1a6eb2ce513a1c92f261ab533cf7075f4d7b0fb32ad032e343dd41544ff66b81

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08/10/2024, 22:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
Size

115KB
MD5

7128fe39c0f51169acbbf8f33881b06b
SHA1

709b19abc274a0f134f60561d8bfd64fca8f2ed5
SHA256

1a6eb2ce513a1c92f261ab533cf7075f4d7b0fb32ad032e343dd41544ff66b81
SHA512

98ba998f8c5aca823afe77ab04ab453cc56ab2cccb57afbf92f16407a5b47f3e1febe3aa8b9d0bc8eeca3cabbadee8ab6e18a6e383723d08cddc4cdf8f315379
SSDEEP

3072:tYJpW3Unj1DXLaEAOwJi02tmq0wT0Kjr6d:opsUnj1DNPwMmrwTBw

Score

10^/10

discovery evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (80) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	AiwwAMsY.exe

Executes dropped EXE 2 IoCs

pid	Process
1868	AiwwAMsY.exe
3752	bUMoYsQg.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AiwwAMsY.exe = "C:\\Users\\Admin\\BcYUwksU\\AiwwAMsY.exe"	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\bUMoYsQg.exe = "C:\\ProgramData\\mQowwksk\\bUMoYsQg.exe"	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AiwwAMsY.exe = "C:\\Users\\Admin\\BcYUwksU\\AiwwAMsY.exe"	AiwwAMsY.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\bUMoYsQg.exe = "C:\\ProgramData\\mQowwksk\\bUMoYsQg.exe"	bUMoYsQg.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\shell32.dll.exe	AiwwAMsY.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AiwwAMsY.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
1000	reg.exe
1432	reg.exe
2268	reg.exe
3140	reg.exe
2340	reg.exe
4848	reg.exe
2384	reg.exe
4468	reg.exe
1732	reg.exe
1688	reg.exe
2252	reg.exe
3404	reg.exe
1604	reg.exe
4304	reg.exe
2608	reg.exe
5112	reg.exe
656	reg.exe
1200	reg.exe
1572	reg.exe
2020	reg.exe
4008	reg.exe
1788	reg.exe
3036	reg.exe
3324	reg.exe
5104	reg.exe
2956	reg.exe
1200	reg.exe
2252	reg.exe
4020	reg.exe
3068	reg.exe
3652	reg.exe
4676	reg.exe
3656	reg.exe
3376	reg.exe
4752	reg.exe
3592	reg.exe
3656	reg.exe
4360	reg.exe
2576	reg.exe
1972	reg.exe
3456	reg.exe
3280	reg.exe
3204	reg.exe
5032	reg.exe
1508	reg.exe
1200	reg.exe
1204	reg.exe
1972	reg.exe
3516	reg.exe
1824	reg.exe
5072	reg.exe
4560	reg.exe
1172	reg.exe
2652	reg.exe
3676	reg.exe
2360	reg.exe
876	reg.exe
4208	reg.exe
756	reg.exe
2340	reg.exe
3688	reg.exe
4360	reg.exe
1608	reg.exe
4412	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
436	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
436	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
436	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
436	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
1248	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
1248	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
1248	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
1248	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
1224	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
1224	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
1224	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
1224	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
2296	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
2296	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
2296	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
2296	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
1736	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
1736	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
1736	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
1736	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
3056	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
3056	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
3056	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
3056	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
2944	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
2944	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
2944	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
2944	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
2476	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
2476	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
2476	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
2476	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
3516	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
3516	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
3516	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
3516	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
4452	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
4452	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
4452	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
4452	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
2976	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
2976	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
2976	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
2976	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
384	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
384	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
384	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
384	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
3572	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
3572	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
3572	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
3572	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
4088	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
4088	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
4088	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
4088	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
3960	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
3960	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
3960	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
3960	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
4156	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
4156	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
4156	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
4156	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1868	AiwwAMsY.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1868	AiwwAMsY.exe
1868	AiwwAMsY.exe
1868	AiwwAMsY.exe
1868	AiwwAMsY.exe
1868	AiwwAMsY.exe
1868	AiwwAMsY.exe
1868	AiwwAMsY.exe
1868	AiwwAMsY.exe
1868	AiwwAMsY.exe
1868	AiwwAMsY.exe
1868	AiwwAMsY.exe
1868	AiwwAMsY.exe
1868	AiwwAMsY.exe
1868	AiwwAMsY.exe
1868	AiwwAMsY.exe
1868	AiwwAMsY.exe
1868	AiwwAMsY.exe
1868	AiwwAMsY.exe
1868	AiwwAMsY.exe
1868	AiwwAMsY.exe
1868	AiwwAMsY.exe
1868	AiwwAMsY.exe
1868	AiwwAMsY.exe
1868	AiwwAMsY.exe
1868	AiwwAMsY.exe
1868	AiwwAMsY.exe
1868	AiwwAMsY.exe
1868	AiwwAMsY.exe
1868	AiwwAMsY.exe
1868	AiwwAMsY.exe
1868	AiwwAMsY.exe
1868	AiwwAMsY.exe
1868	AiwwAMsY.exe
1868	AiwwAMsY.exe
1868	AiwwAMsY.exe
1868	AiwwAMsY.exe
1868	AiwwAMsY.exe
1868	AiwwAMsY.exe
1868	AiwwAMsY.exe
1868	AiwwAMsY.exe
1868	AiwwAMsY.exe
1868	AiwwAMsY.exe
1868	AiwwAMsY.exe
1868	AiwwAMsY.exe
1868	AiwwAMsY.exe
1868	AiwwAMsY.exe
1868	AiwwAMsY.exe
1868	AiwwAMsY.exe
1868	AiwwAMsY.exe
1868	AiwwAMsY.exe
1868	AiwwAMsY.exe
1868	AiwwAMsY.exe
1868	AiwwAMsY.exe
1868	AiwwAMsY.exe
1868	AiwwAMsY.exe
1868	AiwwAMsY.exe
1868	AiwwAMsY.exe
1868	AiwwAMsY.exe
1868	AiwwAMsY.exe
1868	AiwwAMsY.exe
1868	AiwwAMsY.exe
1868	AiwwAMsY.exe
1868	AiwwAMsY.exe
1868	AiwwAMsY.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 436 wrote to memory of 1868	436	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe	86
PID 436 wrote to memory of 1868	436	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe	86
PID 436 wrote to memory of 1868	436	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe	86
PID 436 wrote to memory of 3752	436	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe	87
PID 436 wrote to memory of 3752	436	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe	87
PID 436 wrote to memory of 3752	436	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe	87
PID 436 wrote to memory of 4528	436	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe	88
PID 436 wrote to memory of 4528	436	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe	88
PID 436 wrote to memory of 4528	436	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe	88
PID 4528 wrote to memory of 1248	4528	cmd.exe	90
PID 4528 wrote to memory of 1248	4528	cmd.exe	90
PID 4528 wrote to memory of 1248	4528	cmd.exe	90
PID 436 wrote to memory of 2976	436	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe	91
PID 436 wrote to memory of 2976	436	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe	91
PID 436 wrote to memory of 2976	436	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe	91
PID 436 wrote to memory of 2616	436	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe	92
PID 436 wrote to memory of 2616	436	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe	92
PID 436 wrote to memory of 2616	436	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe	92
PID 436 wrote to memory of 3904	436	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe	93
PID 436 wrote to memory of 3904	436	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe	93
PID 436 wrote to memory of 3904	436	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe	93
PID 436 wrote to memory of 228	436	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe	94
PID 436 wrote to memory of 228	436	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe	94
PID 436 wrote to memory of 228	436	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe	94
PID 228 wrote to memory of 4668	228	cmd.exe	99
PID 228 wrote to memory of 4668	228	cmd.exe	99
PID 228 wrote to memory of 4668	228	cmd.exe	99
PID 1248 wrote to memory of 2368	1248	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe	100
PID 1248 wrote to memory of 2368	1248	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe	100
PID 1248 wrote to memory of 2368	1248	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe	100
PID 2368 wrote to memory of 1224	2368	cmd.exe	102
PID 2368 wrote to memory of 1224	2368	cmd.exe	102
PID 2368 wrote to memory of 1224	2368	cmd.exe	102
PID 1248 wrote to memory of 4020	1248	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe	103
PID 1248 wrote to memory of 4020	1248	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe	103
PID 1248 wrote to memory of 4020	1248	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe	103
PID 1248 wrote to memory of 2900	1248	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe	104
PID 1248 wrote to memory of 2900	1248	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe	104
PID 1248 wrote to memory of 2900	1248	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe	104
PID 1248 wrote to memory of 4428	1248	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe	105
PID 1248 wrote to memory of 4428	1248	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe	105
PID 1248 wrote to memory of 4428	1248	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe	105
PID 1248 wrote to memory of 4904	1248	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe	106
PID 1248 wrote to memory of 4904	1248	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe	106
PID 1248 wrote to memory of 4904	1248	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe	106
PID 4904 wrote to memory of 736	4904	cmd.exe	111
PID 4904 wrote to memory of 736	4904	cmd.exe	111
PID 4904 wrote to memory of 736	4904	cmd.exe	111
PID 1224 wrote to memory of 464	1224	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe	112
PID 1224 wrote to memory of 464	1224	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe	112
PID 1224 wrote to memory of 464	1224	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe	112
PID 464 wrote to memory of 2296	464	cmd.exe	114
PID 464 wrote to memory of 2296	464	cmd.exe	114
PID 464 wrote to memory of 2296	464	cmd.exe	114
PID 1224 wrote to memory of 3656	1224	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe	115
PID 1224 wrote to memory of 3656	1224	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe	115
PID 1224 wrote to memory of 3656	1224	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe	115
PID 1224 wrote to memory of 2268	1224	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe	116
PID 1224 wrote to memory of 2268	1224	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe	116
PID 1224 wrote to memory of 2268	1224	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe	116
PID 1224 wrote to memory of 1412	1224	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe	117
PID 1224 wrote to memory of 1412	1224	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe	117
PID 1224 wrote to memory of 1412	1224	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe	117
PID 1224 wrote to memory of 1580	1224	2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe	118

C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:436
- C:\Users\Admin\BcYUwksU\AiwwAMsY.exe
  "C:\Users\Admin\BcYUwksU\AiwwAMsY.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:1868
- C:\ProgramData\mQowwksk\bUMoYsQg.exe
  "C:\ProgramData\mQowwksk\bUMoYsQg.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:3752
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4528
- - C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
    C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1248
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2368
    - - C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1224
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:464
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        8⤵
        
        PID:1524
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        10⤵
        
        PID:844
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        12⤵
        
        PID:2216
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        14⤵
        
        PID:4020
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        16⤵
        
        PID:4612
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        18⤵
        
        PID:4124
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        19⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        20⤵
        
        PID:948
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        22⤵
        
        PID:1704
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        24⤵
        
        PID:1272
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        26⤵
        
        PID:3892
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        28⤵
        
        PID:4304
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        30⤵
        
        PID:2192
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        31⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        32⤵
        
        PID:4832
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        33⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        34⤵
        
        PID:2992
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        35⤵
        
        PID:4808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        36⤵
        
        PID:2840
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        37⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        38⤵
        
        PID:2468
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        39⤵
        
        PID:448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        40⤵
        
        PID:4524
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        41⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        42⤵
        
        PID:2828
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        43⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        44⤵
        
        PID:4040
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        45⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        46⤵
        
        PID:3456
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        47⤵
        System Location Discovery: System Language Discovery
        
        PID:704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        48⤵
        
        PID:2416
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        49⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        50⤵
        System Location Discovery: System Language Discovery
        
        PID:2856
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        51⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        52⤵
        
        PID:4904
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        53⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        54⤵
        
        PID:644
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        55⤵
        System Location Discovery: System Language Discovery
        
        PID:4540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        56⤵
        
        PID:2112
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        57⤵
        
        PID:4772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        58⤵
        
        PID:2892
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        59⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        60⤵
        
        PID:2576
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        61⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        62⤵
        
        PID:3832
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        63⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        64⤵
        
        PID:3508
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        65⤵
        
        PID:3864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        66⤵
        
        PID:1416
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        67⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        68⤵
        
        PID:4516
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        69⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        70⤵
        
        PID:2940
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        71⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        72⤵
        
        PID:3328
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        73⤵
        
        PID:3148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        74⤵
        
        PID:4308
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        75⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        76⤵
        
        PID:948
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        77⤵
        
        PID:592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        78⤵
        
        PID:1396
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        79⤵
        System Location Discovery: System Language Discovery
        
        PID:3056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        80⤵
        
        PID:1788
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        81⤵
        
        PID:856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        82⤵
        
        PID:2084
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        83⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        84⤵
        System Location Discovery: System Language Discovery
        
        PID:1524
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        85⤵
        
        PID:228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        86⤵
        
        PID:2288
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        87⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        88⤵
        System Location Discovery: System Language Discovery
        
        PID:5028
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        89⤵
        
        PID:924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        90⤵
        
        PID:1296
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        91⤵
        
        PID:3120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        92⤵
        
        PID:2564
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        93⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        94⤵
        
        PID:2932
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        95⤵
        
        PID:704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        96⤵
        
        PID:4528
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        97⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        98⤵
        
        PID:2316
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        99⤵
        System Location Discovery: System Language Discovery
        
        PID:3944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        100⤵
        
        PID:3744
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        101⤵
        System Location Discovery: System Language Discovery
        
        PID:3684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        102⤵
        System Location Discovery: System Language Discovery
        
        PID:1508
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        103⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        104⤵
        
        PID:4140
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        105⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        106⤵
        
        PID:2012
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        107⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        108⤵
        
        PID:4848
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        109⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        110⤵
        
        PID:2608
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        111⤵
        
        PID:3280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        112⤵
        
        PID:2468
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        113⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        114⤵
        
        PID:2564
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        115⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        116⤵
        
        PID:2348
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        117⤵
        
        PID:3480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        118⤵
        
        PID:4156
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        119⤵
        
        PID:3168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        120⤵
        
        PID:3556
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        121⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        122⤵
        
        PID:448
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        123⤵
        
        PID:384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        124⤵
        
        PID:3864
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        125⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        126⤵
        
        PID:3516
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        127⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        128⤵
        
        PID:692
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        129⤵
        System Location Discovery: System Language Discovery
        
        PID:1756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        130⤵
        
        PID:4084
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        131⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        132⤵
        System Location Discovery: System Language Discovery
        
        PID:1248
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        133⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        134⤵
        
        PID:2360
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        135⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        136⤵
        
        PID:2204
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        137⤵
        
        PID:3576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        138⤵
        
        PID:3896
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        139⤵
        
        PID:3684
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        139⤵
        
        PID:4020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        140⤵
        
        PID:2292
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        141⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        142⤵
        
        PID:3204
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        143⤵
        
        PID:1572
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        143⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        144⤵
        
        PID:4472
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        145⤵
        
        PID:1112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        146⤵
        
        PID:1576
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        147⤵
        
        PID:3516
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        147⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        148⤵
        
        PID:3932
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        149⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        150⤵
        
        PID:1584
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        151⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        152⤵
        
        PID:3580
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        153⤵
        
        PID:1944
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        153⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        154⤵
        
        PID:1576
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        155⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        156⤵
        
        PID:4020
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        157⤵
        
        PID:1000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        158⤵
        
        PID:264
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        159⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        160⤵
        
        PID:2340
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        161⤵
        
        PID:2268
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        161⤵
        System Location Discovery: System Language Discovery
        
        PID:1224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        162⤵
        
        PID:3456
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        163⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        164⤵
        
        PID:2980
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        165⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        166⤵
        
        PID:2664
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        167⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        168⤵
        
        PID:4832
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        169⤵
        
        PID:736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        170⤵
        
        PID:1572
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        171⤵
        
        PID:4956
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        171⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        172⤵
        
        PID:4836
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        173⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        174⤵
        
        PID:876
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        175⤵
        
        PID:3932
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        175⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        176⤵
        
        PID:3372
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        177⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        178⤵
        
        PID:2892
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        179⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        180⤵
        
        PID:4756
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        181⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        182⤵
        
        PID:4840
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        183⤵
        
        PID:3456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        184⤵
        
        PID:3240
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        185⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        186⤵
        
        PID:1936
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        187⤵
        
        PID:4020
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        187⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        188⤵
        
        PID:4112
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        189⤵
        
        PID:4324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        190⤵
        
        PID:1508
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        191⤵
        
        PID:1112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        192⤵
        
        PID:2144
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        193⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        194⤵
        
        PID:1224
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        195⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        196⤵
        System Location Discovery: System Language Discovery
        
        PID:2328
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        197⤵
        
        PID:4764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock"
        198⤵
        
        PID:1304
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        199⤵
        
        PID:4560
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock
        199⤵
        System Location Discovery: System Language Discovery
        
        PID:2020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        200⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        200⤵
        
        PID:4736
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        201⤵
        
        PID:3372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        200⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:2296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        198⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        198⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        198⤵
        UAC bypass
        
        PID:3056
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        199⤵
        
        PID:3480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oqAUoYMk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        198⤵
        
        PID:3556
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        199⤵
        
        PID:3856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        196⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        196⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        196⤵
        Modifies registry key
        
        PID:2608
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        197⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eWgIcoco.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        196⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        197⤵
        
        PID:3768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        194⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        194⤵
        Modifies registry key
        
        PID:756
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        195⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        194⤵
        UAC bypass
        
        PID:3508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vAYcsIcc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        194⤵
        System Location Discovery: System Language Discovery
        
        PID:3580
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        195⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        192⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        192⤵
        
        PID:3156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        192⤵
        UAC bypass
        Modifies registry key
        
        PID:1000
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        193⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JQwkMMck.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        192⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        193⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        190⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        190⤵
        
        PID:2088
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        191⤵
        
        PID:716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        190⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TkUkYscs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        190⤵
        
        PID:2556
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        191⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        191⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        188⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:5104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        188⤵
        
        PID:3480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        188⤵
        UAC bypass
        
        PID:3056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QaQEsEEE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        188⤵
        
        PID:3516
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        189⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        186⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        186⤵
        
        PID:3140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        186⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CkgcMUAg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        186⤵
        
        PID:3676
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        187⤵
        
        PID:792
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        187⤵
        
        PID:3880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        184⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        184⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        184⤵
        UAC bypass
        
        PID:3320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iAAEAUMs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        184⤵
        
        PID:4692
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        185⤵
        
        PID:1208
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        185⤵
        System Location Discovery: System Language Discovery
        
        PID:3036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        182⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        182⤵
        
        PID:1852
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        183⤵
        
        PID:3744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        182⤵
        UAC bypass
        
        PID:1108
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        183⤵
        
        PID:3384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YsAIAwMs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        182⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        183⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        180⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        180⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        180⤵
        Modifies registry key
        
        PID:2652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VmQckkwQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        180⤵
        
        PID:2904
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        181⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        181⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        178⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        178⤵
        Modifies registry key
        
        PID:1972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        178⤵
        
        PID:3768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZcEEMcoU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        178⤵
        
        PID:3604
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        179⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        179⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        176⤵
        Modifies visibility of file extensions in Explorer
        
        PID:792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        176⤵
        Modifies registry key
        
        PID:1200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        176⤵
        Modifies registry key
        
        PID:1172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LywoYwMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        176⤵
        
        PID:1116
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        177⤵
        
        PID:208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        174⤵
        
        PID:2256
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        175⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        174⤵
        
        PID:3320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        174⤵
        UAC bypass
        
        PID:2696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XCIsAUgk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        174⤵
        
        PID:3572
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        175⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        172⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        172⤵
        
        PID:3384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        172⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:3744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qOAMowME.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        172⤵
        
        PID:3156
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        173⤵
        System Location Discovery: System Language Discovery
        
        PID:4936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        170⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5028
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        171⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        170⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        170⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SukwAQoM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        170⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        171⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        168⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4752
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        169⤵
        
        PID:516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        168⤵
        
        PID:2012
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        169⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        168⤵
        UAC bypass
        
        PID:4508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CoMwIgcY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        168⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        169⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        166⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        166⤵
        Modifies registry key
        
        PID:1200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        166⤵
        UAC bypass
        
        PID:4080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xgQYYkAU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        166⤵
        
        PID:4412
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        167⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        167⤵
        System Location Discovery: System Language Discovery
        
        PID:1936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        164⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3140
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        165⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        164⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        164⤵
        UAC bypass
        
        PID:3904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dcEcEQYY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        164⤵
        
        PID:3232
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        165⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        162⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        162⤵
        
        PID:716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        162⤵
        
        PID:1696
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        163⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nyYoIkQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        162⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        163⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        160⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        160⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        160⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:516
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        161⤵
        
        PID:3204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JWQMQUcM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        160⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        161⤵
        
        PID:432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        158⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        158⤵
        
        PID:2824
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        159⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        158⤵
        UAC bypass
        
        PID:1208
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        159⤵
        
        PID:948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UuYMkwYg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        158⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        159⤵
        System Location Discovery: System Language Discovery
        
        PID:4612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        156⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3656
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        157⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        156⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:5032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        156⤵
        Modifies registry key
        
        PID:4848
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        157⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CWwwEwcY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        156⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        157⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        154⤵
        
        PID:4772
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        155⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        154⤵
        
        PID:3516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        154⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wKYwgUYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        154⤵
        
        PID:3384
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        155⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        155⤵
        System Location Discovery: System Language Discovery
        
        PID:592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        152⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:876
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        153⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        152⤵
        System Location Discovery: System Language Discovery
        
        PID:3052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        152⤵
        UAC bypass
        
        PID:756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\segMAsAM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        152⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        153⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        150⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        150⤵
        
        PID:3480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        150⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IcwksosY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        150⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        151⤵
        
        PID:1112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        148⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        148⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        148⤵
        UAC bypass
        
        PID:3576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FwMIIoMU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        148⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        149⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        146⤵
        
        PID:4764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        146⤵
        
        PID:792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        146⤵
        UAC bypass
        
        PID:3896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VwQwQccc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        146⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        147⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        144⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        144⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        144⤵
        
        PID:3280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jOUQkMQw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        144⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        145⤵
        
        PID:3796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        142⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        142⤵
        
        PID:948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        142⤵
        
        PID:704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wqAwYkIQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        142⤵
        
        PID:1188
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        143⤵
        
        PID:384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        140⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        140⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        140⤵
        
        PID:3584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WUMkEEww.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        140⤵
        System Location Discovery: System Language Discovery
        
        PID:4688
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        141⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        138⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        138⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        138⤵
        UAC bypass
        Modifies registry key
        
        PID:1824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wIkQcsQA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        138⤵
        
        PID:2608
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        139⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        139⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        136⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        136⤵
        
        PID:4756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        136⤵
        UAC bypass
        Modifies registry key
        
        PID:2340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rIcAAgQI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        136⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        137⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        134⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        134⤵
        
        PID:3796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        134⤵
        Modifies registry key
        
        PID:2268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vEIAMIow.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        134⤵
        System Location Discovery: System Language Discovery
        
        PID:2252
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        135⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        132⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        132⤵
        System Location Discovery: System Language Discovery
        
        PID:1404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        132⤵
        UAC bypass
        
        PID:3684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NWwMYUAM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        132⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        133⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:4360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:3648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eUoIEEgo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        130⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        131⤵
        
        PID:4772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        Modifies registry key
        
        PID:3324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        
        PID:3836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\umYEkAYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        128⤵
        
        PID:3500
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        129⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        UAC bypass
        
        PID:3576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MwkgQYYo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        126⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        Modifies registry key
        
        PID:2252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        UAC bypass
        
        PID:2924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AAowAEoA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        124⤵
        
        PID:4996
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        125⤵
        
        PID:3384
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        System Location Discovery: System Language Discovery
        
        PID:5116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        
        PID:3500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xgQsEEks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        122⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        
        PID:540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        UAC bypass
        
        PID:3848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hGwIQkok.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        120⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        System Location Discovery: System Language Discovery
        
        PID:1636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DAUYIMss.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        118⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:4412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        
        PID:384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DcgcAYYc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        116⤵
        
        PID:3384
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        
        PID:2956
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        115⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sUMkUwsA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        114⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        System Location Discovery: System Language Discovery
        
        PID:3656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        UAC bypass
        
        PID:2000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aaIMsoIQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        112⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        UAC bypass
        
        PID:3920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\syYMwcQk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        110⤵
        
        PID:4324
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        UAC bypass
        
        PID:1892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GoQMkQYo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        108⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        
        PID:4744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        UAC bypass
        
        PID:4996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LEggYAkE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        106⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        Modifies registry key
        
        PID:3280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        UAC bypass
        
        PID:1416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PkwsowYU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        104⤵
        
        PID:468
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        Modifies registry key
        
        PID:656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        UAC bypass
        
        PID:3112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hQwUYwoI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        102⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        
        PID:1204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qusQQAYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        100⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        UAC bypass
        
        PID:876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SYgAkwEo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        98⤵
        System Location Discovery: System Language Discovery
        
        PID:4840
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        
        PID:4100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IaIYsQIs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        96⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:4808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        Modifies registry key
        
        PID:2360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        
        PID:264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        
        PID:448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GmEMEQkw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        94⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        
        PID:3156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        UAC bypass
        Modifies registry key
        
        PID:1200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZcEYMckc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        92⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zkUEIkoc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        90⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:2892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PAcYQMIY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        88⤵
        
        PID:348
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        Modifies registry key
        
        PID:1572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        UAC bypass
        
        PID:1532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WoUAAUQA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        86⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        Modifies visibility of file extensions in Explorer
        
        PID:704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\moYYQIIc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        84⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:3796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        System Location Discovery: System Language Discovery
        
        PID:4916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        UAC bypass
        
        PID:656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kaUIoYwg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        82⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        Modifies registry key
        
        PID:3516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KQssEMEQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        80⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:3284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        
        PID:3904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nYksAQcs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        78⤵
        
        PID:4876
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HiQwUQEI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        76⤵
        System Location Discovery: System Language Discovery
        
        PID:744
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:3280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        Modifies registry key
        
        PID:3036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lSUkQYwc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        74⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        Modifies registry key
        
        PID:4360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        UAC bypass
        
        PID:1204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\doQUYsoI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        72⤵
        System Location Discovery: System Language Discovery
        
        PID:2680
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:3140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        System Location Discovery: System Language Discovery
        
        PID:3404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        UAC bypass
        
        PID:1296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UMIgkYEs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        70⤵
        
        PID:3684
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:3472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        Modifies registry key
        
        PID:3656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        System Location Discovery: System Language Discovery
        
        PID:4736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        System Location Discovery: System Language Discovery
        
        PID:1972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iEsUYEYo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        68⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        Modifies registry key
        
        PID:4560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        UAC bypass
        
        PID:4508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sikgkcQk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        66⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JaAEswsI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        64⤵
        
        PID:792
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        
        PID:3836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hyQkoIsU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        62⤵
        
        PID:656
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        
        PID:4020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        
        PID:432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XkAMwocA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        60⤵
        
        PID:3168
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        Modifies registry key
        
        PID:4304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        Modifies registry key
        
        PID:1432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pkQsUIwo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        58⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:3904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        UAC bypass
        
        PID:2000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QaAUcQME.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        56⤵
        
        PID:3372
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:3204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QwUsMooI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        54⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        Modifies registry key
        
        PID:1604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:3856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        UAC bypass
        
        PID:4764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YcMwkUkM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        52⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:3512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        
        PID:4528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        UAC bypass
        
        PID:3168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uSsckEIE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        50⤵
        
        PID:3480
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        System Location Discovery: System Language Discovery
        
        PID:4688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        UAC bypass
        
        PID:3048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pGQQkYQo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        48⤵
        System Location Discovery: System Language Discovery
        
        PID:4756
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        
        PID:884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        UAC bypass
        
        PID:4416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JWQEEIkI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        46⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        Modifies registry key
        
        PID:4468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        UAC bypass
        Modifies registry key
        
        PID:3652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qQAYAIgc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        44⤵
        System Location Discovery: System Language Discovery
        
        PID:1824
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:3284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:3556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        UAC bypass
        
        PID:3856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YuQYsMkI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        42⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:4528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YkEcAMMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        40⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        UAC bypass
        
        PID:1972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AGggAYkU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        38⤵
        System Location Discovery: System Language Discovery
        
        PID:4124
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        System Location Discovery: System Language Discovery
        
        PID:4308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        UAC bypass
        
        PID:4140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hAgwAgIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        36⤵
        
        PID:4772
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:3404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:2568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DoEIoAcU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        34⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        
        PID:3480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        Modifies registry key
        
        PID:2384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        UAC bypass
        Modifies registry key
        
        PID:5112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dkscwkUs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        32⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:4692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        
        PID:396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        UAC bypass
        
        PID:2316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xAEgYkgQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        30⤵
        
        PID:3324
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:4144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        
        PID:3880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        UAC bypass
        Modifies registry key
        
        PID:3592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CQEEsckM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        28⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        System Location Discovery: System Language Discovery
        
        PID:2000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        UAC bypass
        
        PID:2288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eOAMUEYo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        26⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        
        PID:3512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        
        PID:736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kMoUAsUc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        24⤵
        
        PID:4188
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        UAC bypass
        
        PID:2328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SKAksgco.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        22⤵
        
        PID:3684
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:3360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        UAC bypass
        
        PID:1644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fIYEsAYI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        20⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        Modifies registry key
        
        PID:4412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        UAC bypass
        
        PID:856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hQYcEMww.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        18⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:3456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:4676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        UAC bypass
        
        PID:3092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JsoUMUQE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        16⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:2288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        
        PID:4876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        
        PID:3636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GEEoAsQw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:4188
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        UAC bypass
        
        PID:1636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SCsEgMAc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        12⤵
        
        PID:3340
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        Modifies registry key
        
        PID:3456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QyEQAIcE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        10⤵
        
        PID:4756
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies registry key
        
        PID:3068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        Modifies registry key
        
        PID:5072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QCYokckU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        8⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:884
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3656
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:2268
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:1412
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fegQsAsI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
        6⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:1464
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      Modifies registry key
      PID:4020
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:2900
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:4428
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hWcsksQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4904
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:736
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:2976
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2616
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:3904
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xAYsEQkc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:228
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:4668

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:1112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.exe

Filesize
154KB

MD5
a28beab1f365c3d4c5b1f0d67029421f

SHA1
320bbec33312e04a31ca81ce99952ef6ffa50a22

SHA256
c157f42dac9c29ba8e722bc10ba3da6aa166509b9738b5f673cf04a81b0b1cfb

SHA512
103c4514e6b2f9979cbccd7b8f6bc9e89cf7982beeab605c9a449dc3befd5b22f947dfaab4abf9e77d5e978080554cb9d0ee563ebfab2bccc483cef15653bbe6

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\guest.png.exe

Filesize
116KB

MD5
b3c70663eb859beedbab58a91fff896c

SHA1
b2523d70fa04a880455955e460c4cdc7daa695fe

SHA256
c05dd391aed447f751234700cf71de5a02dc9017cafde5248f1d9eca316d8196

SHA512
924a4a32921e68701250e1bb72770a730ad898d1eb171af0debdcadb39337e64f56ecff4de80d2933514e031109932ab734655ce737d0a1fdf7b99202b5c67a2

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\user.png.exe

Filesize
116KB

MD5
faeafa8f9208bf426480a4561eb3221e

SHA1
206592874e94abf422566fa0f448c03d5e51072d

SHA256
b883b658e33233b706d0aec0eed2b2ed3e47222c0d19415017970b7a8c4697ab

SHA512
dbd4b475e5a43d069d749c1a036714f127b8fa94b816150f10179c8bd793745679864dc0b5e19ec11e65caf5b908d7991734be317896d86985e6c51543a6aec3

Download Submit
C:\ProgramData\mQowwksk\bUMoYsQg.exe

Filesize
109KB

MD5
32b5cc2fc8dbce32fffb163c134aed35

SHA1
d19e83318cf70c3e16b0120a73491f2fd9e35a7e

SHA256
bea74e3bfa49c96c41f5e2a6dd530e29e6097b8e97f278a110c8f435ada8c403

SHA512
cd956fd1b806644b080b46d0f5198a0fb77e8dd8abcf23187a1f34a004f77d41e6efe0971c45de02b8bb3514e8929da548332aded67f3884262de7fa97f3dc93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AutoPlayOptIn.gif.exe

Filesize
485KB

MD5
4f31978f0d5d52271bbf2aa3c65cf85c

SHA1
04ecdf556001aff06ab04c0337b24eff8ec299e8

SHA256
f6016f96c2c2d2e95e50d85600f59884b718fa0d6ce967ddab07845f995bb259

SHA512
631c177cc1690f688d2a7d1075519a819c3555dcf157ebb1abb630e991595cf55060d17f62366746a2244509d26326a25496a8637d0d1061a5a31594c194576e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\Warning.png.exe

Filesize
112KB

MD5
2f73fe515b5470ee273b51d6039026fe

SHA1
5e48bd0f1f2d8ad2383da2e4f06c1236aadcae6d

SHA256
324891d539e2977c8d97e95e483df5802bc43a991b76c38847784fb6040999d2

SHA512
a722b8562e099d67c5fcc440eab642ab04e89e6e400ce3db93e2e31102645022ba83b2176da6346494728681f55dbb9b9b3a2d3ea7184de2f1ad8a6352f42f2e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-100.png.exe

Filesize
113KB

MD5
77d108d72ea5a4456aa112197ef64a2e

SHA1
af746f5a823272b8874506a74d7c257fda11dd19

SHA256
ea077802615d4220bb66de1d5ebb3d48af103d2218fee89be5e68b96e45be1c9

SHA512
84e7b1bbbcb72d79338c41b9f6bde7326f3ff2111c17fd37a8ec3c07765fd9b54b7e6f0f2946911365cdb464d4751b20fca39e20905236a5da4c2fe21943efaa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-200.png.exe

Filesize
111KB

MD5
d841441a6880e413e9e007d0988fbc23

SHA1
6573aba26378a816e9675ea57d14f266f601f74b

SHA256
89964779a227177070e7f7f2efc18b9c41ff9a9ea4fe75f5b9de50c27beb309d

SHA512
63d159485c03713a74a3ff1f0c924a8e3c4778c11306ce72cd1eaa4fc2b5308d1ede7b19370624678aa7aa0dbe441347dfbeb39df9d33e9ee7d14104b141336c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-400.png.exe

Filesize
114KB

MD5
91beb905ef6d3a4c689fbdc89a2770f1

SHA1
9ddb567b611156a27d0b83d7518a5d43eb1c6db7

SHA256
69e044196f3946a4206190e6b1f5379932f47b764bbbf1897d8e61ee3018d47e

SHA512
419072aed07987a97d2eae26d56d315dba9155b4a4a192ec6cce4e9ac8c4da0a5911d1fea9030db6cadf85d9093eddcbbb9f76a46ac0f92b777f8c225e485386

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-400.png.exe

Filesize
112KB

MD5
5ecbea778c7395cf620cc26120824b6c

SHA1
de65f6af7f566c4207f22e13cc4aefedc1a964ba

SHA256
059cc13c7ce3a91866f4aa1534251569fe4d4ccdde1610c8e43e17a704ac9235

SHA512
233afa438a96c6be4ab894ff37b4c30c8a02b3324937736dced78c7efdd6e780fd2ffeffda59bdc1d9a4617fcb2395981135b72160588bf3f2d76c35a9deee38

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-10-08_7128fe39c0f51169acbbf8f33881b06b_virlock

Filesize
2KB

MD5
d03c01df855f607fb98fff6cdcb91753

SHA1
135c08a6682dd6c8a63cf3aa33c930536d239add

SHA256
a556ffcf221ddcc816a1b2ae8487ff10613f468118bbdb76ee3eca6695df4c4f

SHA512
66c8fa21c1f69e2cf838c408c8b975e797c4328b56988f8eb9a92cb3b9cced98363994be0b341cdc6385735a823b4638158558d44c7a6e671ae44c5eeb5088b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\AYwG.exe

Filesize
138KB

MD5
e3e14215af0b2b9522fc489e57fe5ed9

SHA1
0dd518e677387b8459caf0f1931f5028647cf193

SHA256
6f2bb72008eff529400144f9ab1c73ef6dfbbe27fb545353a164de7006263184

SHA512
36a5166ed557d3aa2a22f29c127e1b33d545964f594391117003fd349df1ecedcccaa2af649abc5fd348d1fdf33aa6c56b4a2abbbd12527765e1d302b8bbacde

Download Submit
C:\Users\Admin\AppData\Local\Temp\AcUm.exe

Filesize
114KB

MD5
dbac737dcca36a68bb825612f97e804e

SHA1
2bc64e232aed365d8a79fb2f0579d66cc4fb5407

SHA256
b66d020c706cf902eedbba3da22a3ce8d8f5aac8933a981fc85dce757da3dde3

SHA512
8d6eea96256760cbf2c0cb4d3a7b4863aa6d5eea044a0cd09b63b63c85e80497ea8b36810fbb4d0a7abef5284e20f999a461c492d5b891c05f260219abf0baa3

Download Submit
C:\Users\Admin\AppData\Local\Temp\AoIC.exe

Filesize
113KB

MD5
aefaf596c90dd8a9681a13aeb7410755

SHA1
6e4e25dffeabbf16f072881c51bd83fecda16347

SHA256
f9c7f83a8674f89774d48bf87146f44652dc0043a7afef0b91abd800f81b13f0

SHA512
1166ba924f4f7ea6b669b610c1ff3455ff59b3ecc44b583ad7efd968f005eac15627e2e26b71f29a235daead96c10d8922f65e50e69422007fea60150f6e4eb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\CAYI.exe

Filesize
362KB

MD5
f143e3adf89c07c43f2a74aaf6544624

SHA1
5a21ecdf55f6f3248d85b2ecee746df4421480ea

SHA256
48c75c950791d3a1dae8a494b1b98b98fd0bccd34ad076e42bb6022b57e8a207

SHA512
3ae20f5b8f69b5ccee065e4e9045797a248200bea00df615144b1650e045013e51cf02f4a5a111366c446e97c0de426ef6e208873304daa90996d92006247134

Download Submit
C:\Users\Admin\AppData\Local\Temp\CIos.exe

Filesize
122KB

MD5
e5c413ae65419dc72d28b51e4338e87a

SHA1
b55f14b3e62b10ef7ecfedfeb980d4fac7b8d2e8

SHA256
649e550f41bb3f723fc0994e9087779f23f3f543eb03107f06f63ec9fe96d390

SHA512
c3be6ffd01429a06c0d1691149426e9f7a8a4f6d0abd0c514b45b622163bf08c9a66f82213d8549e8142e5c75659f64b3ab02fd20312d16f7b76e2c05c61ed9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\CUAo.exe

Filesize
720KB

MD5
bdea4aaafefa228403183d83ea066107

SHA1
5c57d0f3b31a3f09e60bc5bbb16579ad261fbeab

SHA256
b358cd0f9e8461a31e33c25e9b7b0e5fa85c5685f2a828f3ec81ee67fc3e1128

SHA512
8e94872fcee1d7c8faeb20a5727cffb1e0804694db56a39c76567f2d185904a7f30c597ab863077868523ed50fcfa4dfd1140d484af4e3f7079bc01ccb425ca4

Download Submit
C:\Users\Admin\AppData\Local\Temp\EEUM.exe

Filesize
111KB

MD5
3460dd4cc79a85d582437fb57ff19cb6

SHA1
e66b2854a9216c1152c0ffb58c00cc4c88bddbd0

SHA256
0b1eaf6f805811a2cd67bf7e7c48fc15856fbae1946aeecad7db4627204671d0

SHA512
229c958909563fedd04866bd00c622c59bfb49f612102981dab6f5a4e57bf8be44b5f5978203e060bd5e2688fe86c6cc020da76a739dcea324ec47d530484dcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\EQwk.exe

Filesize
111KB

MD5
54bee4b4ca462e7a31cf8744ea1a0871

SHA1
5d5223eac02e248b44f8a497b39df9db7d82f332

SHA256
28728a2b460f8ad6a3df27c0cfb5b96cb41e53b4a17a211698456aee5ff0ba88

SHA512
37fab22c75c5253f8c47f45fc813a6de3a52a02f1cb79e9686b9c799b002c92698e096f276a8c255449f298db0f50fee5b60ae398a6f7c3b60714e297ee04a5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\EgYU.exe

Filesize
556KB

MD5
b76bb524af293f5cb0e4be9f68fa8297

SHA1
80dbdc71e00ed6f98c3d757bbd6515895cd0590d

SHA256
d23e2955edf0242fc01ee2b819d5224ece569d088b4981c47bc1c38388f5af3e

SHA512
4494d17e59608801ff95910520c441a580c896791c99b585b46263d4a3c0be0803fb62b1c11f3a689830beb88d2a278f511fac0444dbe6f67b72ff66a08d5f91

Download Submit
C:\Users\Admin\AppData\Local\Temp\EoEU.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\Eowg.exe

Filesize
637KB

MD5
45d62d1a52de9c7062635ae85d2da0e6

SHA1
c32f6b7e2c65f090ee2fc2578902e3389a59e854

SHA256
12a6b49ad72b7d86302581a52a22a4887143e3281dc4cef54354f7666fc10d46

SHA512
789082648cf27ff5a436045711b39c41fcfab5c6666385f4499df403f14cd651f3d0bd67e66be7934b323f4cd48636d6bf33813809d86492129f2198004f2292

Download Submit
C:\Users\Admin\AppData\Local\Temp\GkcI.exe

Filesize
119KB

MD5
32e1aeab52657538c550c0902044c20c

SHA1
5adc35651f6ac5e8e9b60a47540a460351af13e7

SHA256
17cffbe5a03ee21b443e07920638d491337a6cff467fe9d0ea0c18274503df98

SHA512
b66849256935d26003fdf3853e0931140a15580be331f729dbee8b943963c8d66e378813939ce2e971fc695bc71991a8cc5a26cdef1eb01a44cb779b5dd3d2f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\GwEK.exe

Filesize
721KB

MD5
0498de23d787c1e871626786e2b65606

SHA1
516658a2a7f779033db8e7f1972a2a46451fa6a1

SHA256
a261ac29f193140376423446191213c12b63f1f13be4eea28d6eacc8018132af

SHA512
f745dadbb24d44a1a6db25f1ae43eb7efe1526c09a9601f4844b6c33bff37719bf977c4c8ffa2d8772b404a6ad9a3dfdadfdefc899a8fe04d299ff679f101c63

Download Submit
C:\Users\Admin\AppData\Local\Temp\IMcw.exe

Filesize
126KB

MD5
f98977d9fc31453e9eb06fd5b3f52495

SHA1
527ea80abe8138557eba0f49e087ae0d19e0f161

SHA256
bbb5599c1a0605cf366718e686ecb4b2d67d86303bd3474f3128dc08c50f755c

SHA512
7c7b453c7f56e01e7b82f612bf4748a670ab43546058051d3abdad650bdd1fe5e5b844e7731288a3791b4d84c8b1b000ff7c95e75d2c81f6be3a647e4dc880bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IQAy.exe

Filesize
256KB

MD5
e43c662bbaf1a2073624a53782f17c37

SHA1
bad1aa7b2c5bc390999facb5e58643cc04b045ef

SHA256
aa39a25cf21418b0289f1615a6e7af715c4797883f8824df1943dd63856ce67a

SHA512
fece0c4d82c70dc9e933420b2bb481843c337f3109a7a34a876967ad2dd424e01f57a5d15bf29184aebbf7f16f14616662967d067ec68f79dd231ae7069c3036

Download Submit
C:\Users\Admin\AppData\Local\Temp\IsEC.exe

Filesize
5.8MB

MD5
9a5ea95c240ee56af1b9d0152b184a53

SHA1
bcc218599fbb2fbe9fd1c5d27dd8697c1e9fa5c8

SHA256
5341cf0989fd6b89a46bc41292f6201fa58d6b19869aadbe9af58576242394b5

SHA512
577bc89961983838dd2666cdcf1dc3a186020d2a3f0594a7cc2d8dcb77aace31b5e749bbf04e993d7d5d6eb823aaf109c286c63c2d6566dc3cc851ba67308faf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IsYw.exe

Filesize
393KB

MD5
fb5860b628274841d6d4e93d19b38b1a

SHA1
fc22098b16191e07c687081526f5d1b5dfb178ab

SHA256
9e8ab8162c38d29c61df7558e5225458f5c0bb060d8e1586ebb827b9515828e1

SHA512
67e340927ec36b6d8b9ca6bde667b26049f07c3cac1017230852ce292dcc01cf0c6f1a9479cc1b62c02cde38cdce3f314abaa240f635f4c45a01d30a0e456d96

Download Submit
C:\Users\Admin\AppData\Local\Temp\KAkM.ico

Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\AppData\Local\Temp\KcwG.exe

Filesize
564KB

MD5
d18633018a94df44ca4aa5550214fc7d

SHA1
0ea8d7bc6da1e384dce5d5799331cd36af91e73b

SHA256
9ba9d1c63c13f0824b53ea00f0a57d8174249a5c31107e1f27a07668187558ec

SHA512
50191418099d0fb191ab11ec62b8798113774ec3ba420b75fd9253f0f3c73df8a3eda00b37c5dca3d4ac4372bc1e00f8aefaf7fdd83c6dbecb21ac5228d9c57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MUES.exe

Filesize
111KB

MD5
6030cb72fe74798593b788f3604da09b

SHA1
400027e38883119c480cb69656c48e8b9ffe7c31

SHA256
f834c880b8bbfb5604f65e53022a2b9e26610cbc623ce54d71832258e0fc5ed2

SHA512
715afa6026a96f8a1563a25d2c04ec5c33088d576358505416ffde86d90fe4da2848e1f8500b4df50dedcb7b8883b413513571aecd6b0909d9f33e581181f490

Download Submit
C:\Users\Admin\AppData\Local\Temp\OQII.exe

Filesize
120KB

MD5
6dbdcd480838ca4d8fcbbee277817675

SHA1
176997c547d4ee9ccdd930319889f3030d3a9d0a

SHA256
79f89935d5e7ec1114c92821fbeedf17a36761dc37d71eccf5e38a1cf22ab427

SHA512
ea6e4f5f8f4dad0df60fecbedcec2f87749baf4fba16c061eda16ff9e14378c20c0b611d416365ae6b162da4f47fcef30df8cddedd2e9aca223421ac5d10e3ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\OYQc.exe

Filesize
114KB

MD5
1499679b388f3404727e71727e67e129

SHA1
8bfe83e421b8c904116c5c9e988512b9650a4f7a

SHA256
7cebed49959080a1fdb864b71a177439480c2f2ab069cae8c7823fce2f16af80

SHA512
44ca37f4449538a64002519d9ad0b574c9702dd4b4d065f3012006694ffd7d8e16ab4edc65e81dfc1f841a2d9cba0b440c0dd4d5a2ef0c00a4f9d92ebe37db19

Download Submit
C:\Users\Admin\AppData\Local\Temp\OYwk.exe

Filesize
152KB

MD5
9f8179d743b2a00b938c1f0be805f927

SHA1
9dcec847ecca5d6581378d990103ffa081621937

SHA256
be0301476d0baa66a3dff19959e36ac20c806d960e1aa819955f183df192b97e

SHA512
51b09eeec70f85ed4ff6fb3b8db9b0dcbe8a4f4568a2e651425585bf0db60047330d206e9e691a63932b79ec8df91d093df1a4c42003b157d4fcfb13e98410f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\OcMI.exe

Filesize
744KB

MD5
77959d6c26cf68c341c4de288cff3ca4

SHA1
ce779d3aa26d12b1ea899e283a042caf040cce21

SHA256
d943fe81828a22a8e7a39f5feebf8e52cb3fac0b5f906b4769d91a7f74e9d1e5

SHA512
48af0aba39aaf10589cfb433b5eb85ab94b053363caf8a3603f32c22d92d54d28ad8df65a2cddfe6541e9b7ac3c300f8b64b1f51017d4d358978e0397e0c563c

Download Submit
C:\Users\Admin\AppData\Local\Temp\OkIW.exe

Filesize
698KB

MD5
0ad7d272ba2eeed8ae11695314feb9dc

SHA1
8588101c886e195cb3f749dc227563c9525a7454

SHA256
07ca92577bfcf8e85e2ba728bef5c57cf74b0e6d65cd8bb79b1945e43a4f05f8

SHA512
101dd60f9d265c1d6222c2dc77c75a782220f33a52c324905d928e27334edb22e1b7611997bc7d7fe5a89bac9d9a9be1bc323ac3391dfc852d348f6a56fbc006

Download Submit
C:\Users\Admin\AppData\Local\Temp\QMAM.exe

Filesize
110KB

MD5
cebb6f7ffceec476bc770e44dd1481f4

SHA1
9b3cf4352fd2e34c4da2c8f66d3333cded566ff3

SHA256
70774c2955d7ae5c2a4127a7bd576efc448a4357f665d16496443bed8da43cee

SHA512
252b049a2cedc97ab5f1cd4b5d0a2d4ebc16f9b18a338fde946c3f5f867195cc442bc08dfe0c952aead172ffce82e374ddc10ce7069967d8ff1c9829a5a09ffa

Download Submit
C:\Users\Admin\AppData\Local\Temp\QQcK.ico

Filesize
4KB

MD5
6edd371bd7a23ec01c6a00d53f8723d1

SHA1
7b649ce267a19686d2d07a6c3ee2ca852a549ee6

SHA256
0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7

SHA512
65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\QUwQ.exe

Filesize
110KB

MD5
a8490269aec2928e8eb2abcb96ebff1b

SHA1
32b07a2d6b23f6ceb047f90dc79cde4eada57f60

SHA256
32b21992de6848d241548bd0b7533c0857e939afa8ac4f54a32d2a05cd192392

SHA512
131fbafebf251d1fe8628d305503f78efc8bad7faff455f6efd5d6fdcca64fe9b5d93be1cd9dbb33d02f094d950dddbd52a593d6dd04c0eea8ff8bc5ec84740d

Download Submit
C:\Users\Admin\AppData\Local\Temp\QYMK.exe

Filesize
110KB

MD5
5f6c9548b2c1ac3db3cc83b2ed573d86

SHA1
32043f88fd195df99eef2d013c7899d2822ab41e

SHA256
ecab7e4add3ed2546ec84e8cf524e0f361153c133879caf0d37c81f5861765dc

SHA512
5dd6a5a40475717024253e2790f8e5d4a6cc96ffe146d0fffe4702e4a8824b812ff639a767b2ccb0a09c7f4116faa179819d588c467888c98152adb46bcb97c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\QoQu.exe

Filesize
111KB

MD5
b009530434c8dbded913a4dfa33fa3c0

SHA1
e65db04d46438eab1852e88ff68f2257ba561be5

SHA256
10d1dbdceea03915deae89df931caea28fe5f531490078e71f0c8e4d50d3daf9

SHA512
6d77a18d77c44679900b1b9a0b502c07cf5c285be673601e70c41d2bc0130b391760996fd22c4667b17cf316f0928dfc3e61a8fd93a621ebfd6d95f08fa1fb22

Download Submit
C:\Users\Admin\AppData\Local\Temp\SIka.exe

Filesize
112KB

MD5
caab0c583158e783d30241355a93d8cc

SHA1
4987e49f76fdbeebe2aef4f3c8054097f937f826

SHA256
bd8654d3e20809b8738a3c84260fa4db6c498a3ff3fb2c16e3e6e1ee541b64d8

SHA512
48c757c7cb4d69c694480d8db5f45c10b785f9212e79eb3b0198a02d14f9c2c3df8cfe6833e4e05983f18fcd2adfd68748b51a4acdb847d402a114a543555993

Download Submit
C:\Users\Admin\AppData\Local\Temp\SMgQ.exe

Filesize
111KB

MD5
155f84fa453c46f26f6f38bd6ba8687e

SHA1
b7433d803af43200e2e151e4d7df7f82af8e4e08

SHA256
513a4cefc1a3b79fb3e3ef7f29a3d81ac464344f60300d07e24a3f5f04e2f4fc

SHA512
e4caa2e819ad716535cbb114301e56a4e91c2a7545252cc3db9c64f403896b36597d99d64b8ca786602a3dc6ac4c4b0411a979596ce4674f9a4dc7ad896f1847

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sgcy.exe

Filesize
413KB

MD5
ed5991d8ffb54a624db8361f28c24ecb

SHA1
eb9d656491a55631923031887a81bcfb70df0ddd

SHA256
c040d1803a700bffe27ab46b75ced154cdcc3b02fd294d0890d9030827f6bf65

SHA512
226ab437100e17943e6c47b208ed3846678c76503f6cf40785ec97f22a011fca27e3995e523b65885de7c00bf345270db4dcbd4b7a32cf9c59e2d38025864d67

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sgsk.exe

Filesize
120KB

MD5
0a72b07e60d473a4f3491cc75ca621d2

SHA1
fa4202899c0f601e0dd21ddddbcc835e76bedeaa

SHA256
d113fc8be2261a440f8a310dcc7139f45144e6f089a9d5593acb8b0268e42c5a

SHA512
6ea4cc0d1cb912e245b3785252babe575b797c064f03b7e56c450ae51527e197d45c08174a6efe84549f9e0e6772c6d21b058ae992bf8b8d2710469cde36f917

Download Submit
C:\Users\Admin\AppData\Local\Temp\UAwa.exe

Filesize
110KB

MD5
65fdcd5be2f67010d8691bd83ce3d483

SHA1
075c8912562dbe4f9eb56bdbb6acf82f90a767eb

SHA256
185dde7bc98c58b6666c4cde4be7386ae13c34615d4489682fe3312641bd54f1

SHA512
fbcbb5d480f3e5b32a7f90112fc418308d15e63d372eee4e08c764c584641bebfc1f0e04a8613a4cac92a116ad07810a7110d3a853c1f3df05d73f6a7e572b39

Download Submit
C:\Users\Admin\AppData\Local\Temp\UEYA.exe

Filesize
111KB

MD5
3c1cb22504e1206cf27382654c1365f5

SHA1
5bdffb5ca52dc112b117373d94ae2b96576f2b8f

SHA256
6c7cbe75ed67e1e67a0172d94a7aebc3c49e260f2f6e229288adc8dad3dce67e

SHA512
b0078da16a1e9162df33d89bc3be58029f3891fb036bd7792fe3dd0e5de88b4018475374fb73fa862b59fcf6ea2f874f75a8d624e2782dde006e51595d82c095

Download Submit
C:\Users\Admin\AppData\Local\Temp\UIYk.exe

Filesize
111KB

MD5
35978c8a0a969ea426cb41a6a4bbad6a

SHA1
447c1fe2eee0a009a425131a3ed0496ec9173d09

SHA256
8b2c84d11d4f4cb7ec4d6f01f4065da48137fefc35ecb44426a0762ffd7e5101

SHA512
59b55486adf355e067938fb43d004fe9201b3c6d8c8da35177df3b52233399c3824433754d704af027265ed5faa94c32cec84fff46c68a5c3ad35aac6c4da79b

Download Submit
C:\Users\Admin\AppData\Local\Temp\UcIo.exe

Filesize
111KB

MD5
0b0a3e8c1866f93b8c6429b5bf9df067

SHA1
478f3a93637fa8dd88f69cdaa400ebe63b8a1b19

SHA256
8898bc21169f3a49106d5286da7918b747bf522b76591e1f919452b6ec018c2a

SHA512
0a1ac9f0e8a5394b9b83ee7a0026ac69d3b3b54a86dcbb4cd035b2fad2cb26dc83370b1d0d0512136b053e3f068fba34abe52604c519eb9d997551a377d2e5d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\UgwK.exe

Filesize
347KB

MD5
0f4cf9a04848647033b055ae9dada409

SHA1
b9782a134c9f6895ec4a573d74bd82a0721b265b

SHA256
817dc634001d56e8853ffd61c8c4ace7d6e0e96b620fe36ac4657e9b846ef354

SHA512
b3ce8f285b404b11f80f831a26922cd29ecea440987d1713ce5a1a1cca9c1849cde904e16b816afe4e7ba5b45edd43f52da6356339fa0150bc7189510121877f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Uksa.exe

Filesize
566KB

MD5
97e79fcf4472824428f53e7956058885

SHA1
bcf30956fceff807f900d7c24868b9141942bb1f

SHA256
bab7f428f86508348c91819ba88a16310a4465619c07fa698cb521f8a0a87e97

SHA512
6a2e6c37b7259a1f78bbc51e1bc7419d05db40d688d6687d6f2060d8c8ff18fafe966540cbf39380c125a1506135ee8b8bfa48d04babc45e1b37383524a79324

Download Submit
C:\Users\Admin\AppData\Local\Temp\Usgi.exe

Filesize
112KB

MD5
0f1e3d4d388e58aa804fdc99541f706c

SHA1
37d29ae7779ed036dc963262463dc023ab4738cc

SHA256
c21480aaa978bb4a1cbfc611ba2e2a3cf98649fa99f02722e54f4c85dd4f5059

SHA512
6ecb56b21f3ec0aa75138512ab0a45f92cd209f859fc44453562c52b0127bf977fddcb86c00910ff8b8eecb6302f9e4cc961cf7b3e05aee812ccecacf221120d

Download Submit
C:\Users\Admin\AppData\Local\Temp\WMwM.exe

Filesize
565KB

MD5
4801e196510b9cd01da4a33320d9b039

SHA1
bcae5b51a5dc709a5a19da978f0ecb9446011c9d

SHA256
83ce4081cc4fbb5e15d43c1393969b35cbdf6b719f9c080fa827a48b0948362e

SHA512
b51af9b6a2b8ec77301292af5c05821498de7cf17584c3954d77a452ace8d113a3c016900e2286ae2a3bb226278070c8c4e55169fba086efd6e08902a47315aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wkwg.exe

Filesize
118KB

MD5
41542f30339266193dbce0ae08bf5473

SHA1
f906ae5e88019500749ea2e21d230b5dd3664d41

SHA256
249bdbc6be963d19fe7200752dc38359adcb3d9c87d3ec775d3d0769a46eabc3

SHA512
b52a28b0c6a07807dd699786ee25bdff5fe2fe6d3440d548d1506425f1054978889cd70c705efa9902f115a08c4edf372194f844eb9c295338d771f6e391d8ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\WsAw.exe

Filesize
116KB

MD5
c0c22a34ff5fc2dd7ec29c43b48d708a

SHA1
5b86bd88044128a4a09cbe3593d386e74b06e709

SHA256
0076c530d7bbe089c44cbcd573e0bf88f6e526c0b2c2892bb8b3e030be85c910

SHA512
08a0fe7ee68857087f7b9bf0de7b4bd3d6c9dcf32df159293743880943d5664429056f33f3449d1f3823bcf44dba6ddbe111c854710088381076645abd098fb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wsgo.ico

Filesize
4KB

MD5
ace522945d3d0ff3b6d96abef56e1427

SHA1
d71140c9657fd1b0d6e4ab8484b6cfe544616201

SHA256
daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd

SHA512
8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e

Download Submit
C:\Users\Admin\AppData\Local\Temp\YEsA.exe

Filesize
371KB

MD5
dd5607d479690256dd2e713e568c4664

SHA1
a3d415e94ee152135ae0efccbe54ce737331328d

SHA256
cb35d7269f36172078b78efd9e039493424bf3331c4b0e646272f81179c633e8

SHA512
24b3d21d38c4f3d0454dec5fe0d5e207ec3e6b119d5820f26cfee2da9caf031c14156593b85b28687d018d448879bdf4937aebf032f0f26abed187a6534b472d

Download Submit
C:\Users\Admin\AppData\Local\Temp\YMEY.exe

Filesize
138KB

MD5
2c940a3174f255f5c98b197ea9fbc962

SHA1
346295f4db4d64995f602e833e737197c338e83a

SHA256
96332ee60e09644f6b7cb3df6c244d55797dd060bfe966918ff13dcb6b8b593f

SHA512
c141de105a24cb6b42cd61cb086772e70876bebef728af249fe9bbb9eac817503f822bac33c568d587280885db6db6e7ef03dda9b2d339f0176038a5badcd2e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\YQkW.exe

Filesize
110KB

MD5
0d37e3a6a3cfe1b2d8bfebac9a98b29d

SHA1
2fec364f74bde31f49a68418f0450f1734f1384a

SHA256
a1db20afd9a5e32114ea4e02579349222d53d5b1d8334f1f67f14a5d8d5280b8

SHA512
cfc512abd4d3c8fbcccce941f0249d9f9749f2338477749ee3b1ddb281e77778e6f4dcd8fe15ddf93d2415b373c4b3e7841ef7462ed11af36e7023f3c198f036

Download Submit
C:\Users\Admin\AppData\Local\Temp\YcUI.exe

Filesize
791KB

MD5
54b687ff6937aabe3a97167677b4545e

SHA1
b85110692765fa06e44b168ce6fa91c186adfaa8

SHA256
76045c5823db2267d5aa5191f7823af249832782bac313b638858f7fbafa8cf6

SHA512
c9621ddec8d4ad89e3e4f24837f88055e4fb80f3a286711f03d1bf050a300c1ecb17c3ab5a533fb462f2dda44d434a6edd3233ab91c4ae46206ecd19c1de6cec

Download Submit
C:\Users\Admin\AppData\Local\Temp\YwMq.exe

Filesize
237KB

MD5
6a746ee535252c9a59e8bdc7f2691a06

SHA1
480d218a4fab3ed02eb0f0f2afc6a245f3c8d347

SHA256
0a3651a3d0626f6221fe624f4ad9a5bf8706b0cde156b96d702271306de25463

SHA512
6b7b034cb5a22714786bc3eefed6ab3f76f90a3ca15c55bf8effc4cbca6c952e4547c2b4864901a05952938abd856d4d227839667f2f729dbd966419ec24310d

Download Submit
C:\Users\Admin\AppData\Local\Temp\aEkK.exe

Filesize
111KB

MD5
75cb317d0e8e4711abe6080a6c5e64fa

SHA1
2a34a918325aac4872a95e478df45ca716dbdc8c

SHA256
ecf6a3b117f3bfcb9c5a38235fbba9f9abc0ffc28c21acf70a1c689c93dbdfec

SHA512
93cd667ae9d4bbaa95b6ce5edce1bd6b5d94224899e3190cfe1b827bd045756120c1e191eeb76bdb973f06ce1abdbe5116debb9c1e8ca4da89c1501a116cccb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\aQEw.exe

Filesize
138KB

MD5
eb0268e01057ca8294773f44ed661755

SHA1
86d8ac61099526e6e226bb50bf4e22a87ac11e6f

SHA256
8f9649c8fb586aabf1d65ec89935da04a609f32bff37b35f179abaa41c76a263

SHA512
0e1ac4339d9daae40b76a19758d4a117c01f130b26fee4a4acf08a35f6a897fcb3a36bb4937a2dc6180783ab5af4b25139e8e1930f8aa3ecd7b779efe2c9c10e

Download Submit
C:\Users\Admin\AppData\Local\Temp\agkg.exe

Filesize
117KB

MD5
9d15e989ef7e2df5206c16afb900b3da

SHA1
e843d49590fb27dae9d71965f690cb0ee0125530

SHA256
b40b638e02a667e1705a992312b7a3622b84b249b72a4156918e24536d0ad4cd

SHA512
e2fa16972c9e897f2fa4ef32ea983f1e79a65591f63236d447e3e88910db8a1faa0c11a2515c38edfc169241464b8d89aaf3074ca91b886a0ed340e4f32e9e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\asUW.exe

Filesize
154KB

MD5
4573f810486d8ef320784b2d315c0006

SHA1
d3a65edf3f859e44f771d56a015cc93c0746c9d9

SHA256
658a484d6d2addb7cef45d94aa7712387c6eb01c2cd563a71c6c85cddbd3dbfe

SHA512
bd4979578220fbb29a8838ca76f52f6e008060359bc772e9501f82356deb05f9ea5ff406d2cc7b94918d466ba270d51ef5fd273d7b63404b4e594b5d03e345b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\cIEe.exe

Filesize
1.7MB

MD5
723d15f2f4449ca3f06e73534af3f356

SHA1
19202c50c2a8d74af9cabcf87ae35cf4bf4a0762

SHA256
f3ce2f91f57daa0b14f8558bdf6de3c67b825f2ba914c8e674532184b1e138b7

SHA512
1c85b53aacfa53f635ebb95c2503ae8ef24d81987f7ce845adad21f50542e70677f70bfd939ff64a0709f1b627f6202bef75f2e8e3c69e5f815e942c23b3e72f

Download Submit
C:\Users\Admin\AppData\Local\Temp\cQki.exe

Filesize
110KB

MD5
bcb91da63353d5ff0e336a5ba2db34e6

SHA1
dd9515a01ee03f50ccf66fedb8b8d2ee148cb5f7

SHA256
2c7c8132f1425710c4ad73dd14c84ebc6e26c29f55fdf8c67f2c31ce2e199e14

SHA512
22ad3ec049e03de1c383cc91a03f708b5fdcbf7036e671341c118b1927e8e29fff683052f8437d92ba9656f11bea8b9de5129ea045665c332a710b91e60b0f52

Download Submit
C:\Users\Admin\AppData\Local\Temp\cQoy.exe

Filesize
113KB

MD5
3e658163af4a31c6fa9663cdaa83aa2c

SHA1
22c30ede66bf48b1d455bb0d3184d15c8ee2732e

SHA256
3ce54f911d702a57b262daa854dbcd3359f992a13e78bc1fa5e15200992e14e5

SHA512
59b20196521573f039650c4a3a1d93669e00df7b84bcc9da7990f156f422332b9338153ad809d999eb693fed64eee8631b96210a7ec6d121f8688ad581b402bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\cccA.exe

Filesize
114KB

MD5
eaa614d2487948046c347718f995b5f4

SHA1
17ed22e3430d7d2f47b664dfb621d4768eb2fe74

SHA256
5b2b70d6e4ba6b682167ebee2defdc7a53f7dd8e8be2a81ae025a88856f0e3fa

SHA512
bf8c8e0eb72a867d75f343e897218841341b0344b84b81f2b624cda22be926f34250d7d415642ed98c20c79609625146e13cc2c35d73f13a1f9f0da1e83fbdb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\eIIe.exe

Filesize
111KB

MD5
dafcefb6459df99528aafbb7e33316cf

SHA1
57e9e1fd3af7aaf7bc37e58e007568d8b4bc4660

SHA256
283168c0534a8975cf7acbec4ade7a55ea7f97f6d0986b618db616ee7c1768ad

SHA512
7a31573268c93594441e5d33becae9d5b1bc130ac9b46a084b9c4dce5c673e69f6fcad97e2356532cb0eee874c91e0486b0277eb081b4faaf919b0a66ab19069

Download Submit
C:\Users\Admin\AppData\Local\Temp\ecok.exe

Filesize
289KB

MD5
a395a023e136e7cd11633d625502bf9b

SHA1
9cbed4537817abd31912e2a49a307d0d4747829c

SHA256
771eaeaded7bc1022b9300c07708c5ddda6e8f3066c8d9b5ff7ee965e9e73bba

SHA512
13c64400f4bbb13af65b712c64f389b4361c8cc443af23c229161ff81f50b43c66fa6d3b61ed49c3e3fbee3de9bdfa043bab85d109d86f2bd27c57596e53b359

Download Submit
C:\Users\Admin\AppData\Local\Temp\ekoC.exe

Filesize
118KB

MD5
63c0769efae5df835f6bccc382295bfd

SHA1
45be26d253da2b35282c1ccddbb15c7d0c61946b

SHA256
474dd177ba615e980c4b2190eab77eb2688f11ae045c2b45d788d5c48fbb0561

SHA512
591dfaacdaa6fcf024a8e34ec6495d6a60d6c1fd24a27a01a21b403dd8290fe4c2065474997083615862446306a8b04e70fec69468c9fb4aa24e6f8dee14b4c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ekoM.exe

Filesize
112KB

MD5
e889fadfc3ade3727c86f0574306456e

SHA1
8262d78931144ac8545f3941a664fe46900bab57

SHA256
bef98d986b281051c6e1d3f8b3ed5e3525741fbc09960dc324a2b233afc54773

SHA512
5056245cebc773ea80e25a156f72e61fb19f56638b7213e417ad5428950e2b570baa2a2527b4c88938580c24005b49762b8e705093266270b5ad033740f7b4fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\eoIq.exe

Filesize
112KB

MD5
8f9b6753a405794eb64714e020067fd1

SHA1
e1a26acc0f57036658bdc666ec2b8f0463e622d7

SHA256
85976cc9be10419d2a1f5c9f71047641183abfbb85cbfe7038559c8b0f4e2662

SHA512
fc7dd1b693ee123e60267dcee8f20262a081c42e5086a8ac18a713c820ece6dddc8c039d332e5e5cee3e40e76f6480cf0a8f324314416b1ec8b6729fdb17ee82

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\goYO.exe

Filesize
744KB

MD5
f2fd302bcce7aac175a9f0a0ae67ba72

SHA1
a5c22489781e5bba23b964e7dec69d98c2dce735

SHA256
d94f2e748b3483df77c870fd486385d4a48049f5467b040bd0ec6494c7352cda

SHA512
20de1f5c183ffc5dab1180d22eb7154a902c85e1f4fd68043e76722c12644219937d490d482cedacccf27000d0ac75cd4780bec85d6a884abf16c650ed337485

Download Submit
C:\Users\Admin\AppData\Local\Temp\gsEq.exe

Filesize
725KB

MD5
8d3e6fffe9581b546c04eb739aa62b89

SHA1
13eb71c3cfd02a910c67cd98ee0b9a78864e02f4

SHA256
fa6f5eb65da3ab6cdd650a8dba4bc2e130850e97f70e607e9f817c6fa7c8cb25

SHA512
a7940c282ef061b043877945ba505980187dca5a2bab91339d6df9957f2e62c8a6014cb607b32c1ba18c761c51eb64c172768a0e3e1e495023741734c4d92018

Download Submit
C:\Users\Admin\AppData\Local\Temp\iEcm.exe

Filesize
683KB

MD5
46af8685168f279b80bd01d940d0b912

SHA1
3f6d2944ec7d99d0183e58b6fdc33213fef47baf

SHA256
ba086ecee93b35589a1276cf51225112c3e8c406f1a55426f0c6f05de8f9f5a9

SHA512
997759b891f4a601bb0507359e7b0e295f22d5b3d6a425bc469be260f16f530cad27c6038305220fad56286f8c524d1df41bd73a67cf386983a0f45cf135f432

Download Submit
C:\Users\Admin\AppData\Local\Temp\iQAy.exe

Filesize
237KB

MD5
e6f52305f37cae96a8cb3b90acb69c54

SHA1
3e01c9ce9c49ed0b31566460d952b069b0fbda8a

SHA256
e8749661f85bae853ec346940c398db64fc907cf5f35661599d9d2bf3008e054

SHA512
329ba57d5a4e5cbdfbc0e8ee31ba75ed20514670cd4d44827f52c878648fa11f4e61a2cd9a7db3a952dffd74c06126ac58c385e219d3db1c117ac7070416e517

Download Submit
C:\Users\Admin\AppData\Local\Temp\ikQC.exe

Filesize
113KB

MD5
04f49729723090f9d5d2b8d111225457

SHA1
ea2743f2c46688da0e19fb531746b78ad1c77905

SHA256
3b221701f4c9208168431b8094e217858578519496059c34b25ccec2aa79fac4

SHA512
49c77ae903cdd02ca3dfc597a4acec793807335d7487722f8f25c710e5e3b27d1eea133f0df1f577b01a17f1360add716e95623f6c0aa835d04377edad84574d

Download Submit
C:\Users\Admin\AppData\Local\Temp\kAcu.exe

Filesize
110KB

MD5
84902b7f1b046a81e9d8aca0927ba95c

SHA1
462c9a54594c07f533add20c86717e2556e0b802

SHA256
dbc9abb8a7a42d3c43adaa54f78c56b6acda4d249d00cacf51164deea05a8bc9

SHA512
088c275b1e1825ec645429bd79a60511aadb33057608034cd06d1e8941e43e03cec0b0c933b846e0a1dc8b1e5c2b10fdfd95eabec651f579bfcf2d30cc6552e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\kgkk.exe

Filesize
521KB

MD5
953d2f7ee8667b3e263996c72275c380

SHA1
bb0aba335e1a96fd4cd10c4dea4c0964cd8dfa3b

SHA256
4d0125ac73f5c3b92a75a431fba19463398287e9f259c3fcb77ebf4cc11e4832

SHA512
a06db81873699a71c98c7d8018b0b2e121f60e4584bfc2b564324c1402644adddf207bd90d8ea1c059e4c2c2498e76a27fafed0c2a244bf486c4d52571206cd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\kgss.exe

Filesize
141KB

MD5
f6190a6cbdb48755b68c3b5fc3e2c84a

SHA1
50c98af6c2dc81cf1d8c8f958e9e711f7da7bec5

SHA256
4a25d5f8cb1a4842dd86811ee3fb6f4ee24e0efb08adcb0288870f0217646857

SHA512
c3fee776bd8fa3f65c15b2945f7c8e471acb94830f9b7f9cd8909f576e723b873b6084d6c8638de2ca71a8d0590aec4c1f850dd3b3f331fcea36860df12d3581

Download Submit
C:\Users\Admin\AppData\Local\Temp\kssq.exe

Filesize
117KB

MD5
9a6b5c228c8274f53154298e9a97bb69

SHA1
de454ee7d24eb9a4386ec62ca6e8b49ddb3008f4

SHA256
b5b7c19ecdcb0a116594755ac1d7130c2610174fe47cd3e953c00433405ed5e2

SHA512
b67fd713c5b7900ba88a76188379dc631563292cfd3aaf9d416e48da5f4518fdc42acf812791fd225be03d44277b7e39b45903b0c2210d654d175a79eab39201

Download Submit
C:\Users\Admin\AppData\Local\Temp\mEoc.exe

Filesize
111KB

MD5
856dde16591666c99e396678d3ae0360

SHA1
ca9f68bf6acecacb2d4831619e8024014cf25b40

SHA256
15b120805bf1e1a21d63acc3813d0ec9c4424be8a61fc822777134995342f891

SHA512
0bcde49269936c4150901fab9b43106ee3f3cc9e98dd3511ae7522b35956ce5be3f8aced7062ce70f29c1dcfddc69be56d77abe8cd602f2222ccf443bb67e5f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\mQEa.exe

Filesize
111KB

MD5
31e17c06783610dd551b4395bf776a63

SHA1
4a27b9ec556da2f6a8960b7288bf35dce0299297

SHA256
8e405a1142497d7f701d56be048864ae4eda474f3a8d0ccb7fbfa260cbf21a8d

SHA512
f0832d60638d7453ffe789318ca71a403a8bc586e502498a2773e8b7d8232c9773b887643c313d3e9b9e636eb817c6e63aaf813cb28750049578897ca5c1d850

Download Submit
C:\Users\Admin\AppData\Local\Temp\mQMO.exe

Filesize
119KB

MD5
8407406b02debbdcc06cff82ad84fe73

SHA1
39f01bfde33692e8a34ac51b2079f516ff937892

SHA256
ab72b610967e0972b9794a4b015302343955e0413a31311121d36d64d55c22e8

SHA512
0ec2a750805feedceb4a4b44b5eb1ab140ef4a38e96c83fe89839f41f63bc0fbabbb0cf1bdd37ded80f2e14320b467816f0ac0a7d6f5f1325c2fb48306b1b244

Download Submit
C:\Users\Admin\AppData\Local\Temp\mwUw.exe

Filesize
115KB

MD5
3ae7306eb027920e8dfba6e6e33f4159

SHA1
9b010c5e04238103a8d7e37e01da46d757367372

SHA256
73a4050aae753544c8ffb58131cabc374ad03a658f67316aa92703559aa5a2b3

SHA512
bdf34fd95832a0ac7cece0f101dd9d28b6b2d413b6b20ec3be0f2f357cd3d2889d9a68c7b380b78427009bbc50d79930ea085221adbd16fb18bd955e02e2b9b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ocQy.exe

Filesize
113KB

MD5
87a0574af134d94ff8658d1c9f515965

SHA1
528fb5626f9b97909c52ed810a2f91670ab1bb3e

SHA256
223bd09a8d2e68501f1995a03aebf563e84afbfa637960213718611a00a2c490

SHA512
c95224c94c684e47a30dadecb90b7c3dd295a8e1ca10b2beffbb1f9875d9d60955509b4b6a93fd70e1f8c5298acb082bca447b4b76e00200644dc117abfec48a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ooYI.exe

Filesize
113KB

MD5
d4209609f31d62cc52d530fb3f98fe93

SHA1
ad283413a1102331c4322cc4e2cce132867c8d0c

SHA256
cc79452e479321a34f67276128cd3b6929aa37687bcb3b76c907690e01ab540b

SHA512
2f413dd2d6a98c49120345527b721271295019a87f7f046a9165f315e93ba918483f1b87178866918bc815489ce9c9c3fc1f5737873c0ae7088126cbb4de6cf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\owYM.exe

Filesize
112KB

MD5
35141971469cc439fa1ccdfa6bafa1b7

SHA1
33d90c8d4652c7fad6b7d3510a1c96cb770b27f9

SHA256
3d9cfa7bff40f556c9c29e3ebeb88654a8b9b2c1661c908f6584d3e800a1e03e

SHA512
76be0434a8f5350e313c4b6ae71aaca54d8e7bed8b89927c4e2252745897b2a6f3adce28edcdadee03e5b6bf13c5571151acdb5a20225dfab10b1fa2afb78c23

Download Submit
C:\Users\Admin\AppData\Local\Temp\qEoE.exe

Filesize
237KB

MD5
bca6e85f3340fe1300354036e3682ca6

SHA1
ecce0f5c0f2ede49c2682310fec9d24ba63ffaab

SHA256
ee50b124dc7a4a088009c959bb14c10e62b6dc3cf4f2e2aaa2b6b79470d854f5

SHA512
cc224348f21107994ce7d296ee284d0c4078c090785f54275173ef412e689c911ed1cab4ca6f3056b354e46c7983520e1658384f86b055fcb8db44ab1bb21473

Download Submit
C:\Users\Admin\AppData\Local\Temp\qEoM.exe

Filesize
699KB

MD5
6e3c67a723994d3b4b7eb45b202b8a27

SHA1
7a6ab962cda3bbdeb0052ae3ca64d342c6fec824

SHA256
1536ac26b859bf9ed4794b7ac31a9596b69461ebd4d1e03040e3ec8a60c096f8

SHA512
6310d6da5f39fcd9c4a8d9c3c37be02d01230bd116344ada37aaf40cc67d28bb787452b7e2818e88577c75559feea0c9e070df5dfa04df352b14e9214ab831de

Download Submit
C:\Users\Admin\AppData\Local\Temp\qUES.exe

Filesize
117KB

MD5
0736cf2e96647610e0d2c5204ba30752

SHA1
5c7757f4c71107f5306620a61fb095007fd13853

SHA256
3a042d4482c8bbb3f9e872171b203e971e3fd32c04c04943022292cc021ad623

SHA512
ea8c58f901b30c210a7a7d282ca05743a1dbfeef689afb4f09ed4f834ddd211db10b2768a13cb9761df97e3bee5f12ef44f1b488cd6e7e3d2dd6a32b05bd3d9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\qgYc.exe

Filesize
110KB

MD5
ba1deade12397213e2780a4fb1ccda3f

SHA1
7a9538b66ebe0b0bd152f19b0e9827835a148ab2

SHA256
9027a26cb9f953feb38aaa3fe2ffcecc71a62e58d01e83a01f3f9b512c04ed7d

SHA512
15b021989457c15b32722b16eb9bbe950661389186fb01f8c0af869d614bc75669852f686ea60fa50af389f35dfa3bfab74fe438534b37053903571b4824958f

Download Submit
C:\Users\Admin\AppData\Local\Temp\qoYW.exe

Filesize
112KB

MD5
2b66f4a3e6692e0cc7c962ee7f55ae43

SHA1
8178e42f1957da9ca0dacc48018e0ae3c0fae5a2

SHA256
d7caa32ea05b301f24b8a1e2f242b57294d3cda26eb4f0201cda7bc12a693910

SHA512
10df3dfcbefa414ab360f82e044562c04d51fc31a5c6671dd85ce88f9b2b294d75a035bc5cf2efd785ae4f3a0d88d9fb33d1fe8967a94ebb9d0d8cbe68244294

Download Submit
C:\Users\Admin\AppData\Local\Temp\sUwA.exe

Filesize
117KB

MD5
e1816658287a4a1f82cb5f8c68dda73e

SHA1
51936f6471032139ec5690af1715be6916de8763

SHA256
91b0d49464d470d15a8cbd70017bdb38ff5c9ff4a42404cd3f3a3aa5326101d8

SHA512
2f5477e6ef8be1316f73d8e9db58cbdbb2f9b6f24a9b73c9800629ad4fa3cb22df447a17fd9fdeafaf32ff961e60aa3bc6a2553bc7f7a2a8d0395e3875d7148a

Download Submit
C:\Users\Admin\AppData\Local\Temp\sckq.exe

Filesize
110KB

MD5
94895c8d7224c179dcb25b22d0b98366

SHA1
461b255ba764a1eba7e49dd60575d889b3f6aaa6

SHA256
82fe57d8b523f34b650ca9d1dd098e3cf7ad0d91754b2d72f587e649a8379445

SHA512
00c5f3a75f82cc62259c81fd650d6df0bb789776239a97896ed1115d73da2c070fd008d998db639aacecc30632d9955918e54dbe82e8f3b0cfbe6a5a28b868c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ssAi.exe

Filesize
112KB

MD5
d24919125cd718b6e1557871a1139dd9

SHA1
58884a649233f99d4f700e4fee831a8c9c51333c

SHA256
32d8fa070f6ab6a6391b275174cd9c4a3d4931e5e4cea2f1d96cd7d6ec186858

SHA512
1f6cb8ba22e050a69a1e3e7735e41f225ce7b5dd0ee361158b7bbc9d9c0e8baa17f185491ad385c003a94a786f6518d045a971ea996fd3358a4a759f702b135b

Download Submit
C:\Users\Admin\AppData\Local\Temp\swEi.exe

Filesize
237KB

MD5
70413e83c58e5f76f61eb6fad5b2c786

SHA1
3a193ff2d487ce2af741d08d690c8474b1fc9ab2

SHA256
f84b93b1d241a9c2147b4af0e61bb14bb657b0ef2dc4c9e129842507d38fbe29

SHA512
ed2bd30c516fc4d6ffa9ea7054c7bfc335683c52f39f337298c7130b7cd3ced0752c81b1aaff52ba2d65da333ba8e8459b68d6b288b40ab3d768336748c2ae45

Download Submit
C:\Users\Admin\AppData\Local\Temp\uAMW.exe

Filesize
112KB

MD5
35a11829feab3cfa18359f09ec40fc43

SHA1
a1660ab3945680bc00dadac39ba8727f54f93759

SHA256
3144e256a716eccde8945ae71809a6ae4e545178c995fa44efcf9ba64dfc60b9

SHA512
6aedb68ce70ad473a849051292755e58c3931b68a0db3a5b7bc0ac6f9e79e6f90cead864021278d30b4e3c047cda0f73f2276b2c4fa16a131327217166b691ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\uMEG.exe

Filesize
887KB

MD5
f5cd2a79010d2fffc31af196b2741f0a

SHA1
550f660f45aa317528d9831812168d3c34953f47

SHA256
70a1eb8ddfeeeec39da4a0f58813e2699be19ab987f5f57f38edae35c2707d31

SHA512
835d4c6de5a941dc071ec97cd892fae654a5d4f260943903df5cc4f651c1a8ab6363fe432220315c18fe5571d5dbc1cceeb5eee7ff4fdfd0278ade2733927da9

Download Submit
C:\Users\Admin\AppData\Local\Temp\uMom.exe

Filesize
136KB

MD5
ee633165d5247b18e0d95a203d0dd345

SHA1
ba8a097092df4aa4e776dc1803a1f89f86dc96c8

SHA256
4f46749e601d7212db9a09f992b05b0b79b74ebe80f03193a845804c2a07bbae

SHA512
5252b50e137aa228fb146c26dc81b5015dbed73d23756af56f498e257b458536730a8bda3228b4b4c75c14938de9a60f991785246e67e785a3944eda27c91a27

Download Submit
C:\Users\Admin\AppData\Local\Temp\uYIi.exe

Filesize
117KB

MD5
a9e59f11a103f1a4b98698f425ecc4b5

SHA1
63c01a2d36ef7eeaf8520ac3c94b95d88727cf61

SHA256
8c3c964c81c21f961c02b4fa2022dcc22cfd2662e2388ac8bbaa1631758c86fc

SHA512
d7eddec153396b358e031c6ea9421180e1443f54802a446746b9e1d46dcee1d4e4a62363beaf0a3eebaf53313e4c72f2b7791908f143baa16339d47fc6df60b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\uoQo.exe

Filesize
112KB

MD5
3849430c35f95c617f4b6772818326c7

SHA1
8c0bad15ee078828698b79c9b7396321ccdf68c7

SHA256
0d3bb4e238f5c5c7140e2aec8b5b5b80d7ddd50de4794263c79ee112df7d482d

SHA512
9e0bec0259715eb4209561e2a9adaa43470dd3a918264d15372f47587d63a5e856aed0a6b3be27a0ac7ce46f265d376c2f91d7afd340d031261c0cb5e86db839

Download Submit
C:\Users\Admin\AppData\Local\Temp\uowY.exe

Filesize
122KB

MD5
dc1ceaa11d7dc61a527fa2f6ddf25be0

SHA1
98797182a534b59a8763eb97b70c8fb5ec4c9b87

SHA256
36f5cf51dd85537f6d884b4a2bde894916e95a940547cf5513864667f04aee1f

SHA512
a1c1a4dc1e618eff083ca6f27f4ba5d8e9a4adc85857a09ec7641d8d5267046471d6ae328239223dafda3a3fa302e446cdb1f29aafb96c8c2d5f13aeb0c8e1c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\wIEy.ico

Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\wUIc.exe

Filesize
110KB

MD5
0d11ea75726b4b513fb1e82b3d10c977

SHA1
542dd6e1afa598d2a75958e60c23d3c216719adf

SHA256
38ee1519d0094bb58cda27fe1d374532fcd238e703f4ef11afdddf451223b6a5

SHA512
b0f5bad4547775fbc1401238b083d7c8acc42413587c1dee7ee39839a405f1780448f773d61b70fa16c6e3ee0686bbf682fe5d88edbd15a2e117f5b7cc211537

Download Submit
C:\Users\Admin\AppData\Local\Temp\xAYsEQkc.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\ycUi.exe

Filesize
149KB

MD5
d35a24b930b2e06479f02bf7d5998f1a

SHA1
d274bc106a52c65a6dcc3852f3c24c4c2108b96e

SHA256
73a15bd01ae059009d0d88f1e7dc7bd015587cdc75e41303dce1c04001ca4ed3

SHA512
c59c4c389de8555c917976853e95be4d13edd1469cea0218e78253d4cf780b54c4a716874fa72de24df607344286d56a79a0583e96afd4ab71093e7d4a71bd63

Download Submit
C:\Users\Admin\AppData\Local\Temp\ygUy.exe

Filesize
112KB

MD5
25294bb488d3fa047f4166d2b8262149

SHA1
b1c31c29f4d406c42e0eed1da4b4649c327d6bcb

SHA256
b2f7c99b7d5422e59a5852d17beb58fe42deb96642e9b02024e15fb377ee45c9

SHA512
d037fa18813b259ac34242520cf9182aa8cf650c6907f7ffa3ba1c84703a1d8b2a244ec31d4051dc0d9ae980a05cd4aac5e17834b0469161d89304a7ded54a62

Download Submit
C:\Users\Admin\AppData\Local\Temp\yswO.exe

Filesize
556KB

MD5
9b2e1c2d93883415c7d81b570e28e077

SHA1
c626340057e036be4787a1d527a6d651f299904a

SHA256
9af2b95850640caaa7555911042095600442fb18c6587cb6cc432651c0e3ca0b

SHA512
94d9ee068202c48acdecf044b19e82e3acd0e5742993a42870982d97866359ffc0baab383853489d579119efd7f1ab667dcadaeacd9a75cdd5ed3467f28ed509

Download Submit
C:\Users\Admin\AppData\Roaming\DebugUnblock.mp3.exe

Filesize
1.1MB

MD5
d966728a0423f48ae6255de1a84a0309

SHA1
9faf312621762c07cd38fee6bf5fda6d2809d0a2

SHA256
23927f3812abbfe595d1c0354c9db14846bb75e96a6384b7b240191607081b0d

SHA512
7fd5a49f7443f99793b3e0cf9525a7dd53fb879b1dd46392da1a0ee13c6436b6011f9bc09d2b6c828fa7f80417972e3ae8d78bc43ecaa7f3ada78e832f8908ac

Download Submit
C:\Users\Admin\BcYUwksU\AiwwAMsY.exe

Filesize
108KB

MD5
9409cc1225143e10c99d4d2a7b1dcac8

SHA1
318b92ebaa0de5c3e62b0f0606c09401559656d2

SHA256
b59c0e169026d6e917c45fa2c06fba5ebfed60cdb844596022cd716a0f622e20

SHA512
674cdb0ec6daebf9a906ac68a31c513114c6835c5880dc6cae06311fbadd9a9306372ace46c6a1f9843d264fbb49135644152a624eedc52e208da67141c6f473

Download Submit
C:\Users\Admin\Music\ResumeUnregister.wma.exe

Filesize
810KB

MD5
257224f2e99f14882c6bc5e26721b53d

SHA1
dd2851172170754ba64ca32640b9dab80d7a40bb

SHA256
a31384c8a8344c3d7de47513188f568441d226392fe8fbea2c9b49b822494c0f

SHA512
9976f8abee4c7b72adb15749e3f4a0581fb28afce4e69382512b1863b63863361d5a3ec3736cc933c61112263dfef1772d4f839481dcf3667aa7dbccd4844290

Download Submit
memory/228-424-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/384-1125-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/384-141-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/436-19-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/436-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/448-230-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/592-392-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/704-265-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/704-465-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/856-408-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/924-441-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1112-1857-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1112-1790-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1224-41-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1248-30-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1348-289-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1352-359-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1352-368-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1404-1061-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1572-1420-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1576-358-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1576-350-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1592-425-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1592-433-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1644-384-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1724-273-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1736-63-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1756-1316-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1772-473-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1824-882-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1868-14-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1896-1484-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2012-349-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2012-341-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2060-512-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2160-1794-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2160-1738-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2260-249-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2296-52-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2316-1485-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2316-1563-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2316-1907-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2468-576-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2476-96-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2556-257-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2592-219-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2856-627-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2904-416-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2924-197-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2944-85-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2972-1239-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2972-1185-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2976-130-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3036-690-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3036-609-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3056-400-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3056-74-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3120-449-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3148-364-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3148-376-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3168-929-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3168-1011-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3280-740-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3480-881-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3480-947-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3516-108-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3516-97-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3572-152-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3576-1627-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3604-805-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3684-489-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3752-15-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/3848-1922-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3848-1972-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3864-332-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3864-340-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3928-241-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3944-481-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3944-314-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3960-175-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4020-1705-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4088-164-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4088-153-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4156-186-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4408-323-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4408-315-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4452-119-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4468-1756-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4500-457-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4540-297-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4556-331-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4772-306-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4772-298-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4808-208-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4840-281-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5112-1189-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download