde0a8d

SHA1
54112d29bddcdd8bcf6f17e6e47354cff1b8c301

SHA256
1b6c15fbeb270712e41961344613455bd8ff7becf84bbb0f791307d913b85286

SHA512
eba73f16d210c793cfbefcab2c527d8f8189ab006eb72f5d39e5be7d3629937cbdf837725af21ffdfa331b32e324b44fa30a66719b4606c4a6e32b5aca24b29c

Download Submit
C:\Users\Admin\AppData\Local\Temp\bIkI.exe

Filesize
211KB

MD5
fa56b0c8a4f6c5065528ca2e09e54720

SHA1
115e82d948b54211aa401931da41db1a66626b67

SHA256
b87424bc7dcc09c645d62a26dc54c16455c15280860f374bac0763ca80df8ffb

SHA512
c7dc58e9f5ab8b8d397f47aff30f3aaec78e8f86d12d94ad64472d37b5340cfbb86b1b89e4fdf0fdc34f36a7b0ba38e33006fcaffffe415a68c81871891fff24

Download Submit
C:\Users\Admin\AppData\Local\Temp\bMwk.exe

Filesize
204KB

MD5
66068f8059974ddce78e6c8a3b5e537c

SHA1
4b8d9be6d646dbbfd092eec867039bb2f1ce57ac

SHA256
edef843bd3f188365e22b1eec2fac20eae8db3a5c4d212111b1a64bdf8334756

SHA512
cd4f13727cab036f3167f253c47feca7c29d59b903d620676bb75af898965141fbaeb97a281c5e8d522f511af2f0040995d90e49e1c1bf69f986fd237fe96a1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\bYAw.exe

Filesize
202KB

MD5
df8f8d4c73ad2d8e6b89242a0720d002

SHA1
07bce3c15eaf47a882e1cc5a9b7b7e7cc1183270

SHA256
1b59c8db8baa538d8298584d766f815f56662b2b6119ce413ff1d3d828d8ed16

SHA512
58b6a3154a44986cc2c185e993f2f299f21d76ab4dc2bcc38d72a794c6b52fb9eb793d2a079a0bf809b1f62e3a19b40fe1c4f11dadbb14f5e25b095d412d674d

Download Submit
C:\Users\Admin\AppData\Local\Temp\dMUQ.exe

Filesize
192KB

MD5
9124576d3d76d736785953dfe456052c

SHA1
8deca70dafbee26e0f86b4f29fdc245c0d411306

SHA256
4650dd1ac442a75e2b47e1df9642d1798f12947a7bc676c1dd924cd95f06f815

SHA512
e24663ead9e020b9536cbfdcb1554c1eb519ee0a1fceea9f625b09f58e864d9352516b657d03135c87c373c0249428b7d667840bd84d3339975452c97809dd2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\dgAQ.exe

Filesize
199KB

MD5
e7f75deea3646112cc8921ea87ee3f02

SHA1
017c2ef16670fb11a6c4e5866c6d0964699a35cd

SHA256
df3334572d457165e3f563e356b5affacaab7f97b2308f310c5a5224def2ec17

SHA512
ff5985e468e91bf29fbb276cebf3bc4cc98abed1f097116d0117b0b70d1a334fc4f426186671e0b9bd684b588b62abd45109e0debe05008a05240f22bd51b3da

Download Submit
C:\Users\Admin\AppData\Local\Temp\eAMw.exe

Filesize
189KB

MD5
de1e9f264ddec25ef7823290fe0ffc73

SHA1
3638f7e1183abb78e182a122f178adcfe8909344

SHA256
41f61dcc51c1d6ce9c888335862aff7b2dcddad7396f4caee8f786599407f30e

SHA512
093ac105ad7c250263f2d0704be090041102b24a7acb0e2b3fa495135dfec8b243c73b33889bca7e8172f65ca6241f814c9962256a031b96db6f789e72b70375

Download Submit
C:\Users\Admin\AppData\Local\Temp\eMcS.exe

Filesize
214KB

MD5
e1380649c63f0df083f96d934fd5dd18

SHA1
ef149d11f01c495264277e2d5c43ac71480576d5

SHA256
bccb0433f488bb609fa3ef27a889dfd172c14716b13f6dab36b92072b6be7282

SHA512
9e2b392168f59075bfeeb843125200eb3f67d245f50c8afaa96351699c13889fb3d61432d91529954875ab9cd66cf3788c3a593286400d5d5213fbedab7bd677

Download Submit
C:\Users\Admin\AppData\Local\Temp\ekcA.exe

Filesize
448KB

MD5
3fe1a34d6edc0f99ef444e0c76be93ab

SHA1
a64343890452d686f6c52d4514ef41db5459c071

SHA256
c9740213fefaeb44c14fed0fd32cceaa1e0143f80cd6b7bafd455bc7e8017bf8

SHA512
19c7083617bee613e8a4a227b6177f3add61cab19d543cf401b251dd68caf8771ff5f0a2fc4981b368d7dc011ffed44e3455bfa82458ad42d123ff47257d1ac9

Download Submit
C:\Users\Admin\AppData\Local\Temp\eska.exe

Filesize
805KB

MD5
84fc4ed9f70dbab35ddaa375d3beb290

SHA1
dc9cb9285cb90a4ba3f59bac88326042447667e5

SHA256
fc810385cdafa2d510337b99e852623c612b67aede0981d794b4c4730a683636

SHA512
e0af6bd8823b7223b99409f48fdbb0de6d95473bec049396860fc9316531216176ad2599cf67af016f622dc7c8af766f65e990191a8d7540201a35a3104fa437

Download Submit
C:\Users\Admin\AppData\Local\Temp\ewYE.exe

Filesize
925KB

MD5
45106e009410197c8df075addca03ef8

SHA1
c74f710794e25a14818b5a188179dd9d7b643918

SHA256
aa544becbcd78e31c547b52aa49a6ec570b615418d9aa901572517a8c7c96490

SHA512
5622577929e854102a18c28b719cd875e9ccb8bd0904562e3b7a2b712cd629fb0af173f6fa389470a96b46d180a1751c0db1de3a90887f8b33e5700cae1b0d44

Download Submit
C:\Users\Admin\AppData\Local\Temp\fEUc.exe

Filesize
210KB

MD5
19cb5ffc79463d42677bd40394616ce3

SHA1
318e6ad9aa571f898cfd34b7db88a4c570178f15

SHA256
daa1a6c044d207e2a9fbaa361d03c0735e4577990071316cc72f81f2357320b8

SHA512
3a98f15cf67cdb15d6a0181a023776f94f824c60415ee371d19f1352646b7ff5135a34fb145213e0baa14b6f02f367dfad3c34dcf19eda37b1d1762cb5ad9fc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\fUsw.exe

Filesize
215KB

MD5
5e8e5a19a10e7915e29481c780fa6086

SHA1
7429a8fb37d3ef755cd3ce705317afb3c2cadd41

SHA256
7433072e0f78d68ec21c11098a0e33de977122cb627764913d761b7a6969c589

SHA512
90e4d02f3195776245b12757e3744b0f5695d4550c64597789ba147d9a5cde59266c50b3b01d481736598f709de9db1398643c2525a5435d657e175e0f25fada

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\hAsA.exe

Filesize
232KB

MD5
e365136a0a6ee36faf1e9221ec6e9870

SHA1
88d0b4e1750594cdf9012407695067f7809aac0f

SHA256
0722bcad7003ca37ee592122ca3b4b2d011de61306bdc506ec2a4903ba1d958e

SHA512
3fe36863e1b0ebcbeda0753b9613c41900eb8a31528dccd355f7993fd06c5932785d385bebd80593162466895c3f066877e308a1ffbbc9d3d6ad09ee9b2b841b

Download Submit
C:\Users\Admin\AppData\Local\Temp\hYEK.exe

Filesize
1.7MB

MD5
22482aefc5a1ae4a791baee316b9b62b

SHA1
ba4bac993f3a4cd2033da2233d2068d2301f7c4f

SHA256
e401fb397afef5d9667a3f7088341f626601064fe9082a0e7fec35d13e72f21a

SHA512
5d4c2d827e2f9b5c36a90f3afd5c2aa06e4dc4c4956d52ca71e673bb3c70eabbb909def6df8fddf36576077bbf13f909922d72c82e9d818200ce3c33c0661380

Download Submit
C:\Users\Admin\AppData\Local\Temp\hgwO.exe

Filesize
641KB

MD5
8b5e6dcdd46331b81a8fe316185ffcea

SHA1
ed6e942ee6f3630de96aa5c455bedecdd3fcc4c6

SHA256
84eb650b809b3a37da844c92129b2c853db43fd6517678c8835ccebd99555cae

SHA512
f5dc169830571a99d92466f090f2e31e115064d886b58db3429d692496006053675994bf73dc058ae4fae373cd4559247226fa8f34733db325f72fd8e597b974

Download Submit
C:\Users\Admin\AppData\Local\Temp\iYYg.exe

Filesize
216KB

MD5
6aac26d6f4899a1152dfe7828be614b0

SHA1
7960a12eb8799579a527e1a401ed6063da746311

SHA256
4748114d7b9e00418454ff0f4ad270fa68882a73daa1270d4dd8c6327f362203

SHA512
fe7dddf408698ffff456349aeaf2f588f5911d475758692c6ffeb2bd9a8a35a2f46b63e6256936fb3e4d1fa3f255294fd23f74c926df8add29bc70e058719b9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\icoO.exe

Filesize
208KB

MD5
61457b55e2451f4ae35e19696c5888f6

SHA1
0d95fe7f5fe5411a62ec3c24bdf8b804f1950a99

SHA256
fff0904c18ae19234e514482ba73fc7089fed423e10e7c0090ebc399101ab2ed

SHA512
07c4d44432cf43f5fa3a023d04805a1a1d9ae17c0c9b61663d24a8073aaa1be48f5a4fc8ce6f8ecbf680a718258195a3c93301077e446c82c86640ab1bf31992

Download Submit
C:\Users\Admin\AppData\Local\Temp\jIcu.exe

Filesize
201KB

MD5
bd7dede6df0e19d80a2e12baa35604c1

SHA1
8fdfc343ea4a737377dc0c686c1fb67c392a4fe3

SHA256
cc033264c88f472def162c118e464ac9ab33b6a4b8fa3288417f5885cd2f2456

SHA512
a4d38a9efda25f009c6901399a2929a63c1cf0782eb5f3e524bd93336839e3da79530bb499361aa9883f065bd544b79fd9611543ee57bb8398b7d8e31ef8be1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jgUE.exe

Filesize
811KB

MD5
c62c402df18404273b8d801dfea668f7

SHA1
a4dd2605b593b97e9960455460f1524523423e34

SHA256
e0e0264eb91aab0cc6826be93a360892f1f7e84f053c7cbd35a083d6574ae786

SHA512
1b352e59d9bd487f800d93d269704217963b1ec35fae6bc3aa2b85d6a835e5f94ecdd4be73779a0697b1c838ca62a4a726de2bbc792dcac301bd1614f8b060b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\jkIe.exe

Filesize
200KB

MD5
bbf09f649b6e7871a30cedc277e4b372

SHA1
dd9b265f0cca020d8c7c744b0b84f1babf5eeebd

SHA256
99a2197424f8addeb86210236db7c8416ebda07bf0ff91f6691d575e2beb8607

SHA512
cf7f8e83700e832718aa2b04ab0f76bb6a25c678dafb38147cffe97eef1dd956ce0e4b7e5f5342d4ca9b07aa4f9e2c274ed115bf031ce040afc336ec251b41ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\joUe.exe

Filesize
186KB

MD5
54368628e39a30b54f3c1cf60c75580f

SHA1
412597f6a4c0536c260a07f6740d034a9a21f297

SHA256
70f30345524153fc0f89f0b65473339d88c41f75433212aa023b23294312eaab

SHA512
8987bd1cc4b7fd97435bd285c0457716b711222b2557a70ae8220cbaf114fc83a6065acfc0bd4adcb30d0c2b6dd30988105d56e73a212185047ed1c7335d1a47

Download Submit
C:\Users\Admin\AppData\Local\Temp\jwEQ.exe

Filesize
204KB

MD5
26daad8cf00efe5e6e63f890a5caff25

SHA1
08f83042addaf8952dd3ef9b3f73e63f73865c8c

SHA256
d8a28259198e8572c3ced2772fecf6c1aea99c5dc4f7b461ce0b4e8225459188

SHA512
e2ed16aae65007784337170b9b1ec99ef27814202f44a4145ddc2d75799b0709cff948b52c670f6d578a9f9127bc85af6c26827bf1f1a6c36abe383887437d25

Download Submit
C:\Users\Admin\AppData\Local\Temp\jwIa.exe

Filesize
187KB

MD5
4d5d67820c5d3b4618a4d3d14cbf1626

SHA1
3a7067be05a023c02dc6faee9a009528c82ee7ed

SHA256
5143e179df86bb487fff0ccc055614619bd171e5a6334f7b3a93aea168c10577

SHA512
aa33f58a8b59595c6f52c63899153c89d641fece9964c774db9be0c0c82b87c8cbf9b8ef11b53fa3b3421bc1affb405918a2e831c76982f065b2dd999c54ce8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\kIoG.exe

Filesize
216KB

MD5
ab699bd5fa6d461906e0b518f72a8455

SHA1
100c857f179222a35ffe7c7a17797fb0177f5c1b

SHA256
edebcb30c971db6e601e37d692a18350101e9a4a338458d8316acdf558d8fa39

SHA512
68c85dcac88f30de427b14aca307aa84a8e6f3bd7a29c24c19775fd93746105f927d532644cb3b8ea0adc1d0b61cf7f83e9a47aa8896e18fd947ada9943c1c6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\kccO.exe

Filesize
563KB

MD5
88fd57d24b90b532047748dfa42c38ce

SHA1
98c52969e8a09630400459732890620be4d3a91a

SHA256
4dfdd34ad849750f9ccca1d591c97de6b74c5607ffa34df14cd569629b953b6c

SHA512
3a23067d22e66170b3b5afd4d8caff0ed33045016bee6872fae55568d25ae36531821bb66e9050f03faa7d927bfc738e305a1c8f96fee20b655c29eca931cdc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\kcso.exe

Filesize
197KB

MD5
b26b0ff51508d859de8d8375e91275d0

SHA1
b9e7bf4f658b3fb4758704d1524d7a762f7eeade

SHA256
e1bf786ffb7c8ae398413fbcaf931f16175d8c75657d7d798822e4b937fc78a5

SHA512
e6feecc052e7b141cd34ada54e8d1ba79a3ea702fe67dfa62e1c0a17a2ad07e6a49538b99a52da8d3eec6146ce7a35f8a6e08b80c56237530d09dae49c8662bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\kkEY.exe

Filesize
634KB

MD5
7a7bf9b54bdc1fb3325859768cc61f3b

SHA1
d8df0c921197bcae9ee503d17cc43e5abb6112bf

SHA256
12fd552e5029ccf6667b116350a5979306276d98f7eff4725bf202fa2cce06ce

SHA512
e28cbae50b63e58522b851d1d91740456cdfaecc0a7f7cd25c2e391dd007e22e23df1da964322f95a585011b5d0cff06014ac3116cc6c369bbdf4734e0cc9d02

Download Submit
C:\Users\Admin\AppData\Local\Temp\lQQo.exe

Filesize
187KB

MD5
d1c974f580fba097978ed25da2c17c3d

SHA1
acc095b1ba9866e64a48a473c2a029de485a0828

SHA256
67143bc4d2a4b609e2fba4b43cafba9154e8c6960e5e0bf12f58f4b891b0d6d9

SHA512
6740afb7635af6634d5b133746f7cbff28223fd7f4dc1690872491a36397983ac8e5ad98bbb84565472ad8c50e245f3ed7fd17e0836adeeaa1b00122289d96fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\mIgS.exe

Filesize
201KB

MD5
110b3c1665845d04e629fd5789b612f8

SHA1
10b000f78c3ed28c353bc6096b0aa20888db26cf

SHA256
37b4729b8ec919490b780a9bfc0916aca316f0e97ef7edd58e49494df265cbfe

SHA512
e4370cc4b673fecee6beaf953cd6cca38af3c0cf2c106f8bf18997826a949bda64a713be628f79a1b6b4649ab449c2ff65f149690fbdecdfe5d40f3fe0c03ed5

Download Submit
C:\Users\Admin\AppData\Local\Temp\mQIA.exe

Filesize
784KB

MD5
03a8b8e659f2470576b296e86e5a87cb

SHA1
a5ce2a40c1d1bb26aeb7e2b34bd8123fc14bcc9f

SHA256
bce9354baf2909f11deba8ab68ed13405ae5e5340fc021e763b6777303882ce9

SHA512
9683d2a9597af17d08a7653629d110ca49d6aa8e71243b72384409d3557adf3529b2e4caa34e446c4a152dcc04ef140ab1e03a2604c92dd33d3dcc39a1930cd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\mgMu.exe

Filesize
185KB

MD5
ff6eed12ecdd8644c9ce2f236349f40f

SHA1
58ad71ba7a545c56476c41595270e1d323208eb3

SHA256
9286e7fb7682fe8d01c0710d16f1e3f47a16664b1ac5d2cc4be6faee3b81f615

SHA512
944177c04b83f35203e981d3d32961adf70a4c6bed56867d0cfd944cb73695bc8096924136cbfcdcad5e20cfb647a40c1b8a71b5c1eaa0f7da5c5517c177309d

Download Submit
C:\Users\Admin\AppData\Local\Temp\moEW.exe

Filesize
200KB

MD5
5efcd40b5570d9a796f1114251981f01

SHA1
afacf6e4f591c9596f1aa336477658032e995a24

SHA256
8d5adefa845994b6fa0aa9db7b6169da7c0778ed9acac72c9c209063ef037400

SHA512
16ccd34b7aa2255ffbf5d5a1fbddde3e66fc11df18ac6f68d7fedb844ef568310015151d90569d7229a169438bc8af825b09b38df4be2f5dc2df4c64a32e2cd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nkQo.exe

Filesize
194KB

MD5
3e3fa5f36e61a4a70f63f1c8541de4c3

SHA1
6a73d85ac4117c8bafeb3987a13bdcf9678c3fac

SHA256
18aa86666375d98c28d36339baafab05b204726ff586eeab98a7f957ac46da88

SHA512
89a546ef06aae78b989d6e1ebdb398b3737574ce7cd11f67dd811b451d43c61a958b3336b6ca4d572ce7ccd244a35566d08ba4581b988091b032203a969d4617

Download Submit
C:\Users\Admin\AppData\Local\Temp\oAkE.ico

Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\oUUYwMoc.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\ocgY.exe

Filesize
193KB

MD5
efb1d5c770fbc4a8c15c97fc4611960b

SHA1
f2c7a2cba94c0ea73b447ce2e24fdde07d892a9b

SHA256
1295791327aea00cc798ba4d86d8d6913012f63f3f61281ffcec8386d03292ef

SHA512
f1d8750378e59fd4c78057a16a0924f7bf8032714e5afb7d0fe05eecd6ad2d55703bd4d4b952046a2ee778dd56db1a81c7b3a0cde25b2de47a7a4e24865d6ccb

Download Submit
C:\Users\Admin\AppData\Local\Temp\owoo.ico

Filesize
4KB

MD5
ace522945d3d0ff3b6d96abef56e1427

SHA1
d71140c9657fd1b0d6e4ab8484b6cfe544616201

SHA256
daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd

SHA512
8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e

Download Submit
C:\Users\Admin\AppData\Local\Temp\pQEm.exe

Filesize
187KB

MD5
903f6ea31a9ac47419ccead1b59440b9

SHA1
29dc182598b67821243086e7d91d936cfcfa1eff

SHA256
7547f695333893c095c763e075ca978b82ca04df6f11d336b019a09f0d4712ba

SHA512
640de72b4ca4f6c450744c84650d121f0cde4459931b211df89d34eaf642fbad44b63934e52a1776ffc14a24380f75d2f7fc14e4d61c14f2ab30762730d9634f

Download Submit
C:\Users\Admin\AppData\Local\Temp\pcYw.exe

Filesize
632KB

MD5
aa8a8d72210d984b346d004f0ef1c6d0

SHA1
3070c44fe0866bab4615a1aec7f9fbf0e027ca39

SHA256
773f258d4e749738c1fa40ab0096d9e2c8ccaff1f6e9f95bd65fa3775389d22e

SHA512
77d5a5818703c9a97bb2f947422d1a24104b282d8bff0f205c46565de1c75d2ab5ad7f3fbd9142973173be3b16f0a4e0d445b32fa7ef07cb4731f1979944360b

Download Submit
C:\Users\Admin\AppData\Local\Temp\pwAa.exe

Filesize
193KB

MD5
3aed3fc27609bec3f8740aad1874a476

SHA1
7ab9ec9f21f180d8397ea44f2e9ce30b0bc3c115

SHA256
ac701bc7e9fc104882a59a1f209d044845902ea5ba19c980aeb01a89f202d901

SHA512
a2e67202a29e9c9148e04cae0606e7bbd46fc04af4fd0c2c0d72a8566d044aa5f7c4ee5f096d2587e318b121cc4b369f9db90e407b2910f1a47eda6bb0dd64fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\qQMU.exe

Filesize
198KB

MD5
0a88d0430985e5f45352619df55ec5d6

SHA1
35d5141d5cdbe8e1a59fb1089f41119539743a20

SHA256
fc07eff56a378fd266c9189261e8aa77f0cb20eace91006da62fd595047b7cd7

SHA512
fe970b9addedc5f4958641ccdc6822078d0dca95622dd27aa33ac3434488fc3555f1ed6dcb9a4e650f0eee62cf9c0d06b4d67410f9789631881bf343ce04c487

Download Submit
C:\Users\Admin\AppData\Local\Temp\qkIA.exe

Filesize
197KB

MD5
62b852b82c2c420bdd5b54855477e469

SHA1
c49b249f8dd213fad63152c18ce0cdef24cd0a51

SHA256
292b8d7725ee10478bea06caceb5c477c42aa2d0a6ab9ab98b7c08080f7665ac

SHA512
0ee791080c88d2ada0dacb782727454bffe15fa35026ec6a3c9af2e3d2c5e9278930c0ede02f9d5e954cf38daab1a516a009d0a9ca8890c1330a4854f25306e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\qkkC.exe

Filesize
637KB

MD5
4af3f1a9093ea740bceb3fe4dcc25a6a

SHA1
b7d74f63c47cfedb254c7b8e45730901f9913abc

SHA256
d6ec238b29262a2f15129cbe5a3f35a3944953d5f70d3e2dc0e43578f3191d49

SHA512
8afbd7dabb34278b3662b7339d2d268c756e9af88c86f64dbe6926965a03c396316edf3fa4bf700dd5bfc57ba5ae67f661d837fec7719d0915def5f1819acdb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\qsMO.exe

Filesize
1.0MB

MD5
431a6e3554bae9d9c08ac409dff137e2

SHA1
48d02aa3561bd66c281803c3cbd3765adfc0b315

SHA256
60f19a7142754c7c47cc87362fa604e30cb5e83d5e887c5093879b9d1e954fb1

SHA512
879262954bb92cdf5a6b6775209f93b31edbb44fccb2def311e9e417abd784ddfba33cdf09ca59f6abfcd48ceab7b0aabfece28068de58ed3b45bb9c5c5f77c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\sAYk.exe

Filesize
310KB

MD5
14397ca661983e8087e0b555bb873345

SHA1
e547a5c6e609cb1a83d7288ec51e9983c2528bf5

SHA256
71c9d3312a6084ecfb28d37640315e1774fdac36916287f01437207822f539d7

SHA512
f5f010cf37731d4b71a7ae4a46b15fe17c11d2c9259892aeff5c7f321565d1e8ccc9606a6bd7874e660aab251617ba843bf76c81259db638bb4577850398f2cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\scQc.exe

Filesize
564KB

MD5
00989f0fa5d035fb8e1bf5658f21953f

SHA1
057958f09c024ceff80721d7055cc3903a831387

SHA256
b2722ea1bab28a9b48c9f4361a7f97fcca63189da0e0a0ec11f76c6e6da9e5e7

SHA512
e59550d6749fab34df0780ce3f51018ae1834707c2fce9128f16e9ba0f09710240f1196cb5957bb823ebc1fc27cb9ebebe5ace71b20bdc9e5c1535fe3c5c63e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tMwy.exe

Filesize
194KB

MD5
399395e7ca2c6b1b2679313b4e8c1f28

SHA1
9f99ecfaac98a9ea4fa0e3be081b226f40c448af

SHA256
97899fcf497764503120a985806d015d6554bcdd992beeeeb512098b0ea35bf6

SHA512
f1cdb629d71e0603f0eeccac92fa2f2e0598be710f039df0504c9682e38113a398640cdb2a7c35e75397b31cf6edf7cdcd31f2219dd1f7cf2cf852bd82c5cf7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\uAgg.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\uEsK.exe

Filesize
202KB

MD5
9f025403d0217f0f43958d263a21ee55

SHA1
ad444bf85c8a6051661ac66fcd258ef8d945c068

SHA256
f45cf7704cd03e0b31b199d55e0c9d3f68605fce8a5b455e55d941e4a0873381

SHA512
c9b7a36137e8f9b24ca18934b143e4c0e1ee3f528012b6929f8c40de956358c2551ec03a2a0902b08fcbed8c6781a174c89e7c497bd1813367adeac51b97da2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\uIQQ.exe

Filesize
232KB

MD5
83e6bd94bfef4d55cf1108e1eb14eb9a

SHA1
7531aff4f86c93e4874a6b20b631c13006a4bdd1

SHA256
f6720b175ae4cc69de6dd512bc210ceca115e5e0296dcdbde668797829f6de98

SHA512
e73adf938acdf4073c9d34c1a5ba5fa87b3d0a1c26f913b49d70c943e8d68ee0f6c835ff2131a33eebee93fa2a6939358439e49bd161b3848021688dd453b8ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\vgYO.exe

Filesize
188KB

MD5
879740361cf8ceab90ecfd3a8113e0ae

SHA1
738540663d75ed7fb39cb79dab64b19e8c4c7de5

SHA256
429a66e25ed2392ba539cd11fb582ef3721973019baf07d17fac699c9636cee3

SHA512
69ff49feab4296723b6307f2e73a7c7819f90dfd681cff40ce20d8b61c43f259da98f7424865b66a0f7db075205ccdff92e9b2c56cbf89e2d63260bf3eb3c844

Download Submit
C:\Users\Admin\AppData\Local\Temp\vwwc.exe

Filesize
183KB

MD5
2f49cd81ba23c18072e303663c521f30

SHA1
8c87777ae3ae06c5d0b00711d8c2180a186057d0

SHA256
d6fa9345ca852ff4323e20968fae1adaf889b1607fbc105831c813a8c2dc0b96

SHA512
f7512257458a651e1a34cc982e95a8a9db32cff45dabb55622e914c3eaefd7d409bae8bc68c2f4863e991139db619ed5167a5f2e47e15ae6b4f53839e1db80f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\wEsY.exe

Filesize
1.1MB

MD5
b6eee234a2e103985eed0d49c6d53b69

SHA1
67dc6fb584cce8c1c26e465cd16ea3bf3e9f7a30

SHA256
cfeceb68966f094e19e195eb175e152c19b78f922b55e46f2a6745ceb3003fae

SHA512
e6231cdde29b37b6c08da868be2b043658922f7f0f231e63d29a21d904e1792a1e95b15489c724c51036c53e12d754885a1c28843943e70ed7b81aa44fdce008

Download Submit
C:\Users\Admin\AppData\Local\Temp\wUEq.exe

Filesize
184KB

MD5
d58fab236bb88a4ba87c300ecb5f44b1

SHA1
ba212c3f53c4aa7f656f34d65b93ace1617838a2

SHA256
d4dbd98ab3fbd08a13a118cf4e4091ab1dbc9ec047a740cbb00688cfdb8ede7a

SHA512
96c56ee38405062edd09b08f0db7a6cfac3c37241a35ac94de5e8ca5806fdc37b58e79180cc4cc77c65c4c01c2708ecd0b27aaa9a7f4384d5fdc3ecbb68e5867

Download Submit
C:\Users\Admin\AppData\Local\Temp\wwwU.exe

Filesize
183KB

MD5
0a6f0101eecd82cb74a74be1331397a4

SHA1
03ea6dc5f1a4f4bf6b3b30b5792cc536b5b05351

SHA256
ce41c52665e857ffc1ead6ec77b58628ad9d2ede8eef47b2030b40671ac6c42b

SHA512
c6641aaffc2871b9b8e865750ee2145835fe090d05fa806b0efec0b321fb91500f4a0d2340dc49b7a4b97e56231d54eac0c56d684b6cd4eb081285878fc301a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\xAIy.exe

Filesize
187KB

MD5
982b1041742943e5602a7ce8ddc45dab

SHA1
5af74f83e2582bf1df0e2f11603d302b957725d2

SHA256
9b6c7f2671150adf58ae1a0098fdb788186a71f657df532303238ba8756c7b63

SHA512
c8c96ee6f922222276f0dadb26f30b291d482d78e6f30c88748ec3b1d06c6738f760b7e7a0b4797d0d62c21baba6536a542a5bdbed2bc25fdadc37e7780dbb89

Download Submit
C:\Users\Admin\AppData\Local\Temp\xEMS.exe

Filesize
196KB

MD5
cf80b922b89830209d0bb9259d7b3f8d

SHA1
be2f07c529cb5d61f808f8cdd39b0ca86b81ecf4

SHA256
1700759c5703247fed05bc8337aacdbc7be6673372de94d02406583f04d0aefc

SHA512
a3bdd288721eb94f4bd73bb7654f1d6ded369fc91ddf3ce2936f3202948fb44ef49ba0a09c4df824dbf5d9d22bf92407e23498f893be31601442c415aa66fa41

Download Submit
C:\Users\Admin\AppData\Local\Temp\yEQW.exe

Filesize
819KB

MD5
107b849cfeea6f830774be0f7d4edc21

SHA1
c63c50ed9fc3aa2ca408de40aca2bc2f3d8ac3f2

SHA256
eb9aeeb5d2944f33bdde57dee32ecc16b042a9fdf733aab5cade5edad35028fc

SHA512
c80497057e537edf5445b20cb1612d9b699ba9d8e470af61f9d7787696f09c3934a9eef8e00b8f7b1da9febf86059075e65a27aa8a15e6f8b8af400a5911c6ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\zUAO.exe

Filesize
208KB

MD5
1087b38a7196426b0aba123d100f6b3c

SHA1
b8fa90cd3328eef614a91cb7e297e8f4ba45c36e

SHA256
bbb3fb80bd4f010e689fa257a45e19ec6d60d73d4a4228cc589996ed9e517a4f

SHA512
f4519cf042c3578fc730b18567890803d82bc4bae1b265f53dd222d760f4a6487560e115cfa9603e3c35638ca48981c832780e01bce0db2e3187413988659340

Download Submit
C:\Users\Admin\AppData\Local\Temp\zgMq.exe

Filesize
196KB

MD5
c648c40b0d8bbbe4c72558c69439fbe5

SHA1
47886ab67d0fb17981dbfc34c66b21dc0239067a

SHA256
09c667154a521b5c221d0d6bb9c96950f060f171a15588bc3f3ec0176289adc5

SHA512
fadc3453e1399f71708a246208fc8a0c387ab590cf981d779ba0d266235f368496e06cd6f04c997f093a1674f9f268b96123260444b4e5ebb74fd2a0e19df41a

Download Submit
C:\Users\Admin\IuQcEkQs\mIcAkccY.exe

Filesize
195KB

MD5
7f2833362c564e13651e5c866c18e6b8

SHA1
6f4734b2dbd95f3d4f2df096bddc9c701148616f

SHA256
e03a06c26c568f317072148c72332d6d6cb2a7f965522d5bd68cf339a4f9aa1f

SHA512
09de1c3b51847f0e502b23808704086fe07be144ffe9a98e82ec3e4b98258a34ffb300ffb7a3a17ac6bd002d60c3c8fe530255e16416fc7609c14e01bbbf2dc7

Download Submit
C:\Users\Admin\IuQcEkQs\mIcAkccY.inf

Filesize
4B

MD5
1973fcaf1a8e4c4b1c244ede287ed5e4

SHA1
57b3984aa7388a90aecfe791d86dae559406eced

SHA256
cae17db791193b4f90fb4d472ada1682aa7ea68b7ff272a079b2f5ca99e392a7

SHA512
0202c1c8afeb5ec1096ff3b6bdfcd28ca11e0638bcb147fd779477e402b523b4029f23e030c5f13e3f5e1221b976b569a54d2ea051ba2b147bf00bb6e0ad0b73

Download Submit
memory/208-522-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/228-256-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/228-267-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/228-576-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/244-15-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/264-438-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/264-450-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/544-154-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/688-294-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/808-331-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/808-338-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/848-469-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/848-459-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/948-413-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/1324-367-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/1324-358-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/1480-505-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/1496-395-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/1496-388-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/1528-386-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/1644-243-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/1644-232-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/1744-524-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/1744-533-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/1880-203-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/1880-188-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/1884-359-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/1884-350-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/1968-272-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/1968-284-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/1980-605-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2028-321-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2028-311-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2452-119-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2452-108-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2476-339-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2476-349-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2484-559-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2664-302-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2672-276-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2672-263-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2676-458-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2724-31-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2752-167-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2752-179-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2912-378-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2912-310-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2912-368-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2916-585-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2916-595-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2920-192-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2944-572-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2944-584-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/3012-5-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3144-496-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/3196-130-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/3224-106-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/3224-487-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/3224-479-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/3364-142-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/3440-442-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/3440-433-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/3488-166-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/3488-157-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/3552-82-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/3552-71-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/3652-45-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/3652-56-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/4000-329-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/4056-255-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/4352-542-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/4352-70-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/4352-58-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/4352-550-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/4460-405-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/4512-470-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/4512-478-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/4516-33-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/4516-44-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/4556-568-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/4556-94-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/4556-83-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/4580-514-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/4580-506-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/4644-422-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/4644-432-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/4880-217-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/4880-231-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/4904-421-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/4976-215-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/4976-204-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/4988-541-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/5012-596-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/5012-604-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/5060-0-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/5060-19-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download