3b91d82a5858cdecbb1a108570b061ddc81b79910f0e19c08e7a984c7f0c32b7

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13-10-2024 16:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
Size

140KB
MD5

ad7bb4d0b054545954fcdec26bf7bf7d
SHA1

bc046bf7bce6a468fbc1758c0bc726fef522e232
SHA256

3b91d82a5858cdecbb1a108570b061ddc81b79910f0e19c08e7a984c7f0c32b7
SHA512

0d2b3d3703cafaa334b7b1021e8f78e058633284d704cff0c9aafdcc2a234fb7034d06d3b827e3d112f9a20ca094fe641bf55989c303bf053f28078b36d46697
SSDEEP

3072:CBehCANLxmj42ycaA3NSUp7TndGfR89B+/2K4Ka:CBwj32ycaA3N/pc58v+/2K4Ka

Score

10^/10

discovery evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found

Renames multiple (56) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Blocklisted process makes network request 5 IoCs

flow	pid	Process
28	3064	Process not Found
32	3064	Process not Found
34	3064	Process not Found
36	3064	Process not Found
38	3064	Process not Found

Executes dropped EXE 3 IoCs

pid	Process
2032	EyMcAQYM.exe
456	SQQwMQgo.exe
4264	EyMcAQYM.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EyMcAQYM.exe = "C:\\Users\\Admin\\JIIYgsEw\\EyMcAQYM.exe"	2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EyMcAQYM.exe = "C:\\Users\\Admin\\JIIYgsEw\\EyMcAQYM.exe"	EyMcAQYM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EyMcAQYM.exe = "C:\\Users\\Admin\\JIIYgsEw\\EyMcAQYM.exe"	2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SQQwMQgo.exe = "C:\\ProgramData\\lsIMUYgY\\SQQwMQgo.exe"	2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EyMcAQYM.exe = "C:\\Users\\Admin\\JIIYgsEw\\EyMcAQYM.exe"	EyMcAQYM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SQQwMQgo.exe = "C:\\ProgramData\\lsIMUYgY\\SQQwMQgo.exe"	SQQwMQgo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GuUUsMMU.exe = "C:\\Users\\Admin\\FIkcAwsM\\GuUUsMMU.exe"	2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\aoEsQswU.exe = "C:\\ProgramData\\BqowMcYg\\aoEsQswU.exe"	2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
1692	3488	WerFault.exe	785
4236	2756	WerFault.exe	784
4088	2032	WerFault.exe	86

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
3180	Process not Found
3968	Process not Found
412	reg.exe
3168	reg.exe
4100	Process not Found
2924	Process not Found
384	Process not Found
608	Process not Found
3376	reg.exe
5052	reg.exe
3644	reg.exe
2056	Process not Found
2640	Process not Found
5032	Process not Found
2752	Process not Found
3452	Process not Found
3988	reg.exe
1520	Process not Found
2260	reg.exe
1968	reg.exe
916	Process not Found
2252	Process not Found
1560	reg.exe
4372	Process not Found
3168	reg.exe
832	reg.exe
4820	Process not Found
4620	Process not Found
1416	Process not Found
2376	Process not Found
3720	Process not Found
872	reg.exe
2924	reg.exe
2040	reg.exe
2640	Process not Found
2824	reg.exe
4876	Process not Found
244	Process not Found
3140	Process not Found
4840	Process not Found
2668	Process not Found
3840	Process not Found
4664	Process not Found
2352	Process not Found
4836	Process not Found
2872	reg.exe
2176	reg.exe
3240	reg.exe
3944	Process not Found
1356	Process not Found
3492	Process not Found
4972	Process not Found
1872	reg.exe
1884	Process not Found
4828	Process not Found
2196	Process not Found
5108	Process not Found
2452	reg.exe
1688	Process not Found
3108	Process not Found
2600	Process not Found
4672	Process not Found
3936	reg.exe
744	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1996	2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
1996	2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
1996	2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
1996	2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
3964	2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
3964	2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
3964	2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
3964	2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
3936	2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
3936	2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
3936	2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
3936	2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
2116	2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
2116	2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
2116	2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
2116	2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
3100	2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
3100	2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
3100	2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
3100	2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
8	2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
8	2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
8	2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
8	2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
1396	2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
1396	2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
1396	2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
1396	2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
1940	2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
1940	2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
1940	2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
1940	2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
1660	2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
1660	2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
1660	2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
1660	2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
2444	2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
2444	2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
2444	2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
2444	2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
1924	2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
1924	2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
1924	2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
1924	2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
1448	2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
1448	2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
1448	2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
1448	2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
228	2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
228	2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
228	2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
228	2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
4616	2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
4616	2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
4616	2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
4616	2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
1060	2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
1060	2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
1060	2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
1060	2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
3972	2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
3972	2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
3972	2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
3972	2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1996 wrote to memory of 2032	1996	2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe	86
PID 1996 wrote to memory of 2032	1996	2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe	86
PID 1996 wrote to memory of 2032	1996	2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe	86
PID 1996 wrote to memory of 456	1996	2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe	87
PID 1996 wrote to memory of 456	1996	2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe	87
PID 1996 wrote to memory of 456	1996	2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe	87
PID 1996 wrote to memory of 1992	1996	2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe	88
PID 1996 wrote to memory of 1992	1996	2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe	88
PID 1996 wrote to memory of 1992	1996	2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe	88
PID 1996 wrote to memory of 2636	1996	2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe	90
PID 1996 wrote to memory of 2636	1996	2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe	90
PID 1996 wrote to memory of 2636	1996	2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe	90
PID 1996 wrote to memory of 4060	1996	2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe	91
PID 1996 wrote to memory of 4060	1996	2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe	91
PID 1996 wrote to memory of 4060	1996	2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe	91
PID 1996 wrote to memory of 1832	1996	2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe	92
PID 1996 wrote to memory of 1832	1996	2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe	92
PID 1996 wrote to memory of 1832	1996	2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe	92
PID 1996 wrote to memory of 1404	1996	2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe	93
PID 1996 wrote to memory of 1404	1996	2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe	93
PID 1996 wrote to memory of 1404	1996	2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe	93
PID 1992 wrote to memory of 3964	1992	cmd.exe	98
PID 1992 wrote to memory of 3964	1992	cmd.exe	98
PID 1992 wrote to memory of 3964	1992	cmd.exe	98
PID 1404 wrote to memory of 224	1404	cmd.exe	99
PID 1404 wrote to memory of 224	1404	cmd.exe	99
PID 1404 wrote to memory of 224	1404	cmd.exe	99
PID 3964 wrote to memory of 112	3964	2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe	100
PID 3964 wrote to memory of 112	3964	2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe	100
PID 3964 wrote to memory of 112	3964	2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe	100
PID 112 wrote to memory of 3936	112	cmd.exe	102
PID 112 wrote to memory of 3936	112	cmd.exe	102
PID 112 wrote to memory of 3936	112	cmd.exe	102
PID 3964 wrote to memory of 3828	3964	2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe	103
PID 3964 wrote to memory of 3828	3964	2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe	103
PID 3964 wrote to memory of 3828	3964	2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe	103
PID 3964 wrote to memory of 3744	3964	2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe	104
PID 3964 wrote to memory of 3744	3964	2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe	104
PID 3964 wrote to memory of 3744	3964	2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe	104
PID 3964 wrote to memory of 4176	3964	2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe	105
PID 3964 wrote to memory of 4176	3964	2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe	105
PID 3964 wrote to memory of 4176	3964	2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe	105
PID 3964 wrote to memory of 1972	3964	2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe	106
PID 3964 wrote to memory of 1972	3964	2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe	106
PID 3964 wrote to memory of 1972	3964	2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe	106
PID 1972 wrote to memory of 4088	1972	cmd.exe	111
PID 1972 wrote to memory of 4088	1972	cmd.exe	111
PID 1972 wrote to memory of 4088	1972	cmd.exe	111
PID 3936 wrote to memory of 4104	3936	2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe	112
PID 3936 wrote to memory of 4104	3936	2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe	112
PID 3936 wrote to memory of 4104	3936	2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe	112
PID 4104 wrote to memory of 2116	4104	cmd.exe	114
PID 4104 wrote to memory of 2116	4104	cmd.exe	114
PID 4104 wrote to memory of 2116	4104	cmd.exe	114
PID 3936 wrote to memory of 3488	3936	2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe	115
PID 3936 wrote to memory of 3488	3936	2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe	115
PID 3936 wrote to memory of 3488	3936	2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe	115
PID 3936 wrote to memory of 4976	3936	2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe	116
PID 3936 wrote to memory of 4976	3936	2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe	116
PID 3936 wrote to memory of 4976	3936	2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe	116
PID 3936 wrote to memory of 872	3936	2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe	117
PID 3936 wrote to memory of 872	3936	2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe	117
PID 3936 wrote to memory of 872	3936	2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe	117
PID 3936 wrote to memory of 4376	3936	2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe	118

C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1996
- C:\Users\Admin\JIIYgsEw\EyMcAQYM.exe
  "C:\Users\Admin\JIIYgsEw\EyMcAQYM.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2032
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2032 -s 1292
    3⤵
    - Program crash
    PID:4088
- C:\ProgramData\lsIMUYgY\SQQwMQgo.exe
  "C:\ProgramData\lsIMUYgY\SQQwMQgo.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:456
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1992
- - C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
    C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3964
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:112
    - - C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3936
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4104
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"
        8⤵
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"
        10⤵
        
        PID:2028
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:8
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"
        12⤵
        
        PID:3976
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"
        14⤵
        
        PID:3688
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"
        16⤵
        
        PID:3668
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"
        18⤵
        
        PID:2936
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"
        20⤵
        
        PID:1744
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"
        22⤵
        
        PID:3840
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"
        24⤵
        
        PID:880
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"
        26⤵
        
        PID:4052
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"
        28⤵
        
        PID:2280
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"
        30⤵
        
        PID:4432
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"
        32⤵
        
        PID:4060
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
        33⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"
        34⤵
        
        PID:916
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
        35⤵
        
        PID:368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"
        36⤵
        
        PID:3064
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
        37⤵
        
        PID:912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"
        38⤵
        
        PID:3012
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
        39⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"
        40⤵
        
        PID:2996
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
        41⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"
        42⤵
        
        PID:4372
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
        43⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"
        44⤵
        
        PID:2028
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
        45⤵
        
        PID:1100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"
        46⤵
        
        PID:3684
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
        47⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"
        48⤵
        
        PID:4676
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
        49⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"
        50⤵
        
        PID:4476
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
        51⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"
        52⤵
        
        PID:4532
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
        53⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"
        54⤵
        
        PID:3024
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
        55⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"
        56⤵
        
        PID:4700
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
        57⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"
        58⤵
        
        PID:916
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
        59⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"
        60⤵
        
        PID:4624
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
        61⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"
        62⤵
        
        PID:3116
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
        63⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"
        64⤵
        
        PID:3680
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
        65⤵
        
        PID:3864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"
        66⤵
        
        PID:972
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
        67⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"
        68⤵
        
        PID:4856
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
        69⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"
        70⤵
        
        PID:2944
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
        71⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"
        72⤵
        
        PID:2236
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
        73⤵
        
        PID:4672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"
        74⤵
        
        PID:1716
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
        75⤵
        
        PID:316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"
        76⤵
        
        PID:4432
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
        77⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"
        78⤵
        
        PID:1288
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
        79⤵
        
        PID:1188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"
        80⤵
        
        PID:5008
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
        81⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"
        82⤵
        
        PID:4076
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
        83⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"
        84⤵
        
        PID:2924
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
        85⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"
        86⤵
        
        PID:2224
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
        87⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"
        88⤵
        
        PID:1356
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
        89⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"
        90⤵
        
        PID:3096
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
        91⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"
        92⤵
        
        PID:4544
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
        93⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"
        94⤵
        
        PID:804
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
        95⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"
        96⤵
        
        PID:2236
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
        97⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"
        98⤵
        
        PID:5012
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
        99⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"
        100⤵
        
        PID:2632
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
        101⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"
        102⤵
        
        PID:1368
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
        103⤵
        
        PID:544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"
        104⤵
        
        PID:744
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
        105⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"
        106⤵
        
        PID:608
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
        107⤵
        
        PID:3100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"
        108⤵
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
        109⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"
        110⤵
        
        PID:2092
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
        111⤵
        
        PID:3864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"
        112⤵
        
        PID:3976
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
        113⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"
        114⤵
        
        PID:3096
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
        115⤵
        
        PID:3168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"
        116⤵
        
        PID:4820
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
        117⤵
        Adds Run key to start application
        
        PID:2200
        
        C:\Users\Admin\FIkcAwsM\GuUUsMMU.exe
        
        "C:\Users\Admin\FIkcAwsM\GuUUsMMU.exe"
        118⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2756 -s 224
        119⤵
        Program crash
        
        PID:4236
        
        C:\ProgramData\BqowMcYg\aoEsQswU.exe
        
        "C:\ProgramData\BqowMcYg\aoEsQswU.exe"
        118⤵
        
        PID:3488
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3488 -s 224
        119⤵
        Program crash
        
        PID:1692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"
        118⤵
        
        PID:2064
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
        119⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"
        120⤵
        
        PID:4440
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
        121⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"
        122⤵
        
        PID:3044
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
        123⤵
        
        PID:880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"
        124⤵
        
        PID:1828
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
        125⤵
        
        PID:3300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"
        126⤵
        
        PID:3840
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
        127⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"
        128⤵
        
        PID:2096
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
        129⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"
        130⤵
        
        PID:3972
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
        131⤵
        System Location Discovery: System Language Discovery
        
        PID:1564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"
        132⤵
        
        PID:728
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
        133⤵
        
        PID:3460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"
        134⤵
        
        PID:760
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
        135⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"
        136⤵
        
        PID:4660
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
        137⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"
        138⤵
        
        PID:3520
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
        139⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"
        140⤵
        
        PID:3596
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
        141⤵
        
        PID:808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"
        142⤵
        
        PID:832
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
        143⤵
        
        PID:728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"
        144⤵
        
        PID:4004
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
        145⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"
        146⤵
        
        PID:3488
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
        147⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"
        148⤵
        
        PID:4588
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
        149⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"
        150⤵
        
        PID:4672
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
        151⤵
        
        PID:4156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"
        152⤵
        
        PID:4300
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
        153⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"
        154⤵
        System Location Discovery: System Language Discovery
        
        PID:4404
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
        155⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"
        156⤵
        
        PID:3808
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
        157⤵
        
        PID:3372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"
        158⤵
        
        PID:228
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
        159⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"
        160⤵
        
        PID:1832
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
        161⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"
        162⤵
        
        PID:4084
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
        163⤵
        
        PID:316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"
        164⤵
        
        PID:4264
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
        165⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"
        166⤵
        
        PID:404
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
        167⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"
        168⤵
        
        PID:2328
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
        169⤵
        
        PID:972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"
        170⤵
        
        PID:4144
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
        171⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"
        172⤵
        
        PID:764
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        173⤵
        
        PID:4676
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
        173⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"
        174⤵
        
        PID:2924
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
        175⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"
        176⤵
        
        PID:3372
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
        177⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"
        178⤵
        
        PID:3352
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
        179⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"
        180⤵
        
        PID:1924
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
        181⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"
        182⤵
        
        PID:2236
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        183⤵
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
        183⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"
        184⤵
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
        185⤵
        
        PID:3488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"
        186⤵
        
        PID:3384
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
        187⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"
        188⤵
        
        PID:2116
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
        189⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"
        190⤵
        
        PID:884
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
        191⤵
        
        PID:3376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"
        192⤵
        
        PID:3044
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        193⤵
        
        PID:4992
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
        193⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"
        194⤵
        
        PID:4836
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
        195⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"
        196⤵
        
        PID:1320
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
        197⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"
        198⤵
        
        PID:4764
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
        199⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"
        200⤵
        
        PID:1288
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
        201⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"
        202⤵
        
        PID:1924
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
        203⤵
        
        PID:964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"
        204⤵
        
        PID:3116
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        205⤵
        
        PID:2236
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
        205⤵
        
        PID:1876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"
        206⤵
        
        PID:3512
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        207⤵
        
        PID:2292
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
        207⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"
        208⤵
        
        PID:4620
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        209⤵
        
        PID:4520
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
        209⤵
        
        PID:3488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"
        210⤵
        
        PID:2100
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
        211⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"
        212⤵
        
        PID:1940
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
        213⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"
        214⤵
        
        PID:3964
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
        215⤵
        
        PID:4188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"
        216⤵
        
        PID:4332
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
        217⤵
        
        PID:440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"
        218⤵
        
        PID:4644
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
        219⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"
        220⤵
        
        PID:3076
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
        221⤵
        Adds Run key to start application
        
        PID:1804
        
        C:\Users\Admin\JIIYgsEw\EyMcAQYM.exe
        
        "C:\Users\Admin\JIIYgsEw\EyMcAQYM.exe"
        222⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:4264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"
        222⤵
        
        PID:3316
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
        223⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"
        224⤵
        
        PID:3064
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
        225⤵
        
        PID:1876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"
        226⤵
        
        PID:3408
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
        227⤵
        
        PID:4180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"
        228⤵
        
        PID:1872
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
        229⤵
        
        PID:4620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"
        230⤵
        
        PID:2380
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
        231⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"
        232⤵
        
        PID:636
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
        233⤵
        
        PID:3384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"
        234⤵
        
        PID:3112
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        235⤵
        
        PID:4384
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
        235⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"
        236⤵
        
        PID:3968
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
        237⤵
        
        PID:3236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"
        238⤵
        
        PID:856
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
        239⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"
        240⤵
        
        PID:3528
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
        241⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"
        242⤵
        
        PID:4068
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        243⤵
        
        PID:1500
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
        243⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"
        244⤵
        
        PID:1236
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        245⤵
        
        PID:5028
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
        245⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"
        246⤵
        
        PID:4856
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
        247⤵
        
        PID:540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"
        248⤵
        
        PID:2060
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
        249⤵
        
        PID:3516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"
        250⤵
        
        PID:5024
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
        251⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"
        252⤵
        
        PID:4556
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
        253⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"
        254⤵
        
        PID:3108
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        255⤵
        
        PID:4644
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
        255⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"
        256⤵
        
        PID:608
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
        257⤵
        
        PID:3376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"
        258⤵
        
        PID:2668
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
        259⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"
        260⤵
        System Location Discovery: System Language Discovery
        
        PID:3668
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
        261⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"
        262⤵
        
        PID:2028
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
        263⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"
        264⤵
        
        PID:1100
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
        265⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"
        266⤵
        
        PID:2300
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        267⤵
        
        PID:636
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
        267⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"
        268⤵
        
        PID:1132
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
        269⤵
        
        PID:388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"
        270⤵
        
        PID:1096
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
        271⤵
        
        PID:540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"
        272⤵
        
        PID:220
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
        273⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"
        274⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        272⤵
        Modifies registry key
        
        PID:832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        272⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        272⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LWQIwMoQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe""
        272⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        273⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        270⤵
        
        PID:1356
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        271⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        270⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        270⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dEwYMsIc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe""
        270⤵
        
        PID:4088
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        271⤵
        
        PID:3368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        268⤵
        
        PID:808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        268⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        268⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QAwIkEUg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe""
        268⤵
        
        PID:3468
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        269⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        266⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        266⤵
        
        PID:3352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        266⤵
        
        PID:3684
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        267⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GcwIcoQE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe""
        266⤵
        
        PID:3808
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        267⤵
        
        PID:1364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        264⤵
        
        PID:3452
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        265⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        264⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        264⤵
        
        PID:400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GIMIYosE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe""
        264⤵
        System Location Discovery: System Language Discovery
        
        PID:1884
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        265⤵
        
        PID:912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        262⤵
        
        PID:640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        262⤵
        
        PID:3152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        262⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\swscMEwc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe""
        262⤵
        
        PID:3552
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        263⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        260⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        260⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        260⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JOEgcoAU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe""
        260⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        261⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        258⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        258⤵
        
        PID:3640
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        259⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        258⤵
        
        PID:672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bswQYcgU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe""
        258⤵
        
        PID:1792
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        259⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        259⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        256⤵
        
        PID:4528
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        257⤵
        
        PID:4188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        256⤵
        
        PID:4268
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        257⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        256⤵
        
        PID:1460
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        257⤵
        
        PID:3316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RccQAYYs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe""
        256⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        257⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        254⤵
        
        PID:1264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        254⤵
        
        PID:3744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        254⤵
        
        PID:1892
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        255⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UsMQMoIY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe""
        254⤵
        
        PID:5008
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        255⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        255⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        252⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        252⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        252⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\awoQkoUQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe""
        252⤵
        
        PID:1100
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        253⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        250⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        250⤵
        
        PID:2584
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        251⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        250⤵
        
        PID:3196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\msQYAYEI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe""
        250⤵
        
        PID:2640
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        251⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        251⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        248⤵
        
        PID:4764
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        249⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        248⤵
        
        PID:4760
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        249⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        248⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vmIIwQgg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe""
        248⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        249⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        246⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        246⤵
        
        PID:1828
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        247⤵
        
        PID:3180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        246⤵
        
        PID:1364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HYMccQAw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe""
        246⤵
        
        PID:3668
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        247⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        247⤵
        
        PID:1060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        244⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        244⤵
        
        PID:4700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        244⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XAgcoUMk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe""
        244⤵
        
        PID:1516
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        245⤵
        
        PID:3384
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        245⤵
        
        PID:4528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        242⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        242⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        242⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FuAcUkIQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe""
        242⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        243⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        240⤵
        Modifies registry key
        
        PID:1968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        240⤵
        System Location Discovery: System Language Discovery
        
        PID:2216
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        241⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        240⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cOcgcsQk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe""
        240⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        241⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        238⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4440
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        239⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        238⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        238⤵
        System Location Discovery: System Language Discovery
        
        PID:440
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        239⤵
        
        PID:3680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IQAcAoAE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe""
        238⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        239⤵
        
        PID:232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        236⤵
        Modifies registry key
        
        PID:3240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        236⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        236⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\quoowYEs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe""
        236⤵
        
        PID:312
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        237⤵
        
        PID:4164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        234⤵
        
        PID:3808
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        235⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        234⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        234⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XYsAIkoE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe""
        234⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        235⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        232⤵
        Modifies registry key
        
        PID:3168
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        233⤵
        
        PID:884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        232⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        232⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lWMwckEc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe""
        232⤵
        
        PID:1560
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        233⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        233⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        230⤵
        
        PID:4004
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        231⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        230⤵
        
        PID:4104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        230⤵
        UAC bypass
        
        PID:4704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JUAMksIg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe""
        230⤵
        
        PID:3788
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        231⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        228⤵
        Modifies registry key
        
        PID:2176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        228⤵
        
        PID:3528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        228⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SwEccIMw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe""
        228⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        229⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        226⤵
        Modifies registry key
        
        PID:2872
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        227⤵
        
        PID:672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        226⤵
        
        PID:832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        226⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mmEcYgwM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe""
        226⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        227⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        224⤵
        
        PID:2668
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        225⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        224⤵
        
        PID:3180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        224⤵
        
        PID:540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AMkUYosA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe""
        224⤵
        
        PID:3536
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        225⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        222⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        222⤵
        Modifies registry key
        
        PID:3936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        222⤵
        
        PID:1188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OEcQcIwI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe""
        222⤵
        
        PID:4232
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        223⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        220⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5028
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        221⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        220⤵
        
        PID:220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        220⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GQQIUUsY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe""
        220⤵
        
        PID:4924
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        221⤵
        
        PID:964
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        221⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        218⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        218⤵
        
        PID:3516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        218⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hOAwckAA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe""
        218⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        219⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        216⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        216⤵
        
        PID:4764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        216⤵
        
        PID:3096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZAkAQoAE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe""
        216⤵
        System Location Discovery: System Language Discovery
        
        PID:4176
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        217⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        214⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        214⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        214⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jgYwAIAg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe""
        214⤵
        
        PID:3968
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        215⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        215⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        212⤵
        
        PID:3168
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        212⤵
        
        PID:1188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        212⤵
        
        PID:608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IwEMsIUU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe""
        212⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        213⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        210⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        210⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        210⤵
        UAC bypass
        
        PID:1804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IIAMkUwc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe""
        210⤵
        
        PID:4104
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        211⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        211⤵
        
        PID:3744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        208⤵
        Modifies registry key
        
        PID:2452
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        209⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        208⤵
        
        PID:3368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        208⤵
        
        PID:4928
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        209⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GCsoMkkE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe""
        208⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        209⤵
        
        PID:1300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        206⤵
        Modifies registry key
        
        PID:744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        206⤵
        
        PID:2176
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        207⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        206⤵
        UAC bypass
        
        PID:3852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EmoIcswY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe""
        206⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        207⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        204⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        204⤵
        
        PID:5052
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        205⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        204⤵
        System Location Discovery: System Language Discovery
        
        PID:1308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RuQYMQYM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe""
        204⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        205⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        202⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        202⤵
        
        PID:316
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        203⤵
        
        PID:4700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        202⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lmQsUMkk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe""
        202⤵
        
        PID:4456
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        203⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        203⤵
        
        PID:3384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        200⤵
        Modifies registry key
        
        PID:1872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        200⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        200⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vGMYYIcM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe""
        200⤵
        
        PID:912
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        201⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        201⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        198⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        198⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        198⤵
        
        PID:388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hUcgwMgw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe""
        198⤵
        
        PID:3368
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        199⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        196⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        196⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        196⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\swgcMgcY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe""
        196⤵
        
        PID:3412
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        197⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        194⤵
        
        PID:2196
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        195⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        194⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        194⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cugogswE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe""
        194⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        195⤵
        
        PID:672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        192⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        192⤵
        
        PID:916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        192⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZCEwscwE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe""
        192⤵
        
        PID:3680
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        193⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        190⤵
        
        PID:540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        190⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        190⤵
        UAC bypass
        
        PID:1832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LWMkocoI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe""
        190⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        191⤵
        
        PID:1356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        188⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        188⤵
        System Location Discovery: System Language Discovery
        
        PID:2596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        188⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LkkosIkQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe""
        188⤵
        
        PID:2480
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        189⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        189⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        186⤵
        
        PID:3352
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        187⤵
        
        PID:3820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        186⤵
        
        PID:3344
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        187⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        186⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QUUMEwcA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe""
        186⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        187⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        184⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        184⤵
        
        PID:3452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        184⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EiEUAwkk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe""
        184⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        185⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        182⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        182⤵
        
        PID:3412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        182⤵
        UAC bypass
        
        PID:4436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OekogwUM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe""
        182⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        183⤵
        
        PID:4700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        180⤵
        
        PID:964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        180⤵
        
        PID:3820
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        181⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        180⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oiQwMsUE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe""
        180⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        181⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        178⤵
        
        PID:3052
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        179⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        178⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        178⤵
        UAC bypass
        
        PID:2328
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        179⤵
        
        PID:228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pioIscgI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe""
        178⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        179⤵
        
        PID:3368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        176⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        176⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        176⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vUIMUEcI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe""
        176⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        177⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        174⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        174⤵
        
        PID:832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        174⤵
        
        PID:2040
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        175⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HasgUQQs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe""
        174⤵
        
        PID:3212
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        175⤵
        
        PID:760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        172⤵
        
        PID:3680
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        173⤵
        
        PID:3852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        172⤵
        
        PID:3316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        172⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\liYQcUkI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe""
        172⤵
        
        PID:3864
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        173⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        170⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        170⤵
        
        PID:3408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        170⤵
        UAC bypass
        
        PID:2096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ecIoIEkI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe""
        170⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        171⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        168⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        168⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        168⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QiAAsUAk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe""
        168⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        169⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        166⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        166⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        166⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MGMMYMYw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe""
        166⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        167⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        164⤵
        Modifies registry key
        
        PID:2040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        164⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        164⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fQokMcQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe""
        164⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        165⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        162⤵
        
        PID:4676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        162⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        162⤵
        
        PID:3316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zQscQMck.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe""
        162⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        163⤵
        
        PID:3852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        160⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        160⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        160⤵
        UAC bypass
        
        PID:556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XEwsAUwM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe""
        160⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        161⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        158⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        158⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        158⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ISsokkos.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe""
        158⤵
        
        PID:860
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        159⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        156⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        156⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        156⤵
        
        PID:1344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\emQwgMYQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe""
        156⤵
        
        PID:220
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        157⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        154⤵
        
        PID:3416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        154⤵
        
        PID:544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        154⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yGMgYUUM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe""
        154⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        155⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        152⤵
        
        PID:3864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        152⤵
        
        PID:3852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        152⤵
        UAC bypass
        
        PID:728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NMkwAkwA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe""
        152⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        153⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        150⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        150⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        150⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vSYYcAYc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe""
        150⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        151⤵
        System Location Discovery: System Language Discovery
        
        PID:1828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        148⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        148⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        148⤵
        
        PID:4368
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        149⤵
        
        PID:388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NeosMEgs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe""
        148⤵
        
        PID:808
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        149⤵
        
        PID:916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        146⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        146⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        146⤵
        
        PID:3372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PkssYcoU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe""
        146⤵
        
        PID:1460
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        147⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        144⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        144⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        144⤵
        
        PID:1068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gcYIMsoY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe""
        144⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        145⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        142⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        142⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        142⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oUQwcQkA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe""
        142⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        143⤵
        
        PID:3096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        140⤵
        Modifies registry key
        
        PID:2260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        140⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        140⤵
        UAC bypass
        
        PID:2424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MSEIUYcc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe""
        140⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        141⤵
        
        PID:388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        138⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        138⤵
        
        PID:3212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        138⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fwIcsUIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe""
        138⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        139⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        136⤵
        
        PID:3840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        136⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        136⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZoAgkQkk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe""
        136⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        137⤵
        
        PID:264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        134⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        134⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        134⤵
        
        PID:3168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NwwMkIUY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe""
        134⤵
        
        PID:384
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        135⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        132⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        132⤵
        
        PID:3516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        132⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NsIIkcwc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe""
        132⤵
        
        PID:864
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        133⤵
        System Location Discovery: System Language Discovery
        
        PID:4456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        Modifies registry key
        
        PID:2924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UkcQAAUg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe""
        130⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        131⤵
        
        PID:3680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        
        PID:964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        
        PID:764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QsgcIEQw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe""
        128⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        129⤵
        
        PID:4104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iuskEskY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe""
        126⤵
        
        PID:3456
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        
        PID:636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FIUgkYAE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe""
        124⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xIgkEccU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe""
        122⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        
        PID:264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        
        PID:3352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        UAC bypass
        
        PID:4944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HAQsIIAI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe""
        120⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        
        PID:412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ekwQAYYc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe""
        118⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:4452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QCAcwQgE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe""
        116⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        UAC bypass
        
        PID:860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AEgYIYIU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe""
        114⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        
        PID:748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tEsYgkIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe""
        112⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BqUwMAQE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe""
        110⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        Modifies registry key
        
        PID:2824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BEUIcwcI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe""
        108⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        System Location Discovery: System Language Discovery
        
        PID:1320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        
        PID:1396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cwkggUAE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe""
        106⤵
        System Location Discovery: System Language Discovery
        
        PID:1060
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UgIoUAEU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe""
        104⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        System Location Discovery: System Language Discovery
        
        PID:2412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        Modifies visibility of file extensions in Explorer
        
        PID:404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iuMYYows.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe""
        102⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bEAIcEQA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe""
        100⤵
        
        PID:3516
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:3152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LKQMgsAY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe""
        98⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZEUMAcwg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe""
        96⤵
        
        PID:4452
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        
        PID:1124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IMAgEgcw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe""
        94⤵
        
        PID:4156
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        
        PID:1388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CoYkoYcM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe""
        92⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        System Location Discovery: System Language Discovery
        
        PID:4180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        UAC bypass
        
        PID:376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sEkwQQwY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe""
        90⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PWEUIgII.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe""
        88⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:3184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xgcYoQok.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe""
        86⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        
        PID:640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        
        PID:3236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nksIUkws.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe""
        84⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        
        PID:1124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FQgQcskQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe""
        82⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        
        PID:3376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YwYAYcAU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe""
        80⤵
        
        PID:4164
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        
        PID:880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OCIUQMoM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe""
        78⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        
        PID:3452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OacYMMAE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe""
        76⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        
        PID:116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TQMYoUQs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe""
        74⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:64
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JickkYUY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe""
        72⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        
        PID:3468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hccAUEYs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe""
        70⤵
        
        PID:4664
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pqAwcYEQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe""
        68⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3168
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        
        PID:1252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gKkYEQYo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe""
        66⤵
        
        PID:3552
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mKwgowsU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe""
        64⤵
        
        PID:3180
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        
        PID:3236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GCIIAAIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe""
        62⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        
        PID:3488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gygAQQgQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe""
        60⤵
        
        PID:3668
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        Modifies registry key
        
        PID:3376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XCQMMwUY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe""
        58⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:1288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JMsgAIsg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe""
        56⤵
        
        PID:860
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:4164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        
        PID:3452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        
        PID:3512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JYAIIAkk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe""
        54⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        
        PID:3412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IsQsQUcw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe""
        52⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        
        PID:4672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        Modifies registry key
        
        PID:3644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KEIwgwcg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe""
        50⤵
        
        PID:316
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        
        PID:404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        
        PID:4744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        
        PID:220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AuEsoUoc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe""
        48⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        
        PID:376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        System Location Discovery: System Language Discovery
        
        PID:4856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LAswMYUs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe""
        46⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        
        PID:1252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        
        PID:4100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VWQckcEw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe""
        44⤵
        
        PID:3828
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        Modifies registry key
        
        PID:412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        Modifies registry key
        
        PID:5052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        
        PID:3872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HYAcEoAE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe""
        42⤵
        
        PID:1188
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:4144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AOIIcUgk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe""
        40⤵
        
        PID:4104
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\migkkYsc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe""
        38⤵
        
        PID:112
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        
        PID:1388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        
        PID:4088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cKAkwAEM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe""
        36⤵
        
        PID:1400
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        
        PID:860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        Modifies registry key
        
        PID:1560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        
        PID:3184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mscgIEos.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe""
        34⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        
        PID:116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:3460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        
        PID:3180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TCIEMkUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe""
        32⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        
        PID:3672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        
        PID:388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        
        PID:1216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PgIkEQgU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe""
        30⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        UAC bypass
        
        PID:2884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bcYYMcsA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe""
        28⤵
        System Location Discovery: System Language Discovery
        
        PID:3196
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:3352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        System Location Discovery: System Language Discovery
        
        PID:4384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        
        PID:4164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SwUAEQsY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe""
        26⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        UAC bypass
        
        PID:1876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OcksUoso.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe""
        24⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:3820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\egMUoUgo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe""
        22⤵
        
        PID:548
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        
        PID:4452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:4232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TaYogoAM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe""
        20⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:1188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        
        PID:4104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        
        PID:4876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PowAkMcc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe""
        18⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        
        PID:112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JCoEwcIc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe""
        16⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:3808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        Modifies registry key
        
        PID:3988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vckMgMwM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe""
        14⤵
        
        PID:4156
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:4088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GegAgEcI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe""
        12⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        
        PID:3140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cSoEQsko.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe""
        10⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YwMMMEcs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe""
        8⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:3384
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3488
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:4976
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        Modifies registry key
        
        PID:872
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hUckYIsw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe""
        6⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:3012
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:3828
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:3744
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:4176
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JykQMQwE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1972
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:4088
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:2636
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:4060
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:1832
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bQsUIUYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1404
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2756 -ip 2756
1⤵
PID:1696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3488 -ip 3488
1⤵
PID:1060

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2032 -ip 2032
1⤵
PID:3368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe

Filesize
762KB

MD5
fd95674b512c6bcb83610803f8b40635

SHA1
ca45a37bd1ff97b85005c2c4178a9a9017b8f192

SHA256
21e238c20dc7c6ca75d011265ee9c1779efbfc1bee659a8e4f206de4dd63556a

SHA512
ba39a3d72b2da136440cdf9556a0abd095664dfeb04d3e3474cb54071473f1ed06b9e87983385b9479b0d1401afea96c4ca0c4790d8487fbee27befd1ea689ca

Download Submit
C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\vcredist_x64.exe

Filesize
598KB

MD5
08de7018d877c2e31ec2103cf21bff90

SHA1
018079c19ccded8e021c648cb48350a4f81e52b2

SHA256
a87ef1f8f73b788b5ad6a46ddfaf476f9a81bc225714778f30469bb712c518cc

SHA512
a3fbb01904650625971bddfb523c47ceb6c87b0c74cc383d6e63e2313b230e84c26191269b0fc5331e0b40cb01b4666dfcc7605cc1c40e3e28a6cc9cb32163ba

Download Submit
C:\ProgramData\lsIMUYgY\SQQwMQgo.exe

Filesize
124KB

MD5
f06e8f4fb33d505d75bafa52d5234855

SHA1
8de1fc717bc7bd6ac7a7a0de043f505348b198e1

SHA256
e1b76f0ee94457d067e009ca7c62f29c87721ca8783945e3074cb9723629a695

SHA512
6c8f04b565f5ec48e6d043080929582581ce6fbb5fd7cd1a641bef6bf848b838190093300da0c1cfd979e2f2cd3cd2719a987969b7d06500f6944662d5f027c1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\192.png.exe

Filesize
140KB

MD5
e697437ca396cd5db94702d6c4437862

SHA1
80746fe0f3b21b44fc885e6631dd13555a06a2b9

SHA256
e36caa732b180a95a99c8bfdee168f49c55e52b77b955e90067427f53b2981b7

SHA512
fcc30d549674734c7848396e205ae32eb6c0cde0313fde67f9051b98b69ec7d53c79a6e2813c1eb0acf95e675f380bd85d90ae3f19bcb20723b4f91eb318d80e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\192.png.exe

Filesize
140KB

MD5
b86419cd16de73b93285bc8ebf146433

SHA1
e563c090d0498152a8009ef2590c6d8d52d3c3a6

SHA256
59daef203a301241cea326b7028017f5b6afc4b4dfd7c7f8d6c86867ca193a2e

SHA512
7682308d9f787e7a54bc654fec6d3d35a7f92fc3761b4fbbe3c73bf17c13d9ce5d37335afa6c85bee2e97b373687c3acb7789a1e15652aba28442bb596173e1a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons\128.png.exe

Filesize
144KB

MD5
e04df82104fd0a376cb5a2931838693b

SHA1
d60f8d6f147b2fcbe280eb3e5d64fd4d743f513d

SHA256
51631a97a3ffbbf5762a9365fb795cbb3004dcd7c168180e9ea6fea2c7ca6215

SHA512
cbb79ddb3c34e2e86f68b107021d34d52c7387756ab7c85fee717c95f281f0aabe7f6c572e44fd37434d3ad8e123a0acd318cb8d780b0af22f46d0776dd0b35f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppErrorWhite.png.exe

Filesize
150KB

MD5
ad47f31be567f73a5af7b85b895e4333

SHA1
cbb07df367a38f7fd435049935670d6750116283

SHA256
51e3a4781c300f38127bc521b8dff72a13f9a2905ade6bf9e2bfc6aac9535256

SHA512
6901d6208f558692c1e5114ec45d01855800b82a777de98fcb309af89db815593b7e28ebe33c8f70b9ea4e80cfead738cd68bf638fc6120e9b5275b4a3572035

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ScreenshotOptIn.gif.exe

Filesize
385KB

MD5
1448c53a757393c2983c2501a1889f24

SHA1
5317bfdcc8739b8c491e762f9b507cedf7409baa

SHA256
af17d1931cfb5b36f59509fee6fd40d4912aebb0644ce57e9d36842816c7ab27

SHA512
3dbbb907bd4733cf4187cb1d965b888ebb69b276b9d4f599ea51d09c0d790c80617c32974f025522d0eb398430f01c431c49f01c8ed1e52bbf3f17167c9862e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock

Filesize
7KB

MD5
52c4f9991ede014fd90d2543c6b40a24

SHA1
0759e5123de2ff08b84da1ba6ca88a67c3b147c6

SHA256
a51d958b716606ed8f62dd326f9b20428160ce29e6ca3a00c78115a080ccd025

SHA512
2d73eda77aaf20b8b9549375d9bdba70c1c1567248a3b1923ecb51244973f9cc9a4d5db0816ce97072371bf81d50f2f30bfcd29538a6e564c5c97cb69f01a4ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\AQoY.exe

Filesize
133KB

MD5
91395e2d9a1ab97a51e116db1955c3e8

SHA1
5bbe3e0bbdc6a52810e826ed0a9cb1850fbf9d78

SHA256
1292173b3403b945af22c51cd47e0640a96ea6c052fb13a10ed43a704478118e

SHA512
70174240bb9100e51b1e11bd26ca5bed706bf4a5e6e49836c753b5c02186bc1843070830a8a1f10335fdd4628908dd27d9ee5670fcb748af6173d54af5b7f985

Download Submit
C:\Users\Admin\AppData\Local\Temp\Awcs.exe

Filesize
136KB

MD5
02808adacbc6aa4875d46dd819863b65

SHA1
531ab37e557e8a305fa6e6a1d03031982811a16f

SHA256
ccc8f92772304f69be81feeb374998f334a26fd0224c8a7cedbdf977d9ec9421

SHA512
19e5384f4b43d1643939b83c028d3818439f0e6863e5dfb54d49ab2e510907d1dee806a844e7a8242662855c9dae7102c0f9b904fd4530cadeafe1bfe834df20

Download Submit
C:\Users\Admin\AppData\Local\Temp\CEsu.exe

Filesize
137KB

MD5
c94cf8c81f6c48f0556bc113389ffdc3

SHA1
f454b2d0e636a9f7c0dc7877d24647d1c6de33a5

SHA256
1406c2b325d373c74e1ba8e3ebe1e218a1f0a6fbc4f1fae8407fa42cefea5551

SHA512
df8d82591e203721fd856d920f24049d3d13bf3ff366d8c214032994f75981cc5cc35b6027154b0fa1642f1d8691a4ed466a2b19fe0b3a6175ee73086bba3803

Download Submit
C:\Users\Admin\AppData\Local\Temp\CUci.exe

Filesize
135KB

MD5
93f5c693278d20982ce609f1dcb9d47d

SHA1
aca457e0dfd2221a4210c39444f922bd69153363

SHA256
93e9efa321acd0bea7af95ab28bca3e1fbf711330af6dde4f5803bc2ee5098df

SHA512
dd895fc0fe2ac643a4006056e534ef4ece2c6c1ffca334f7ab10f16e28381de389215167b09355ca0498841e22ecc2885cc99a4809e643232ca3cf60b928bedd

Download Submit
C:\Users\Admin\AppData\Local\Temp\CYQg.exe

Filesize
129KB

MD5
72d1c0bb3fba9dc27ba14f245311e0f5

SHA1
b0c94923927313a8cbb2a746462bd5bfb6c1b974

SHA256
bce9a8c8d3b51e41d3bc504ee330bad4a14e31deb554110ab478a32092b2628c

SHA512
5841168e233765388ea43d854a9cad52ac296024a313e229f572d6207698b6cb05475f1737a3edb7fdc6b2d06ad26faecc8be0d110b78678978890043c1fbc3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\CcsA.exe

Filesize
134KB

MD5
ca1b2495230e3a8def8314b1dd301019

SHA1
9e34a8ed172dc0c47ab66221295a7165bf0eddc2

SHA256
22dc54079fd469cde2f9b970b42d32460f14d696594557769b939ba236a209a6

SHA512
b84fa0d24a603eee0537e0cc6e72bed38ff0d68e58e77d5e50944587e6817165720f920e471137d4dc1e13b2cff8be34deeddb8bced02786f1a9b75f456a74ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cgsw.exe

Filesize
749KB

MD5
d1e38fd39d51714fb4bd81d2eac98ea5

SHA1
9c6e53b608a3d3a59c70d6adf58603ab6a87a8f5

SHA256
67af85b8d79913669c4ecb0cc830aa042919be9eab4df21267c304ab32aea073

SHA512
a62e414f753d97544b96909193c1adb270f8bfed565b26e925f0010c944a168bdf971f7c9cdf7f05b71630b920e3513a6e85d1887182a2953fa5ade85373c36e

Download Submit
C:\Users\Admin\AppData\Local\Temp\EMoK.exe

Filesize
581KB

MD5
a6b61a33c6865cb385ae6e112fb55eac

SHA1
5742fb9af5b7cb59599bdea34439bce8164bc6ee

SHA256
f541fd7a196f9e07bd8e7297c5f1ea72544c3978405254a4369fda8dd485d7a8

SHA512
945e87c70283ae7824636a61e07b39181a9ccb86bf341fe48facc06b06f1bd9a171bb38e30f90b8dbed462345308189548b302a858f81608f7d3f3ba432026fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\EUIO.exe

Filesize
146KB

MD5
180395dffe3c156ec4ae064cc790fcd7

SHA1
8244b8c321e2b6c001bad879fb276f36f100c4b4

SHA256
933f957ae003750d236fdbf6b02ad1ba576414439fc383c85a06877f30510d8b

SHA512
5337627ffc6647bc04927be015d36f029b57b053189a45181bacdcba375cf84b95b3efba073539628590d92cf9fac80d4cd178078214753bc22c647234a84724

Download Submit
C:\Users\Admin\AppData\Local\Temp\EcYm.exe

Filesize
596KB

MD5
1b4ec7d4634979618ecd1d05df232595

SHA1
17346fcc8417656b7dbca4c15ac79482a7557762

SHA256
73a39e8706efa94ecff4f503495e5d211ee20be0ae5035a03b6b9bb8f0821f31

SHA512
fccf554e06fe555916c89b3c0f2dd047e217c8ac7097c65ff538ea17211b7f5af2f442ce061a780f910e9b5dd007e6d96f81ebf791046db77ad05679c797fe4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\EcoO.exe

Filesize
132KB

MD5
906a4e2325ce8e97e976d61609cf6ecc

SHA1
3c0d20f8cf2506a3991ef90918fd5d841fad9dcf

SHA256
4b8b6c960b6c47d37f2f6350c12ecaec6ccbf06ed9069b387b282da4d75c30b9

SHA512
5d0ddf531a5854f80d94a96d8991d486ca426187e4e4aeea55236e733e2a9129e61d5c4d65d69fd593e3454253ce2eaa5e3f54eee99f84544a1980bf8de172b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\EsYG.exe

Filesize
160KB

MD5
483d4a865a27e6acdcde970190446f24

SHA1
c356b0a815c5840d69790e2c5ff86ae86e0e027d

SHA256
a4180f2532c4f9ff00458d38c7e30bd0cc5905c1951a73d6305dafe12e8608ab

SHA512
2955d7dc12bc62edc269b5dce53e23a19506f61d9d7d1e94cfcfc0dce5cc73fb2b48a6c29a8cf671308fd1ad59c49abbb2a71fd862758daa8885c9be51d10cb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\GEcU.exe

Filesize
731KB

MD5
e2bbb259ac3f649ec109a668adaa3fc1

SHA1
308874f89da8333a4ebbfb510b3ac02f4d1a517d

SHA256
d925de426bded5090a47e53c5444598ddc9c513252ed5b39820c8835b82ca141

SHA512
8066875f0688049fb8a70628614aa4e33d458454809479fd8d803cd66c049362bbe8eb6c6dfbeec424ea8e6c6af0eb1912cc5e8166399b85c6ab09816ce16c6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUcq.exe

Filesize
134KB

MD5
6af51d9fc6af0c183b88cc6ad5b4ecd9

SHA1
ca96579b3f6d5007008216ab13e319e9b6627de5

SHA256
cf27bf4b6e9d913f5a98a354f43899c4c944b69e3a9958bc7e2591c75f5618c1

SHA512
ef4df66250a5b29ef267ef5e5ea3fbca4e58b8f1a819360ea907cf42ad1c28371fee937ed943d89b755ef0800fcccbf1bc4c1a1787f427fa38b09fc065b5e6eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\GkgE.exe

Filesize
146KB

MD5
41f731375f40f12944aabc896fc082ff

SHA1
62dd3839c6024c2298214040cbcf47a4a7108bd4

SHA256
e32fc89c93595f5cbbffcdbc697b33d60416ed8d3907879cbeb6dee204ec7362

SHA512
fbdb17473fcc9d2393df14bcd937806d74f547cd3cd2cace0e238ef1e9f326bd69a8e66d3275040f7883475658c53846bcce4490e0ce49089e5f1070ad1f0460

Download Submit
C:\Users\Admin\AppData\Local\Temp\IYEu.exe

Filesize
756KB

MD5
0f54c4781b7878ab8a9d357d1fee0a7d

SHA1
3848f229cf7912f9ff7f1873764acb73959ec4ad

SHA256
04926b56e33fd571900c49e9793f24ed3e83614aa1b4db06fb3e9b500e1f521b

SHA512
0e3588b09d98bf0c8761df3588867ca028e0abaa73da55161bec5572d5b2b9d4d4861f33045e2570add6251bace03704f8438d115bcf7bd578279e13f043543f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IkMq.exe

Filesize
750KB

MD5
4cb513935425b876e38b66a88fb39c9f

SHA1
33af651bfc741f8c02ec4f9e13682d8db9579e5a

SHA256
678597765fd053fc24340f6b2aaeada8aa20b4c78b74846e5474e155d4564716

SHA512
dbef028589793769eb429f418aaeadd3935068003f905e7f39b15103a943d1c7110eb8eb47eef51d5dac4e0ca2a4797bed507e3c85d9738b150bf40517eb371e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kcki.exe

Filesize
140KB

MD5
bb145efd531aeebf130114d162aedcf7

SHA1
304fc2b697b3e22bc07c27f70ab2543ba8ac7aa7

SHA256
1a9181823c0fdfeb641c71cdd7c68be04bcca11434232ff803b1257d45dd280d

SHA512
cca758bdf9ebad0ff5cfa9c370346a134a3a40a41760e94fe02eaec3f6eb5ace6c97e96986463742d1fb66b712a214e1b272eaff0971ec26c95aa10cc9611313

Download Submit
C:\Users\Admin\AppData\Local\Temp\KkAS.exe

Filesize
131KB

MD5
63c1d380d4969c9bdca04f9c4d9140cd

SHA1
f5995159769cda23e153441af9825bde7f8f18cb

SHA256
23f1cfdee0e3631ccff699e6e1d54e65a8e1c19e218b33324dd2468811832f52

SHA512
ec9157dfb921a1a3f7fdc4f1e5a741244688b4f916409db271303ae373da8567ca158a0a0ea5de2cdf6f8be7a02d502ced216ed6111f78f45d45529a5c464593

Download Submit
C:\Users\Admin\AppData\Local\Temp\KkEU.exe

Filesize
145KB

MD5
490c1fc09648c8cfac8748a88197afe9

SHA1
75e68afc71f35c44d187cc32564cdd6504372b41

SHA256
f15877feb427ebf352fde7558b937a8e7abd4f39afb4b35e23f603c74d289464

SHA512
b25ca2fe6065ec882ffc249863bb2c1d57eb2f1eeb49ac3a3781e9191ac4f9c9df7230dc35217d6d25e9bb1e5992de6d0d1978ddad61c04f45cffbdc9b7133d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\MsYS.ico

Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mscc.exe

Filesize
139KB

MD5
fb0bf1a962ccc5054f7942b9c23639c3

SHA1
f98c397f45dbe9b9dc329208cd3c91136fa4b68e

SHA256
2f517de3eef2a8cad1aee099ca7e88c476d4d6ff576d57c5224590f1c92cefd3

SHA512
177c181991460b5a4a501f8cbcf4d72d4e70b65ae2a4be2527ed6f08e3c67e4306e48743dec7ad12acf11922add25ad53a0020733c5a5976bcf5d1b6b9384247

Download Submit
C:\Users\Admin\AppData\Local\Temp\OoUQ.exe

Filesize
156KB

MD5
c7ad4d19e914727a5a1bf93c6290cddf

SHA1
97ba65d35544f2c4c692e32524a5cb6d25bf9474

SHA256
04fe29e4c551c2d273f5be48fd8706d1a27763567b60f3c6bb00917187b9c9ba

SHA512
fed750af36e7eeb2275344850d8fc80ad7a65bb595fbef8ed567ca914be9ab9a4c265748b735900ae852e3c77fc5f2546f28cf3dabbcaa80905cea53491b1d1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\QEok.exe

Filesize
150KB

MD5
9fde06929286d72522233bccf4803760

SHA1
6644dc92e7bd3cb7f84a141bd0c3447aafbe2805

SHA256
3732b9248441b03af0923682e5c7fde358de9d76d887237e393fe9a846c9700f

SHA512
63fc2fefd0678c90344256ecd5c393e37133f0acd0251949fc9b66885278bd70acabe119b0e041bf4e419ab1ad5afdf7a3d9f992d3901f3031f0e194cf143fa1

Download Submit
C:\Users\Admin\AppData\Local\Temp\QIYc.exe

Filesize
182KB

MD5
be9e36f8a1be6515d7fd5e42163cad6f

SHA1
b9fd2ba99436fb2bcb7f4a309f9e94dcd933b125

SHA256
eede13fd7e9b9475419de39663c55441b21a2137a13a936d189812fd19902a58

SHA512
627cae26d63f8bc0b6122f6b4e0c773a07c76e34b469da3dac700f9a5484a0bba1323c7b127998b5e41c2882b90edecdc0de28ac6a602ac6f38f08b1df1d8608

Download Submit
C:\Users\Admin\AppData\Local\Temp\QoAi.exe

Filesize
265KB

MD5
c785f0d69c0f117aa2732eb27fa78858

SHA1
64807226125eb697578ae556065e85aeafe5eba0

SHA256
343aa3768f9860db82f654856fa42851976dd03119b7bda0cffe1794369606b9

SHA512
5fa63d71b6df2eba1ef5e60d17482412ce6e37b35067a4e4eaf38485941255f4f70d08214e73eb521cc7cf689e3b3ad2c7fb58de28321def5e4a0b3302fd9768

Download Submit
C:\Users\Admin\AppData\Local\Temp\QsYi.exe

Filesize
131KB

MD5
08c60c5611545260bf534f9df033a2b0

SHA1
6879b2d41a1d41faaed5cfab32dd6e6aace417a7

SHA256
148fc4c5a52e829f508d92308acb7d72da0b417775fabe14448601abb7a68e5a

SHA512
2170fd6a4c5ad714c36404edadb723019f563d585f478f6b0e35743635d3aa39e8a289f449e16385ad63f944150a78304c5de86c22539d4e46be5fa42c56ae51

Download Submit
C:\Users\Admin\AppData\Local\Temp\UEcg.exe

Filesize
154KB

MD5
10e05523e00463594720c0ddfb6e1641

SHA1
0e717743fd305ec78b4ff30c6584fbe14cc3c5e6

SHA256
dbc1ef4d747e30b188dbc9644ba128f960b979baafd7a31c1a42797409d1500e

SHA512
38455d5d319e561cd4346e327ffe454ac9ad89d284991c44e98558a917e9462f57eec4b3f1d7ac7ba906cbd8936398e8c1a1eacb1afbaf38e82239b6b13f189d

Download Submit
C:\Users\Admin\AppData\Local\Temp\UccU.exe

Filesize
185KB

MD5
0444858d20d04ab289402a6661ffd740

SHA1
b80a10991c84daa982394317fb3bfb7e88bcafcb

SHA256
2c96e0cbba4da0a399591cb1d512934caf98d3b7d55975a0607c7954212a03bb

SHA512
81e5cc0e50b6ac934a65ce55d7bf134b88232f201f9dfbf82e2eccdfe58d92c2348073da4ba17a9131e911e64e9574dfd94f1a4f127fe7a3cca2f123a42bf3dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\UgAq.exe

Filesize
579KB

MD5
0e5dd9aa75c3ec97f786b623471c6c31

SHA1
1dc1ca94bb8b69268b9bf9c02db05b5ff78da629

SHA256
4c6a73601bd3f24b49ae65a10f40633f2226e25a949e78985e183f5b378c7ad1

SHA512
9b51ee341df447516a1183a13855ee4a931385ead48c3b37db73cd638c61d93eba05293ea53eb3f258780653cb9c41ed6a698617d96b83752ce4676d645a87da

Download Submit
C:\Users\Admin\AppData\Local\Temp\UoUc.exe

Filesize
773KB

MD5
5c91daa84a464543486957b893a9a1df

SHA1
82c1c09f40f5419c2e0ced496951fb744acfd32a

SHA256
9a3b4f4ea87e0515759aaee7d64b7be37a3889299557fed3e4c441a2cd44de57

SHA512
a5ad5081c7cf9c26520c614e868401ba1bc5f01acd3234bcb866eaf2954d10fb4080fc15cdb1c0d35bb859cc9032ca2f05b5f24257a4b50406539b79fe0f595f

Download Submit
C:\Users\Admin\AppData\Local\Temp\WEES.exe

Filesize
718KB

MD5
857cb0709070b71ffa06d249e6f0568c

SHA1
20329c3206c6d7e00804cc18d8e8724fc8cacc84

SHA256
a01a4666f57452b235122d41b52860bb80552adcaef4a2fbb283548c387f656e

SHA512
7c402cba1b6fba015cba1d3d241b4f6bfbd2bb51f30b669b1fc30ba602920e5e81680a9e121818af7b96bea5977af91cb9ea1ab82e799bb0789ae82da0983bec

Download Submit
C:\Users\Admin\AppData\Local\Temp\WIQQ.exe

Filesize
127KB

MD5
62045ef6aa5f76d0b3e765bb22830340

SHA1
1b6d212532072067e3d35672d0c6ab3f02856b23

SHA256
b19a1058d4eecbc053fe6587a87ea61fbb9ecd47681a68e6ffdc026020b4c46d

SHA512
c96cd2c759bac57513218ec03fbf3bac99d0d569aa7184a8587a6cbc65e5c6922cd31ec58e71783ce3bc5680583fc5f51df7505f059aacbc289a100b68c1107f

Download Submit
C:\Users\Admin\AppData\Local\Temp\WsIU.exe

Filesize
143KB

MD5
e8f749784c973ef0048ffbaa19f5e8eb

SHA1
8285715a9381bd455dff5bbc184ae1e3c86e88ac

SHA256
1a454d42e0c61ed4817b9918b699710f228b99a6e4f76a07e4ba4fc3e9338eba

SHA512
b5137ebb2076f904a515d0de2e43a8bb7427215b71e945767673952a180a2a00fbc9701b0a74aaebfaaf0edf46ab4f5487529e1db0cfe5c8e132977032125e5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\YwIS.exe

Filesize
148KB

MD5
b17e43ce9a280d02c76cd292e3c51194

SHA1
6d746f162725432ef9dd66803fb5c907671e07eb

SHA256
ceb487f1834167a0b3c5b25a1dfa8884a2ec99f361dad1ff277b5f192685ed60

SHA512
8d7d512d6f34316a912054c5d2c31865256af5f48a09a3bd45bd4c5eeac2a34c8d1d891b0f5719e458c0ed274cd5518324aa23075fd971a43b4a51ff9c784913

Download Submit
C:\Users\Admin\AppData\Local\Temp\aAoI.exe

Filesize
150KB

MD5
25e80527610c607868c336bac465a25d

SHA1
0145d9f0ed4385c5a4d7866ea5d96925ba97ec8a

SHA256
b6912b4e226ada4257ebb00c5478b65d8f826318db04a814549d94a536168e12

SHA512
2984fa275cae832ee342be44770d1dabe109b85068558ac48ff5746285c7f8e2059495807ddbfbbd8a6c0521e82e18fe9268690a94650bb6864e3faa06b3cd7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\aQUq.exe

Filesize
144KB

MD5
9ab8da0927aa39d0e4c836389054a525

SHA1
f7d8a8f778af924bfd3d412c61248a5ae957bf99

SHA256
594b901539d7ba2366794efea736ca9496850ac108dd1074dc9bf0679affe64a

SHA512
b716d5b0264473350a124dc664db49b431d91c52bd43eb97468948f3148bd9c79eff49af92e23c188d7f946180bb808e5576c9d18a3973dfabe94d2fc2043158

Download Submit
C:\Users\Admin\AppData\Local\Temp\bQsUIUYk.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\cAYm.exe

Filesize
148KB

MD5
abda113aaeb5ecbcc261f1349880185c

SHA1
a75ac2558b414ee45e3749dfa33c4f4ba9a3299e

SHA256
c7e763d3ee8449e34a94a85b4bc177c914664b8583aae0b930a034c7a3231698

SHA512
5f8dc8560783ec5920fc6f2c48081179d8f3295ee3c77c75bc6eac5c5e5ca1dd1d5d15603e39f5702ce2f233da83a8f6cd32560cda18ba1cd83636077300e58c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cEsy.exe

Filesize
579KB

MD5
aca450c87a069ab653e599adbbd9bddd

SHA1
9deb48837e5d3f5881e0d6ca368ad34865f6063a

SHA256
17687d53c71eba9fc4921c877fa59ce3b450b7cdf922e0b320a47837e8a94126

SHA512
dd022de45a0cf2c2e815bdf464ffabbcb16819d684e62aec87107d20b42af3e58289e7dd9d1c0d40c6561580a1229742598a6f94081b8f2e99e66c71cf5a2f8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cMIY.exe

Filesize
137KB

MD5
1bb0fcdcc5e5b51038e2a9b85cb8355a

SHA1
2600df765cd9f3bd6faa1947788ee6a8790ffb1f

SHA256
a7b238b666616677ccccc4ece7f7fb24b234e1d872aa8a8f8b0baa6d23ff54a9

SHA512
ada93c6d448ef2b2f782cff3e1c7d371041ffb14bd5504c28a6749373305527432cd2b24b6b79e3c8105ed3f0c08249fd606a2eea46f84f1086693971fb2b6bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\eEkK.exe

Filesize
140KB

MD5
0fa38c98a8293b467f0001c18ca7220a

SHA1
beee965a1fe8d9325b659872e58d44570daaae1a

SHA256
8f91316d9c98db5427d7f73e2e4e16a0a07d71f8dbc624a79fe15ff3341bf7f5

SHA512
e13adcf593473dc2be63f60866a471f12ce0eda1e4b557a234373b3063c08a1571c7ed13bdee3de217df1d54cf0b4501b1d36da8170d7fd1000f228f8a80eea2

Download Submit
C:\Users\Admin\AppData\Local\Temp\eIYG.exe

Filesize
254KB

MD5
19d296922dd89795f2a4eb09b180af7f

SHA1
cfb6ee7c3da3e388e76e5d90a5c7e8ec2fef277d

SHA256
ab4f2fcdee492ab00c43d783853d890266750575a1899cf36ab38c3f01c97ea8

SHA512
4e1cb6d6cda3c2bc8a14121f63b66a62fe60b46e24bdabfc96075b6c35473f10b89555e24fd4cc1513983f11205cf5deb89b2d29137d1ed6572e298c9ebe67cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\eMQQ.exe

Filesize
130KB

MD5
428ecdf2e61e69f5113a482f61493e95

SHA1
c116c93291d27b4ceeffd31d1eb886bccaed15f9

SHA256
0af01a27c132ae8c1182912d9dc98318ee7e7f782a76bf2a028f6432c7dccfbb

SHA512
49a62ca7df378d43aa28bf04a56dc7d22fac656fabb6115d96f105cc3006195f9d0941af2eb8a2a4e7048fd819b85df4932fedd4b0478b99dce3e7c4dc242885

Download Submit
C:\Users\Admin\AppData\Local\Temp\eUUo.exe

Filesize
146KB

MD5
68be5fd0c7ad220db6784c8e9c6feafd

SHA1
af367cdb296392e85af298e42de7e1c6d3129b9b

SHA256
134a983ae657d5bf73b1a52ab77701a4dc469df31f382ccb5baae7c6e1bf0c04

SHA512
c56e70d49f3fda3fe1dff138c8c13341b85ad01cb9ff8248c28994a6f3339259e29665d5a92fdef318c57a7b140ad47e27e2f741dd1aafb1148a2288d666db06

Download Submit
C:\Users\Admin\AppData\Local\Temp\eckI.exe

Filesize
147KB

MD5
a3a07123d72ecb8869b4f0d95f8168b8

SHA1
81042e1df8d86796177a41d05f4089ebd25b2933

SHA256
dc9c20290650dad5827d0a7a3f427c58a3b2ff7cabb838758ff96d736aebcd3d

SHA512
29b71172a8695773ed639528b4dae6122109e22ea243cb8b5dbd8cb64ff5057794a59d8bc52540c7c7cb80d953b0a5b189bf686fd6d94b3445dc1890ce9b8199

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gEcS.ico

Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\gcoy.exe

Filesize
154KB

MD5
37dde0d17ab28f08d5c2f2f9a0ed3cd5

SHA1
f15b9eb4cbdbcbd1f01cdc8023746c5c342c6c2e

SHA256
b75149eb06a0bcb294cd8af7415be405b6f6797954be8d642a26e8a793f60166

SHA512
ce1e293748bbb112f3be4a97d493bcf66599a09c9ad6e5cb463e7a928779dbc180b712f68223bbba0504c5b7e974c5f95359cce64dbd287f63ec0f873d574a42

Download Submit
C:\Users\Admin\AppData\Local\Temp\iAIk.exe

Filesize
144KB

MD5
449b1f2d62434a02923fb3e355249c71

SHA1
378327380263f6e4fc3c2f981c5cf0da2c81d753

SHA256
b76138ae1b0683618e7b5cd1bbf3d8937b40e82469115758c8dbc8e305b82d1b

SHA512
ee16ef689a8abcf702d6728114f50cb3eb6a8312b49dc1b3325f75fbc42803191a911c9eee1470f6ac1a666e2fe53c030043e189f81c1123209f034234024b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\iAws.exe

Filesize
150KB

MD5
8a72bb876f87397e746aefafbac00ac4

SHA1
9f1de4db9f4fb6b40c27ac4e91fde3ad3156388d

SHA256
9e0868e3568a7ad37fb1346f5a3ac5ac70ac9c3e495b275997e4cc6340b193e0

SHA512
2df694d4585bae10e51413327becd6735ab3d162f81d1bfbc7a45b13fb90fb1df171d0f5da94e92daf9d17a71c5e856c41c39b18627cf0cff1bf50e7500a4c2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\iMMa.exe

Filesize
132KB

MD5
70eb22f66aa5638ccd08acc6b28083d2

SHA1
225f39f19506dc970177bbe5be42599a8951a596

SHA256
19e0224c9190d02a2e22e4a3b3a2d4f75ce06c76c45f406c058cc5cdcb1b125f

SHA512
e101e431b96f20a821723790c52227bfc57041cf18fff3b996e2aa09d6451cafa17440a0e0c3364ae9531084da4b303f353c3603144aaf637e5d34d004de2141

Download Submit
C:\Users\Admin\AppData\Local\Temp\iYQE.exe

Filesize
132KB

MD5
5bed9beb407caa542ccd37ee6e4c235c

SHA1
d4442a36c6bfa05b1909e8653bfddc10bface727

SHA256
de22a22116088674b9457e7692be8ab6cd8404c2a8cbc5608e68129f2b61eefe

SHA512
3f503a0c689c1c6658b192d716f75d6c82a6f5b6708423a24dd878356823ef778703eb58bb0b3771f7e1cc3c3a3655c4e18ba43d03ce4dd7f27fb646a9f5e355

Download Submit
C:\Users\Admin\AppData\Local\Temp\icEC.exe

Filesize
501KB

MD5
ea79a09567168b86bb300431a35a2d47

SHA1
05a6a1ab70a9680d0fe06e3ce2d4bb8d614f63bb

SHA256
91f7f62ffa1c9b3fae9181472707aefca71983b432901bbc7a15e1f7192a34d1

SHA512
819eeef9538f0ef8ef72935c5593df24d643e49a881882d1b5f9e736cef82e8edbc04dc6726eafe584bb267b8f888480baa0f930ac31bf5204db77514d1e7e2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\iocg.exe

Filesize
140KB

MD5
6ccafb9a564a36898254c9617d48c83b

SHA1
31cdc2fe61ba9039cbedca7b6e09d2ce5e43d5e0

SHA256
d3536e0af38ad6386c61f7724b9fd26b77d0dbbafa89dbe94c6ee44bac887082

SHA512
f4f31601723b8f330002ce98212028e2bc43052a0cefd38aac15956cf2e16935a99d74a0b6572cfefe3c6f0fdc555d27f7ccb973258c6c1812ec538fcf997594

Download Submit
C:\Users\Admin\AppData\Local\Temp\kYwc.exe

Filesize
152KB

MD5
3cba16a5884d2fc4dc7b103fbbc0ffd7

SHA1
0260dd847732f67d2bcd35775d8b65d5c224342e

SHA256
58e032c682408bdc347b8a480ff40b7b2d1768cfd688b3dd267885e774289f1b

SHA512
d5ebb88e1be1892c1b1cfed7e8a43f0604c73b9606e0e08caf3f318b9f140e6f169ff28482c7b0541884cce99023a33a8904425771be93963c5bb490774720b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\kgIm.exe

Filesize
135KB

MD5
92dcd201800a8a6d912f83b1dc10a677

SHA1
d56cde6741847a18a327aad04432e9c7115b154c

SHA256
27bccfd9fbfbc26332427e42fcaa3d9822b10b2126c50dd5687a495da4a5712d

SHA512
a0905345d2f25f100a440e0ef9ee6365cae2062f367b2aff1ebf8387bb9d63bff6b4408ac6ec4cd20abd12ae19a7e4d802087aac5ff4ddeeddcfc604f879aa3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\mUwI.exe

Filesize
166KB

MD5
0293f92c7c66821a714d651fc6073116

SHA1
28b33d971a4cdb0d09949a9b465185e0f6c2079c

SHA256
41b6c7e70903525c8a69536b59158c572e8f7afbc467639f8a30330556ff2178

SHA512
e7d76b8838ac3b1d14dc2311c5bfa070fe5621b03eeffbd9de9ef49ff999c206deed89e0d6eddbb06ca8433e9e8fbce0d72eed54dfa0fd2b74beb485bee37923

Download Submit
C:\Users\Admin\AppData\Local\Temp\mYcK.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\mkcU.exe

Filesize
134KB

MD5
382a6f7328b2c3b8f360b27835e48198

SHA1
73f42b0b71f95011a0fde8055cde51bdbc5c6c3a

SHA256
d1d028716bec05a6bbd896469699e02c77e117df5f14cfb6027831b97b614260

SHA512
7e4079410070b3311f9ba8984cc596e7a61426fb7d93958e4a681f9a25bff06f4e39858fecd656dc9068132b78d11bf0881d7a50b54472be0575394f88c66c27

Download Submit
C:\Users\Admin\AppData\Local\Temp\owES.exe

Filesize
149KB

MD5
9ae8f20e752e2422e8ed6f1e3f462e0a

SHA1
47d9e560a912448ceda72e4a9fa58a55cd41a022

SHA256
8c16985ec1ff1ed71390bd164d1fbc2ff89f997cc92d7631a5d32a46cc4d27d1

SHA512
2dce4ed6d3f8299a25e5863f77729a333bba4fb8ae366f03e7b5793d8ca88c0b4a1111078144856fb5e937f0d3e25e6f3cd18451f56c75285ee2a51ed39c3f83

Download Submit
C:\Users\Admin\AppData\Local\Temp\qEUu.exe

Filesize
213KB

MD5
827772bd398ca99df832ef99aad0dccb

SHA1
1c503f1afb40b4950aef725f1972fde828435603

SHA256
ecbc2e9c090b20e8ec7923ae20e641203b5355bc4e0531720b835042c64dc480

SHA512
6fa7b5388e4d97f07eb5b73ed7650a9479549b74f8805cabc8c496dd0f34c2317e0368ed27bc48d3fdc61bacbbef30fde732e51900a676301c4fcbe3356203f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\qMQE.exe

Filesize
146KB

MD5
7531d73bb42b9440da4184c92c94aa45

SHA1
185808846a8be681c715ee8c5fea3df74589f704

SHA256
269771f05fe0ac9bfc16aac6494bb0060a0d588c0372bdb2d964d1d866386fe3

SHA512
d640ada9e1710be688892f1297016a78f7b6973a7f7f03cc1ea2a02169a79588dbcfef117c9a88f04d20a5f42c8b420a3bc2201f99ef0c5bf64acadb6d0dc5ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\qwQG.exe

Filesize
149KB

MD5
1f88e6ae77e82905808c27cb3fd888a6

SHA1
1daca22203b507a93f0115761cd13316c6bbef0b

SHA256
5ca71ea67bcb41888328db9a3ab73e8efdcfc5b07aca104b4519d9732e6a23c9

SHA512
56afc2b66fdb575efeb6864c71a3a2c5e4cbc66644a978feecebc9ecd6ec87fa1c8b2edae5310d234d8cf4feebf4289b742eb69b508e3f1da0b38f2fcc7115a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\sUUu.exe

Filesize
138KB

MD5
aca0ef91df319730ace460d78a96524a

SHA1
927ffee04d1fb27bde195b1dc18e7469d62ba1c6

SHA256
597686a4d9ff3d571cd556ad951888c7759e4b98971f2e92cce9fe97c166c8c7

SHA512
fa4a564111159219d38969865ff59300440e33ed48648bd8022874445835e8539f632e35a0b33c85f2a74645f22834141162b0997e5154b9d7ff69cd6146c0fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\uAgc.exe

Filesize
154KB

MD5
ec5d49df6c3a9ef142bca036f6ee657b

SHA1
84a2c573ef500cfeb1c754580ab3dda80bd7ae89

SHA256
c46f024926335f5cce0f19a7d57a70004e722f12a3986d55f10f8b8caae55cdb

SHA512
1a92d70342f415e27fa3082183da9db7f5510a78fa687f9ff9a637ce05b3082067ae6c8ff44a8419a282ce2bd502055c7c5bc56d112da1fa5ebfd12cff3ba794

Download Submit
C:\Users\Admin\AppData\Local\Temp\uAso.exe

Filesize
134KB

MD5
ce1624295f2622e36322c3de0f0f3ae1

SHA1
2edd2e015201dd389f1d937e5ce216f36af5eed0

SHA256
46ee4161b7e87e6948396db35c0d4f6ee8b53821beb515cc834029aeb945071f

SHA512
9cd7ad3223e2a42a2f37fdc9a699eaf4297c63818e88dd202d78cb28669ef743815326dd7617321403cad8b60ca3affebb56e36867eb1ca489931f20b973648a

Download Submit
C:\Users\Admin\AppData\Local\Temp\uIYS.exe

Filesize
141KB

MD5
8285622b98a2728279e6f15952f414a9

SHA1
65256fa41b97134dd6c7a8b203b693aad20e750e

SHA256
cbed23f2858d2598fecf96ad96f4b6892ea5e6d0b3425c4b9e09616d26e55a99

SHA512
dd28505f8e5530be518a0ea109f90afaf996fbc3777098123a103ff250cbd53c5b4459793342df2d35ef568d0c4263832bc68c40356821f284a3e12a4e6d1f2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\uwUU.exe

Filesize
147KB

MD5
4b037147727280b32a2cd6a8fc1fc3f6

SHA1
22f84a1266ba1ad8db013d22c1581fe75126fc21

SHA256
848e51f3078e95ab80971b81760da282b0b24d8b2b3f1a5ff2affe4aba543d6d

SHA512
c0075871be65ef47887d524f4a9aef4bca13d1a7ad78aba91847d08aa23dbc3657213e670d892ff8dc46689c14285b6ee60dd546f543891d6d53c1a1c0891d60

Download Submit
C:\Users\Admin\AppData\Local\Temp\wUkw.exe

Filesize
147KB

MD5
bdfc1d8f157c1b0c6da28e5431e2d71b

SHA1
d5b380fbc284651ca7e6ac58c5a672a561eb6a61

SHA256
0199e8523a4d4eb31039302243401a8feb41a9f04e701387473752abcda30968

SHA512
f52946468db105cbfbd097e7fa60eff1ceecd583629b7fa9a8bab6fd079132a5d3b1d6073d0fc9d10ff5ef07eb2fe766fb726c1a3b7c8245e5cbf235e38509d7

Download Submit
C:\Users\Admin\JIIYgsEw\EyMcAQYM.exe

Filesize
137KB

MD5
9b5bb1a0d0e001c598dce8de1c55da59

SHA1
7ecbba5a4c8d5feffb081a69d57bb9261cbea75d

SHA256
51ce831f3777d8321cf685a80c498fddbd4228f421b447ede7b4fdd7dd1fe206

SHA512
d1d01ca5bc24575ad049f1b90b664fee7ccaabb1080474ba249e64317c051a72a3595dd3524d9d54b66befbe77d307e1faa3d296a196f4f09f815d44b8b9a8d2

Download Submit
memory/8-75-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/228-153-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/316-389-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/368-200-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/368-211-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/456-15-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/544-504-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/880-578-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/880-585-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/912-222-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1060-165-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1060-176-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1100-262-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1188-405-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1396-86-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1448-142-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1500-234-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1500-245-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1556-365-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1564-623-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1564-635-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1608-315-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1608-307-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1660-108-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1716-529-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1768-332-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1924-131-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1932-470-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1932-462-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1940-97-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1996-0-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1996-19-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2032-5-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2116-53-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2192-421-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2200-558-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2208-199-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2424-546-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2444-120-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2444-109-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2480-602-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2756-568-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2756-556-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2844-566-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2884-272-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2884-280-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3004-397-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3100-521-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3100-64-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3168-554-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3300-594-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3300-586-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3488-567-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3488-557-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3548-246-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3548-254-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3548-478-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3588-487-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3588-480-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3864-349-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3864-530-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3864-538-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3864-341-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3928-445-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3936-42-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3964-20-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3964-31-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3972-188-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3972-177-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3976-263-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3976-271-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4300-453-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4344-357-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4368-233-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4416-373-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4488-627-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4488-603-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4516-340-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4576-437-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4596-489-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4596-496-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4616-164-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4624-429-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4672-381-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4780-324-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4780-316-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4820-461-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4900-291-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4900-298-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4912-413-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4960-306-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4976-281-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4976-289-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/5012-576-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/5020-505-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/5020-513-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download