cbf90b656abb4199a0f4cfa4b8fc538202540d9b672e7ea5ac9975ae51884b0d

Analysis

max time kernel
150s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-11-2024 02:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
Size

192KB
MD5

4deb641355a2ced75885248619e7e7c8
SHA1

fe46b1856c51e85ddcb128235085c3b2bd0a0f51
SHA256

cbf90b656abb4199a0f4cfa4b8fc538202540d9b672e7ea5ac9975ae51884b0d
SHA512

e7632732617e8664dc3fd05ee12fad0e258507468b1455007a8bf99f3e0494a1e0681bb6e04254c8da2338c8998cde919c0343fdb4caf14fb569fd5f3afd7991
SSDEEP

3072:PCvM7zZ8k5E8CenK4tYLt65rU3eF5qaNkQbbAppxVh:ppcrR65YObqvQSpxv

Score

10^/10

discovery evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (78) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

OEsAgsgs.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	OEsAgsgs.exe

Executes dropped EXE 2 IoCs

Processes:

DIwMsMIA.exeOEsAgsgs.exe

pid process

4292 DIwMsMIA.exe
4624 OEsAgsgs.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

pid	process
4292	DIwMsMIA.exe
4624	OEsAgsgs.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exeOEsAgsgs.exeDIwMsMIA.exe2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\OEsAgsgs.exe = "C:\\ProgramData\\VcYwMcsE\\OEsAgsgs.exe"	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\OEsAgsgs.exe = "C:\\ProgramData\\VcYwMcsE\\OEsAgsgs.exe"	OEsAgsgs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DIwMsMIA.exe = "C:\\Users\\Admin\\HcUAQwkY\\DIwMsMIA.exe"	DIwMsMIA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EqIcsAoM.exe = "C:\\Users\\Admin\\sGkYkgcw\\EqIcsAoM.exe"	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\lawQAkkM.exe = "C:\\ProgramData\\XOYIggoU\\lawQAkkM.exe"	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DIwMsMIA.exe = "C:\\Users\\Admin\\HcUAQwkY\\DIwMsMIA.exe"	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe

Drops file in System32 directory 2 IoCs

Processes:

OEsAgsgs.exe

description	ioc	process
File created	C:\Windows\SysWOW64\shell32.dll.exe	OEsAgsgs.exe
File opened for modification	C:\Windows\SysWOW64\shell32.dll.exe	OEsAgsgs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4960 1492 WerFault.exe lawQAkkM.exe
3192 3436 WerFault.exe EqIcsAoM.exe

pid	pid_target	process	target process
4960	1492	WerFault.exe	lawQAkkM.exe
3192	3436	WerFault.exe	EqIcsAoM.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cscript.execmd.execmd.execmd.execmd.exe2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exereg.execmd.execscript.exe2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.execmd.exereg.exereg.exe2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.execscript.execscript.exereg.execscript.execmd.execscript.exereg.exereg.exe2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exereg.exereg.execscript.execmd.execscript.execmd.exe2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exereg.exereg.execmd.execscript.execmd.exereg.execscript.execmd.exereg.exereg.exe2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exereg.execmd.exe2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exereg.exereg.exereg.exereg.exereg.execscript.execscript.exereg.execscript.exereg.execscript.execmd.exereg.exereg.exereg.exereg.exereg.exereg.execmd.execscript.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

Processes:

pid	process
1604	reg.exe
4024	reg.exe
3096	reg.exe
3680	reg.exe
1016	reg.exe
2052	reg.exe
4404	reg.exe
2936	reg.exe
5024	reg.exe
4356	reg.exe
4416	reg.exe
1924	reg.exe
4588	reg.exe
2732	reg.exe
3436	reg.exe
1140	reg.exe
780	reg.exe
3652	reg.exe
3304	reg.exe
3016	reg.exe
1304	reg.exe
2008	reg.exe
3440	reg.exe
876	reg.exe
3088	reg.exe
1584	reg.exe
3628	reg.exe
2396	reg.exe
2200	reg.exe
1780	reg.exe
3592	reg.exe
3628	reg.exe
2064	reg.exe
1492	reg.exe
3036	reg.exe
4140	reg.exe
3148	reg.exe
3456	reg.exe
3504	reg.exe
4488	reg.exe
208	reg.exe
1604	reg.exe
2780	reg.exe
4512	reg.exe
2004	reg.exe
3264	reg.exe
4388	reg.exe
3904	reg.exe
5060	reg.exe
5100	reg.exe
3812	reg.exe
216	reg.exe
740	reg.exe
4792	reg.exe
3148	reg.exe
1728	reg.exe
3584	reg.exe
4064	reg.exe
2056	reg.exe
2280	reg.exe
4220	reg.exe
3588	reg.exe
2984	reg.exe
2964	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe

pid	process
3904	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
3904	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
3904	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
3904	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
4060	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
4060	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
4060	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
4060	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
212	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
212	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
212	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
212	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
4632	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
4632	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
4632	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
4632	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
4972	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
4972	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
4972	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
4972	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
1808	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
1808	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
1808	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
1808	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
4548	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
4548	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
4548	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
4548	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
1376	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
1376	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
1376	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
1376	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
4064	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
4064	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
4064	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
4064	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
1752	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
1752	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
1752	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
1752	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
1380	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
1380	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
1380	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
1380	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
1624	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
1624	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
1624	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
1624	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
1448	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
1448	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
1448	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
1448	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
3884	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
3884	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
3884	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
3884	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
5060	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
5060	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
5060	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
5060	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
4960	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
4960	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
4960	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
4960	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

OEsAgsgs.exe

pid process

4624 OEsAgsgs.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

OEsAgsgs.exe

pid	process
4624	OEsAgsgs.exe
4624	OEsAgsgs.exe
4624	OEsAgsgs.exe
4624	OEsAgsgs.exe
4624	OEsAgsgs.exe
4624	OEsAgsgs.exe
4624	OEsAgsgs.exe
4624	OEsAgsgs.exe
4624	OEsAgsgs.exe
4624	OEsAgsgs.exe
4624	OEsAgsgs.exe
4624	OEsAgsgs.exe
4624	OEsAgsgs.exe
4624	OEsAgsgs.exe
4624	OEsAgsgs.exe
4624	OEsAgsgs.exe
4624	OEsAgsgs.exe
4624	OEsAgsgs.exe
4624	OEsAgsgs.exe
4624	OEsAgsgs.exe
4624	OEsAgsgs.exe
4624	OEsAgsgs.exe
4624	OEsAgsgs.exe
4624	OEsAgsgs.exe
4624	OEsAgsgs.exe
4624	OEsAgsgs.exe
4624	OEsAgsgs.exe
4624	OEsAgsgs.exe
4624	OEsAgsgs.exe
4624	OEsAgsgs.exe
4624	OEsAgsgs.exe
4624	OEsAgsgs.exe
4624	OEsAgsgs.exe
4624	OEsAgsgs.exe
4624	OEsAgsgs.exe
4624	OEsAgsgs.exe
4624	OEsAgsgs.exe
4624	OEsAgsgs.exe
4624	OEsAgsgs.exe
4624	OEsAgsgs.exe
4624	OEsAgsgs.exe
4624	OEsAgsgs.exe
4624	OEsAgsgs.exe
4624	OEsAgsgs.exe
4624	OEsAgsgs.exe
4624	OEsAgsgs.exe
4624	OEsAgsgs.exe
4624	OEsAgsgs.exe
4624	OEsAgsgs.exe
4624	OEsAgsgs.exe
4624	OEsAgsgs.exe
4624	OEsAgsgs.exe
4624	OEsAgsgs.exe
4624	OEsAgsgs.exe
4624	OEsAgsgs.exe
4624	OEsAgsgs.exe
4624	OEsAgsgs.exe
4624	OEsAgsgs.exe
4624	OEsAgsgs.exe
4624	OEsAgsgs.exe
4624	OEsAgsgs.exe
4624	OEsAgsgs.exe
4624	OEsAgsgs.exe
4624	OEsAgsgs.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.execmd.execmd.exe2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.execmd.execmd.exe2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.execmd.exe

description	pid	process	target process
PID 3904 wrote to memory of 4292	3904	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	DIwMsMIA.exe
PID 3904 wrote to memory of 4292	3904	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	DIwMsMIA.exe
PID 3904 wrote to memory of 4292	3904	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	DIwMsMIA.exe
PID 3904 wrote to memory of 4624	3904	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	OEsAgsgs.exe
PID 3904 wrote to memory of 4624	3904	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	OEsAgsgs.exe
PID 3904 wrote to memory of 4624	3904	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	OEsAgsgs.exe
PID 3904 wrote to memory of 2000	3904	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	cmd.exe
PID 3904 wrote to memory of 2000	3904	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	cmd.exe
PID 3904 wrote to memory of 2000	3904	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	cmd.exe
PID 3904 wrote to memory of 2936	3904	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	reg.exe
PID 3904 wrote to memory of 2936	3904	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	reg.exe
PID 3904 wrote to memory of 2936	3904	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	reg.exe
PID 3904 wrote to memory of 3884	3904	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	reg.exe
PID 3904 wrote to memory of 3884	3904	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	reg.exe
PID 3904 wrote to memory of 3884	3904	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	reg.exe
PID 3904 wrote to memory of 3652	3904	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	reg.exe
PID 3904 wrote to memory of 3652	3904	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	reg.exe
PID 3904 wrote to memory of 3652	3904	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	reg.exe
PID 3904 wrote to memory of 3596	3904	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	cmd.exe
PID 3904 wrote to memory of 3596	3904	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	cmd.exe
PID 3904 wrote to memory of 3596	3904	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	cmd.exe
PID 2000 wrote to memory of 4060	2000	cmd.exe	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
PID 2000 wrote to memory of 4060	2000	cmd.exe	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
PID 2000 wrote to memory of 4060	2000	cmd.exe	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
PID 3596 wrote to memory of 2832	3596	cmd.exe	cscript.exe
PID 3596 wrote to memory of 2832	3596	cmd.exe	cscript.exe
PID 3596 wrote to memory of 2832	3596	cmd.exe	cscript.exe
PID 4060 wrote to memory of 4552	4060	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	cmd.exe
PID 4060 wrote to memory of 4552	4060	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	cmd.exe
PID 4060 wrote to memory of 4552	4060	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	cmd.exe
PID 4552 wrote to memory of 212	4552	cmd.exe	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
PID 4552 wrote to memory of 212	4552	cmd.exe	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
PID 4552 wrote to memory of 212	4552	cmd.exe	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
PID 4060 wrote to memory of 1924	4060	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	reg.exe
PID 4060 wrote to memory of 1924	4060	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	reg.exe
PID 4060 wrote to memory of 1924	4060	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	reg.exe
PID 4060 wrote to memory of 3036	4060	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	reg.exe
PID 4060 wrote to memory of 3036	4060	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	reg.exe
PID 4060 wrote to memory of 3036	4060	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	reg.exe
PID 4060 wrote to memory of 780	4060	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	reg.exe
PID 4060 wrote to memory of 780	4060	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	reg.exe
PID 4060 wrote to memory of 780	4060	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	reg.exe
PID 4060 wrote to memory of 220	4060	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	cmd.exe
PID 4060 wrote to memory of 220	4060	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	cmd.exe
PID 4060 wrote to memory of 220	4060	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	cmd.exe
PID 220 wrote to memory of 4864	220	cmd.exe	cscript.exe
PID 220 wrote to memory of 4864	220	cmd.exe	cscript.exe
PID 220 wrote to memory of 4864	220	cmd.exe	cscript.exe
PID 212 wrote to memory of 3556	212	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	cmd.exe
PID 212 wrote to memory of 3556	212	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	cmd.exe
PID 212 wrote to memory of 3556	212	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	cmd.exe
PID 3556 wrote to memory of 4632	3556	cmd.exe	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
PID 3556 wrote to memory of 4632	3556	cmd.exe	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
PID 3556 wrote to memory of 4632	3556	cmd.exe	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
PID 212 wrote to memory of 3628	212	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	reg.exe
PID 212 wrote to memory of 3628	212	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	reg.exe
PID 212 wrote to memory of 3628	212	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	reg.exe
PID 212 wrote to memory of 1616	212	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	reg.exe
PID 212 wrote to memory of 1616	212	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	reg.exe
PID 212 wrote to memory of 1616	212	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	reg.exe
PID 212 wrote to memory of 5060	212	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	reg.exe
PID 212 wrote to memory of 5060	212	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	reg.exe
PID 212 wrote to memory of 5060	212	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	reg.exe
PID 212 wrote to memory of 4640	212	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3904
- C:\Users\Admin\HcUAQwkY\DIwMsMIA.exe
  "C:\Users\Admin\HcUAQwkY\DIwMsMIA.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4292
- C:\ProgramData\VcYwMcsE\OEsAgsgs.exe
  "C:\ProgramData\VcYwMcsE\OEsAgsgs.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:4624
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2000
- - C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
    C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4060
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4552
    - - C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:212
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3556
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        8⤵
        
        PID:4920
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        10⤵
        
        PID:4420
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        12⤵
        
        PID:3156
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        14⤵
        
        PID:1568
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        16⤵
        
        PID:4888
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        18⤵
        
        PID:4892
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        20⤵
        
        PID:1524
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        22⤵
        
        PID:4932
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        23⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        24⤵
        
        PID:2456
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        26⤵
        
        PID:3608
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        28⤵
        System Location Discovery: System Language Discovery
        
        PID:1308
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        30⤵
        System Location Discovery: System Language Discovery
        
        PID:2056
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        32⤵
        
        PID:652
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        33⤵
        
        PID:3756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        34⤵
        
        PID:4360
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        35⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        36⤵
        
        PID:2436
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        37⤵
        System Location Discovery: System Language Discovery
        
        PID:2768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        38⤵
        
        PID:780
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        39⤵
        
        PID:872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        40⤵
        
        PID:2064
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        41⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        42⤵
        
        PID:1208
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        43⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        44⤵
        
        PID:4168
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        45⤵
        
        PID:3372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        46⤵
        
        PID:3312
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        47⤵
        
        PID:3812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        48⤵
        
        PID:464
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        49⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        50⤵
        
        PID:1332
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        51⤵
        
        PID:3864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        52⤵
        
        PID:3020
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        53⤵
        
        PID:4892
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        53⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        54⤵
        
        PID:1968
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        55⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        56⤵
        System Location Discovery: System Language Discovery
        
        PID:3632
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        57⤵
        System Location Discovery: System Language Discovery
        
        PID:1492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        58⤵
        
        PID:2880
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        59⤵
        
        PID:4360
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        59⤵
        
        PID:380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        60⤵
        
        PID:988
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        61⤵
        
        PID:904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        62⤵
        
        PID:3344
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        63⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        64⤵
        
        PID:2528
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        65⤵
        
        PID:3496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        66⤵
        
        PID:2652
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        67⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        68⤵
        
        PID:3108
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        69⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        70⤵
        
        PID:232
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        71⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        72⤵
        
        PID:988
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        73⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        74⤵
        
        PID:4356
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        75⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        76⤵
        System Location Discovery: System Language Discovery
        
        PID:2352
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        77⤵
        
        PID:4520
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        77⤵
        Adds Run key to start application
        
        PID:4024
        
        C:\Users\Admin\sGkYkgcw\EqIcsAoM.exe
        
        "C:\Users\Admin\sGkYkgcw\EqIcsAoM.exe"
        78⤵
        
        PID:3436
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3436 -s 224
        79⤵
        Program crash
        
        PID:3192
        
        C:\ProgramData\XOYIggoU\lawQAkkM.exe
        
        "C:\ProgramData\XOYIggoU\lawQAkkM.exe"
        78⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1492 -s 224
        79⤵
        Program crash
        
        PID:4960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        78⤵
        
        PID:2276
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        79⤵
        
        PID:3156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        80⤵
        
        PID:4648
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        81⤵
        
        PID:924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        82⤵
        
        PID:4616
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        83⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        84⤵
        
        PID:1916
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        85⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        86⤵
        
        PID:3708
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        87⤵
        System Location Discovery: System Language Discovery
        
        PID:4608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        88⤵
        
        PID:2884
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        89⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        90⤵
        
        PID:4404
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        91⤵
        System Location Discovery: System Language Discovery
        
        PID:5076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        92⤵
        
        PID:4308
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        93⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        94⤵
        
        PID:3660
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        95⤵
        
        PID:876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        96⤵
        
        PID:2324
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        97⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        98⤵
        
        PID:208
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        99⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        100⤵
        
        PID:3948
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        101⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        102⤵
        
        PID:3956
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        103⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        104⤵
        System Location Discovery: System Language Discovery
        
        PID:2112
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        105⤵
        
        PID:3904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        106⤵
        System Location Discovery: System Language Discovery
        
        PID:4660
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        107⤵
        
        PID:408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        108⤵
        
        PID:3332
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        109⤵
        
        PID:2044
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        109⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        110⤵
        
        PID:4364
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        111⤵
        
        PID:4444
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        111⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        112⤵
        
        PID:3524
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        113⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        114⤵
        
        PID:712
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        115⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        116⤵
        
        PID:3372
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        117⤵
        System Location Discovery: System Language Discovery
        
        PID:1056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        118⤵
        
        PID:2184
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        119⤵
        
        PID:3100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        120⤵
        
        PID:4420
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        121⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        122⤵
        
        PID:1888
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        123⤵
        
        PID:2328
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        123⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        124⤵
        
        PID:4640
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        125⤵
        
        PID:4664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        126⤵
        
        PID:712
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        127⤵
        
        PID:2068
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        127⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        128⤵
        
        PID:3372
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        129⤵
        
        PID:2460
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        129⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        130⤵
        
        PID:2280
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        131⤵
        
        PID:5024
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        131⤵
        System Location Discovery: System Language Discovery
        
        PID:2640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        132⤵
        
        PID:3680
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        133⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        132⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        132⤵
        System Location Discovery: System Language Discovery
        
        PID:1084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        132⤵
        UAC bypass
        Modifies registry key
        
        PID:4064
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        133⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MUEUUswc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        132⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        133⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3584
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        131⤵
        
        PID:1396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        Modifies registry key
        
        PID:1728
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        131⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        UAC bypass
        
        PID:2776
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        131⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yggIsowI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        130⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        131⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        
        PID:864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        UAC bypass
        Modifies registry key
        
        PID:1492
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        129⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iOQEIEgk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        128⤵
        
        PID:3884
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        129⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        129⤵
        
        PID:1076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4760
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        127⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        Modifies registry key
        
        PID:2004
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        127⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        UAC bypass
        Modifies registry key
        
        PID:3016
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        127⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\paoIwEIQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        126⤵
        
        PID:3692
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        127⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:3192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2564
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        125⤵
        
        PID:876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        Modifies registry key
        
        PID:3904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        
        PID:4860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MEIkkUEE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        124⤵
        System Location Discovery: System Language Discovery
        
        PID:5056
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        System Location Discovery: System Language Discovery
        
        PID:4208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        
        PID:3900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        Modifies registry key
        
        PID:2964
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        123⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\soIMwoog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        122⤵
        
        PID:4592
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        123⤵
        
        PID:3496
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        Modifies registry key
        
        PID:5024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        UAC bypass
        
        PID:3584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qUkwcQcE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        120⤵
        
        PID:1440
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        121⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        UAC bypass
        
        PID:4320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zAYoYoMs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        118⤵
        System Location Discovery: System Language Discovery
        
        PID:4380
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:3520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        
        PID:3692
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        117⤵
        
        PID:904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        UAC bypass
        
        PID:4544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FIYEUYIc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        116⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        Modifies visibility of file extensions in Explorer
        
        PID:220
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        115⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        
        PID:1552
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        115⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        UAC bypass
        
        PID:5056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AYUIgcgE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        114⤵
        
        PID:3852
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        115⤵
        
        PID:3760
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        Modifies visibility of file extensions in Explorer
        
        PID:232
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        113⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        System Location Discovery: System Language Discovery
        
        PID:3396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        UAC bypass
        Modifies registry key
        
        PID:4416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uCIoAgso.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        112⤵
        
        PID:2032
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        113⤵
        
        PID:3864
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        
        PID:872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        UAC bypass
        Modifies registry key
        
        PID:4404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SUkYwYAE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        110⤵
        
        PID:3680
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        UAC bypass
        
        PID:5064
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        109⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nGgkcgQs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        108⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        System Location Discovery: System Language Discovery
        
        PID:4260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        Modifies registry key
        
        PID:2064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        UAC bypass
        
        PID:4960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PegwsMUM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        106⤵
        
        PID:3812
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        Modifies registry key
        
        PID:3304
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        105⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        UAC bypass
        Modifies registry key
        
        PID:4356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\acIwAYQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        104⤵
        
        PID:4860
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:3376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        Modifies registry key
        
        PID:3652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        Modifies registry key
        
        PID:1016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        UAC bypass
        
        PID:4388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jYMkYgEo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        102⤵
        System Location Discovery: System Language Discovery
        
        PID:4372
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        
        PID:740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:3108
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        101⤵
        
        PID:1332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WaUYUgcg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        100⤵
        
        PID:4648
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        101⤵
        
        PID:3088
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        
        PID:3264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        UAC bypass
        Modifies registry key
        
        PID:3148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ieAwQsgQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        98⤵
        System Location Discovery: System Language Discovery
        
        PID:3316
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:3884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        
        PID:408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:5004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sWQkosQA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        96⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        System Location Discovery: System Language Discovery
        
        PID:1780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:4272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QAocEIks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        94⤵
        System Location Discovery: System Language Discovery
        
        PID:2528
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:4732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        
        PID:3396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        UAC bypass
        Modifies registry key
        
        PID:4388
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        93⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kSUkQQos.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        92⤵
        
        PID:232
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:3760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        
        PID:1744
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        91⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        UAC bypass
        
        PID:2300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\swEggYkg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        90⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        System Location Discovery: System Language Discovery
        
        PID:2536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        Modifies registry key
        
        PID:780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:4792
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        89⤵
        
        PID:3156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qOswAMgg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        88⤵
        
        PID:3692
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        89⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:3520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:4036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        UAC bypass
        
        PID:5004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eMUkEIwo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        86⤵
        
        PID:1396
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        System Location Discovery: System Language Discovery
        
        PID:3944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        
        PID:2528
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        85⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        UAC bypass
        Modifies registry key
        
        PID:2984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zkcEAEww.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        84⤵
        
        PID:4732
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        85⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        System Location Discovery: System Language Discovery
        
        PID:3852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        UAC bypass
        
        PID:3480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HCMAQkAY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        82⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:4232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        UAC bypass
        
        PID:4436
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        81⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\auMEEQgc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        80⤵
        
        PID:3312
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        System Location Discovery: System Language Discovery
        
        PID:4872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        
        PID:388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        UAC bypass
        Modifies registry key
        
        PID:3812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vIQEAIgg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        78⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        System Location Discovery: System Language Discovery
        
        PID:2832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        UAC bypass
        Modifies registry key
        
        PID:1584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pmgkgoYc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        76⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        Modifies registry key
        
        PID:3096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        UAC bypass
        
        PID:2268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iqkMoEQE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        74⤵
        System Location Discovery: System Language Discovery
        
        PID:2068
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        Modifies visibility of file extensions in Explorer
        
        PID:928
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        73⤵
        
        PID:4744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        System Location Discovery: System Language Discovery
        
        PID:920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        UAC bypass
        
        PID:208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RGEIEUIs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        72⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        
        PID:1216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        UAC bypass
        
        PID:2868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RAUowIQE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        70⤵
        
        PID:5076
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        71⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        Modifies visibility of file extensions in Explorer
        
        PID:468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        UAC bypass
        Modifies registry key
        
        PID:5100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DkEkYkkM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        68⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        
        PID:4976
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        67⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        UAC bypass
        
        PID:2392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HwIQkUII.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        66⤵
        
        PID:652
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        UAC bypass
        
        PID:864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WEEkUUws.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        64⤵
        System Location Discovery: System Language Discovery
        
        PID:876
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:4844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        UAC bypass
        Modifies registry key
        
        PID:740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BOEMwggg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        62⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:2656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        System Location Discovery: System Language Discovery
        
        PID:2024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        UAC bypass
        
        PID:1056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LcQAwYEM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        60⤵
        
        PID:4792
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        System Location Discovery: System Language Discovery
        
        PID:2464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        UAC bypass
        
        PID:3472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uakYsgMs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        58⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        UAC bypass
        
        PID:4512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VoEoIsYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        56⤵
        
        PID:3372
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4232
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        55⤵
        
        PID:1208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:3376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        UAC bypass
        
        PID:3584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CsAgYYQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        54⤵
        
        PID:4608
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:4744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        UAC bypass
        Modifies registry key
        
        PID:208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aiwQUQsI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        52⤵
        
        PID:408
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        System Location Discovery: System Language Discovery
        
        PID:4864
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        51⤵
        
        PID:780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        UAC bypass
        
        PID:4196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MsEoEYMI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        50⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        Modifies registry key
        
        PID:4488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        UAC bypass
        Modifies registry key
        
        PID:3504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dkkEQQok.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        48⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        System Location Discovery: System Language Discovery
        
        PID:988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:3436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        UAC bypass
        Modifies registry key
        
        PID:216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FegYgUoM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        46⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:3156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3456
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        45⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        
        PID:228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        UAC bypass
        Modifies registry key
        
        PID:1780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\igIYkIUc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        44⤵
        
        PID:652
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        45⤵
        
        PID:1380
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:4324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        UAC bypass
        Modifies registry key
        
        PID:2056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JaQEYsQU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        42⤵
        System Location Discovery: System Language Discovery
        
        PID:2392
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        System Location Discovery: System Language Discovery
        
        PID:1968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        UAC bypass
        Modifies registry key
        
        PID:5060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SyEIMQcU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        40⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        System Location Discovery: System Language Discovery
        
        PID:2988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        UAC bypass
        
        PID:212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gkcwoMMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        38⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:4328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        UAC bypass
        
        PID:2564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vqQEgoEA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        36⤵
        System Location Discovery: System Language Discovery
        
        PID:4596
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        System Location Discovery: System Language Discovery
        
        PID:3788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        UAC bypass
        
        PID:3496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VCkAsQMk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        34⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:5012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        UAC bypass
        
        PID:2044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HEYAAwIc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        32⤵
        
        PID:4324
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:3924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2008
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        31⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        Modifies registry key
        
        PID:3148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:5064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JAwoUYEQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        30⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        Modifies registry key
        
        PID:2732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        UAC bypass
        Modifies registry key
        
        PID:4588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YscAwIYo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        28⤵
        
        PID:1332
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        Modifies registry key
        
        PID:2200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        UAC bypass
        
        PID:1840
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        27⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hkQkQYcQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        26⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        System Location Discovery: System Language Discovery
        
        PID:4648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        UAC bypass
        
        PID:2268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RwYYgsMk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        24⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:4220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        UAC bypass
        Modifies registry key
        
        PID:3088
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        23⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rIgcIcwo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        22⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        Modifies registry key
        
        PID:1304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:876
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        21⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FQkMMkEI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        20⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        Modifies registry key
        
        PID:2780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        UAC bypass
        
        PID:836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MgYAUUUM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        18⤵
        
        PID:4232
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:3148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:1332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        UAC bypass
        
        PID:2732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CgksEYMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        16⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        
        PID:1056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NEwoQAkg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        14⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        UAC bypass
        Modifies registry key
        
        PID:3440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RqAYMwoM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        12⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:2564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:3100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        
        PID:4228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ToMgYEMw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        10⤵
        
        PID:636
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:3480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        
        PID:4028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wEgUswIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        8⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:4636
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3628
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:1616
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        
        PID:5060
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fAssYQow.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        6⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2284
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      System Location Discovery: System Language Discovery
      PID:1924
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Modifies registry key
      PID:3036
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      PID:780
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SOIgwEgA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:220
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4864
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  - System Location Discovery: System Language Discovery
  - Modifies registry key
  PID:2936
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:3884
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  - System Location Discovery: System Language Discovery
  PID:3652
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hkwkcskg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3596
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:2832

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:4888

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:4928

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
PID:396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3436 -ip 3436
1⤵
PID:2880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1492 -ip 1492
1⤵
PID:1840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.exe

Filesize
315KB

MD5
59581f0cca0833ad90b7a75385fa27eb

SHA1
c3134784ebb3852f4ad8c75cc518626f4413c93d

SHA256
96302a449990f2705db2a8a371de7ec8018f5066d2b3e4b05aada80179661e60

SHA512
fcdfeb3ef16dd2a895da9f8d7a854205bffc078ebf740b5f4112caa3f3d3b8f6c07dfd2b1fbe2f7a9ff2289613d6b71ddda06febc93974bbc211801c102e8dfe

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.exe

Filesize
331KB

MD5
e7ca59ac15e69092f640ca9439537d87

SHA1
abaedb46634ab8428184e2e1d8a1be3f1d463fbd

SHA256
4791fd11db1f3fd2f065b4e4f647bf8ea618f968cfca298596c1849a667658c6

SHA512
3f4eb2f41e45ebada9b55a017ce70e4379d2735e8c70bba1b3da57d204aa2e4c93bb3fa4d1bb811e34f0a118530b95ef5793e90ae10ccab309548127507989db

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe

Filesize
334KB

MD5
5fea5fd1b03826962b8a0afc7248b711

SHA1
59c1636780aa248226a0dc3ef3e69ac23a6b3f52

SHA256
15842f25f91ec17bdd5d5527965df91814a3e243fb68a0f44a7fd7275d4ea5b3

SHA512
d5c7c6ddd45e7c3e9a2b71dc86942d97174b8bba044b2519d8fcf49f95e71cc0418b00101118f6167603b54f8ad2b244b20c39937d293ff6711982407c61fa98

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\user-192.png.exe

Filesize
183KB

MD5
d48af2687ae6853e7814401aa47a731e

SHA1
1cb5851284f72e8c6796272ec950574e535f7636

SHA256
1a48ad667a27338e16dd90a2ae300ea4b9e90f7a1b37118a91c4163f8436ab09

SHA512
300476e39866870616b7e740cfb56b71b6380334fe822a03d606f83e8e1342225997d4030974aa451b567b6507ec2c5850b731d939466f043eef698792d9110d

Download Submit
C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe

Filesize
827KB

MD5
91bbf4bfe102df63a4b6c3ef84a8a547

SHA1
8113916f74c8dc9ebb4c46d59410ddd77ad76203

SHA256
4ccc77bee8214a161fd910604109832ec6ccbc1bd37c37bab68942db71997253

SHA512
8745f9de85df690ab4ee664214d39f65b6829f8d021a62afa0d59a8226ea13bd2c22e83877ece8504f3967f8fa75ffebb12c25f2244755877422da72110d3e02

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
626KB

MD5
6e7986b65146c0ba38bc88ddbaeac1a0

SHA1
47e24a837b6244fe3c212e557a04e0456e5b7a34

SHA256
99501129f2d5a3c188034891f713b2ca673f01303335e3056c2a1f898767b8d0

SHA512
12ae543049feeb05697b0ba88a62dc89f9f965505bb565b9c4017725d01476d33cb6ae748d02766c0a9d258243ba8f866c0c9f4eb44ab3e6a749d262596adf22

Download Submit
C:\ProgramData\Package Cache\{d87ae0f4-64a6-4b94-859a-530b9c313c27}\windowsdesktop-runtime-6.0.27-win-x64.exe

Filesize
792KB

MD5
f32f379a197de25b491eca993e1567fa

SHA1
4ca4d2bd106dff7a0c1c8856c6bcff3e5475ca23

SHA256
4608f2b2e941b263d0bdbef8b26adc2b56c624327c7f4607873e317a379416c1

SHA512
315a147b9aeaffc85cb08ec41451593040ef877f6440a031ccdab575c9aba0a79077b948ad9230f9f3fb9fd6841603b5a88b6534a12cf1c6f2a372cf0e450fb6

Download Submit
C:\ProgramData\Package Cache\{ef5af41f-d68c-48f7-bfb0-5055718601fc}\windowsdesktop-runtime-7.0.16-win-x64.exe

Filesize
796KB

MD5
190cc736503a849274ec202c6eb88bce

SHA1
c773e40efd3a0b6f67f0c31e058bbbd5f4f94940

SHA256
5784316c82425987ada75aa9e1992e5fcda0cfe0095a14c304526b1cc69a80cd

SHA512
7552c24ce85a178ef1314e83b77d03056c0f625d3c43c96899551e5f6c4814060562bd83cd52306042cf83cc42c434c264b0ff6e81d038b03ba0ac3c1d1f818d

Download Submit
C:\ProgramData\VcYwMcsE\OEsAgsgs.exe

Filesize
180KB

MD5
8fea76aa859bfdcbf8e5d7414954b516

SHA1
3ad306b0a68f8ff68188d24ac90e3ca073d70885

SHA256
e1cb19d7112d024b26a420eb51fa48c95060c6d1c85f9120a4d1726fd3ce28c7

SHA512
1fd24f4fa36aaf4b47a644ee6e94edf8969eb02abff8a9cfc911905f41b5bd541f842c2292f5d6f0fd28fca28c3ee0193e606821b8400705eb7f8c62ac3c322c

Download Submit
C:\ProgramData\VcYwMcsE\OEsAgsgs.inf

Filesize
4B

MD5
d26032df2e9ca735f0cc075825b2cbbe

SHA1
20c98b54fa8925ed55dd6028e30eae27f73de729

SHA256
2a7cab252474aba1a0bda63ff24af77f697a4e416f6e214dd4beb0ae886352e3

SHA512
d88156c7e96c522f03b54970facc8430a4aed70126899f60588b555b746eaa9c7967f78bbc4debcb9c181b18c148be10822b3d360b9d2c79a462693ab1bfc1a6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\96.png.exe

Filesize
196KB

MD5
658e90a9d9e6fb03f49048290fc1daaf

SHA1
46fa0b92326a65e30cda124ac83e0ee094c15bbd

SHA256
8ce0d7931a197a4ce5772472bc2fe4c5487b46aff4212b1bd829f15afde3d411

SHA512
c2512a051f7718af77a7451cd252f7db34fba4595332ed1bfe282495eef14b74fab1f18527055010930ae8ae8026d35d76c03a182e927c0f67e11cfbc205985f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\96.png.exe

Filesize
180KB

MD5
93f9ae77ba18ad9015f8fe5028dc989f

SHA1
dc01eda1510f48d541c8010e7b5d690655e02347

SHA256
3a0c053b0dbd97f3288898866ebf36100c422c7e8261cb76e0ad15825a1722f0

SHA512
317c5c725d26d371583446216f2c32b27354a5a3a94cba43cfe2e648a36b62e1c3a643b2ae2d531c46a732d26c8408002c7a2eab09463a72f8460990b0d1750a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\256.png.exe

Filesize
214KB

MD5
10b7f86e591eb32d20a6906c7899813b

SHA1
675c10058c29c7abf4ad6543b175bd3ad4e41665

SHA256
c506859fee68ee3cdb67a71f9cd612bb118f48d4d93008b590f91fd500ede3cc

SHA512
e79507551a04cd1751d7575a1e6cb9c4f66fac65a36ddf300dbca3f38eeeebd59cb1d7c02a908f1f4c11246863b3543578e72999c52973a8a6d41b0828404844

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppErrorWhite.png.exe

Filesize
202KB

MD5
298fb23adea3dd4d905a84b4194e1e40

SHA1
e3500766c7e1ef6bc103ea0793c2b9202faa6ac9

SHA256
03414f703b9acf3c194de3853327bece2059f1d8380c40374385d8fb2d63d372

SHA512
45b9c4ba2f2e11671eef6031f211fd4994654b2df9863fd6617e4881eb22d5d8ddeb48e2ccfe013cb3ae7c53485ef5d63fd59370dad3e479fe70f7268e7cdbfc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ElevatedAppWhite.png.exe

Filesize
191KB

MD5
3a0e896a102050a7f8d3fedb266569af

SHA1
bf576306d0c5841f8f5c21b6d218a2a8f9e5f7a0

SHA256
0e487cfb5d2ac5755dc53536100cb5dcb127db34c4a62b0ae36e32d3f9bce629

SHA512
6781793659e8b3a593943a1b8ffaf212fdb6d2e9584b9d3301f5b11182c8e024596c6e427b7b4787fe13f06c07f9471daf702f40b2260165c7037bc0993eb4a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaNearing.png.exe

Filesize
188KB

MD5
6cb41707c49840fe1ee1f3c2653b83b3

SHA1
72e2400c04e88fd90972956dcc601ec6874a0e85

SHA256
2d74b0d538ff48d6810894fc1545bc40b5571bcb5041c1bbba947d63435d7a47

SHA512
a904eda9bb288d1cd4d2ec13d057263b1a09e4377e9552776df820bf96100a81cfb616d87f022c3f1b9e6cd25bf06c14252b694c21f8d5890fe411b719739e1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-400.png.exe

Filesize
194KB

MD5
a6e973854a3823246118bd1037b0a03a

SHA1
b6ebe3c1373a45304101a14d8b9bab0b92929b7b

SHA256
8c12f39194a5f05c53f1c2ce09c4244bad32c462c025bdc69c276fcb4421437c

SHA512
535ab91c20b82f60b8005612d37633e447667dc99c1f6441ddee23652c3189d388fad62f7a0fc8a587aa9eb64b8e42f6062d3f487b8f5408d3614a8179394af8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-white_scale-400.png.exe

Filesize
189KB

MD5
26c87f12005b409ff44188eb99f7f1ba

SHA1
1a2c19f659b47ab2c4da52c1635bfcbebb290e04

SHA256
bd935f9ba3c2aac7fcbc4b8141d1bc7252851cc26cdf278f212868afb9773abc

SHA512
1ed14d403c5144c161c4c6220ce4b16a07264a35adf8c6e360f95f7112071001741921ae56e58e3d1bdbc342bcb813b7f16cecb656b3b66fc4576228cfcbedfb

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\26310719480\squaretile.png.exe

Filesize
186KB

MD5
ccbd15b4cfc59860284235d940a4fa2c

SHA1
5b85a9af908e42d7a2d5394fac8c4c869d26f265

SHA256
0d06bd0fcb7aade099900e51240b52c10216506b06121c19c9f1e19795e23791

SHA512
3a14eb618a961ceb897df51d12a050b1b557bb3b5ee9bc40ea3af034c4691519ac6861e6b305c3d9bc2f66e0fb7cff61555d516f5962fb54c653fab2df9d82f9

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\38975140460\tinytile.png.exe

Filesize
189KB

MD5
217143a3c2d808218e3ce335360ae169

SHA1
8b089ea4fed5224bd95577fd1d6e361771e2a384

SHA256
da59fe1bff9be1133b682541c3e2681e7695c25d4eca738bd38fc41ed6fbd49b

SHA512
f2109053c50142e77794409f75cedf2f96b3efde2b6eae8b432ec00619185ddf0d02f401a91b7d3c7f4cb0d82d9c31ab77cb7b99d741ec913bb79f2199d2dec8

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock

Filesize
7KB

MD5
6bf9826f979c572d50358be89bf08021

SHA1
4dd8ea39f0f453b502e1490eb274aafc66ad3a8b

SHA256
e8527f554c14335fd26725ad4c59e5e305fdd64aeb251adcf96ac8f3ed64b70d

SHA512
e65b13e71f3b8e17c8175d537af111c9b74bd9b12ad5130270e093800da3bf1a257a7371aea4e50504f9af581315d0d29b06e1926e25f92510afdb5207d45556

Download Submit
C:\Users\Admin\AppData\Local\Temp\AgEY.ico

Filesize
4KB

MD5
d07076334c046eb9c4fdf5ec067b2f99

SHA1
5d411403fed6aec47f892c4eaa1bafcde56c4ea9

SHA256
a3bab202df49acbe84fbe663b6403ed3a44f5fc963fd99081e3f769db6cecc86

SHA512
2315de6a3b973fdf0c4b4e88217cc5df6efac0c672525ea96d64abf1e6ea22d7f27a89828863c1546eec999e04c80c4177b440ad0505b218092c40cee0e2f2bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\AoIY.exe

Filesize
211KB

MD5
31403c759d39a633b95f182bed1e046f

SHA1
dcb280a280a2db746d70b8f1778b4c3c6185e024

SHA256
06e0f38d3e9dddcb7839d9eaf1e142cdf4d76ece003ae2dac431b0b9b1926d1f

SHA512
aea774691b5c71518e139afb8a1f4e8b38b297339b8813a74ce66e6edda1ff1aeac7fcc0839cfc4f3579c4d4cf863429bc652998436865a91c0c7a2ef6d60208

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cocw.exe

Filesize
671KB

MD5
a3a2f109333710c655f4a290855160ac

SHA1
381570aa51dcbdb1ca87d676b01bf0049a9d974f

SHA256
465fb8f7bcb671e501676d62ca1b3d58ec10b6727e15b9f9e769fa1c5fd428d6

SHA512
6afe7fcae01ffe298cb903d7a0ec1ffa1ecd0c8b3afd51e79f5a60c262fd5e0f8c095166f22e7f39e830c3ce9d7086734deee527a8eba3d2d3984500580c471f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DIgG.exe

Filesize
210KB

MD5
84c84a667de310dd66207d219190a0e3

SHA1
614d07bb6987f1afa325bc9fd73c6cc897ecf503

SHA256
cbe865c7afca51c630b0feb7db53e0e7c1075302b3013a8d7682cba32fe860ca

SHA512
3451bfce58f34c06bad44ef09cfc79b9e0e801de9be4691ed216cda51a36780bec7a5433da3e1bd096a494a68789e3ac0a99a0b9b9950f339e1ea57033ca8eb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\DQUu.exe

Filesize
191KB

MD5
1a4a5dd5441d635b3a31d0d839835da2

SHA1
f9c6e46a228b5fc2c394cd272a53f075b44258fe

SHA256
2cfb91386ade30292308c0db6b6cc5858bcfc7197079a91e0cc491a91c121686

SHA512
cb4fbee997cfdf8601e1d625f0e775efbd0bfc70273648ced63cab6b53a7010a97d724243957bbfb994dd289b82539e359062ef6ef9096fca986a1701582dc71

Download Submit
C:\Users\Admin\AppData\Local\Temp\EIsc.exe

Filesize
191KB

MD5
d25a91de5d69f510586ffe6400620ec6

SHA1
a5d5b9b2fe49770e0ec9e671d62d5211f90d0733

SHA256
0c21be50bff50680562559442d25d04af7bfe30a00c166b7dbfea298ac20dd15

SHA512
465598ee9eec8a39392abc8465d8f44101b796480753f5b30291db4a481319d8a9949e7c56110752ca07cfb5590210699c9aff2769d7dd4c3734183da8bbbe6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\EUQM.exe

Filesize
219KB

MD5
c6335195e2892c892e547f54f896fc4e

SHA1
b7a975c5a0512749e0c1c7a340f7743466bea3a7

SHA256
1b0b8bfdc661e9f6bf08fb3914c8f37fa0555409a46b32aa40b61efa55b06fe7

SHA512
5e709377bb62cb90201e92caabf298b7652fa3ec5354e6f26e190a96664a030a718ce551c5bb386ad73b5822dce4ab7fcf4b7140b0793743f58365056e8a3084

Download Submit
C:\Users\Admin\AppData\Local\Temp\EgEu.exe

Filesize
208KB

MD5
ed0ad808ad062327f2c13173cd4bcaac

SHA1
c2fc2b41796151d5380a592ef9b47566eadae5be

SHA256
1a402cf2400ba7149043ef8de837619d8b007b6b3199c99ea1d8fc6765acf605

SHA512
6f4ee340b65830788e0b66758eef08de4897bba4c4ded9f84271e02067ec28888ba2b5f65b16f89e71532bac24200ddaaa55c57de72ac834e40ea81d1999bd49

Download Submit
C:\Users\Admin\AppData\Local\Temp\EkEK.exe

Filesize
208KB

MD5
0a458bb737ea6d43e72272257897ae6e

SHA1
5393bb120e7dfa771afbe895488f5698f835af57

SHA256
a54d9f626c182c4f7d4ad7bae8e5e29cd3cadf02b8a4ca4f40e6ee9afcb4badf

SHA512
db61fe40730d76ff2bf3463c83d6e9a6cfcecbd6ca2c8f09c6da39e06216f58181b62eea7a7d42e99af881d55e3de865769bfdbe23d5564347f040e3a5785173

Download Submit
C:\Users\Admin\AppData\Local\Temp\FIoe.exe

Filesize
219KB

MD5
a593a4b834cf3499d7d02212153f98df

SHA1
2514200160233eac6a3b3532a3852339091fcac9

SHA256
ff9ee83cb92a74ae5a11a1f357cf904ceb4fa1275db03b2ea793b07a6f31a23a

SHA512
7b9cb7f73615a847207e6a9acb18c377d895c4ca8fa83799366433c187bc200fb8917191457ddbd0112ee1f49e73a05a6b02857686e3eaab1997b8b526d0980a

Download Submit
C:\Users\Admin\AppData\Local\Temp\FksM.exe

Filesize
219KB

MD5
ab15c3f29ac44c49142ef47a7deca032

SHA1
cab437ee4dcce09341aa429b679c6f0e8defbfc5

SHA256
a61ff3b38f9250145025f6654256d658ab3f7e3e2ccc2ef21e0e58f4a41bc582

SHA512
12439668b62b59467af3dce83d6e245bfda6d0d6f3c18da4147cc55d1ae01de4c68981bc3b00ac5c51431d6699ef47abcb8571aca1a39cca0017a2693afe67fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\GEUe.exe

Filesize
206KB

MD5
a688ca31c169b54ee5d2d6fbc7757269

SHA1
5cb1cdd867a9b1e001aa076b7e9355a954d6be6f

SHA256
bc225eb4f9b41c506d75fc3ce7ac92eb1f9f1c86a13a0f492130876533ba99df

SHA512
1a1de4e423f326a476eaf5eb3b2c94f242f1c6b3a2f91262f33c8b4dce819365f2153bbf34416d3a848ef7c6d94ed27d2e99c829a1cd79c0e2e2ef01e5348f69

Download Submit
C:\Users\Admin\AppData\Local\Temp\GIcY.exe

Filesize
636KB

MD5
0c5e70d2750e22d53118cf7b8d442867

SHA1
7a6f42ae2dfe958187af95b07ba37abc29c2b87b

SHA256
5fe8caa6ddd934fed8467ca324c4736a5cfe6a9199bae615faf89daee81e135b

SHA512
68a88a7c937e4cb0bd7fab06c25085024e43dba165dcbc53785c39da5bda58d53dbcd8590570fc3dd134bd3e3953a8e200800a758867c6ca4dfb4b015b835fe3

Download Submit
C:\Users\Admin\AppData\Local\Temp\GYkg.exe

Filesize
197KB

MD5
42a7497026976c67f16e1be43cfcbbb4

SHA1
5fcf7d94457c8a3768f12959f66fca185fd38c0c

SHA256
892330bdc6d5a65513567751ec76a72cf04f53107b7a56fc1dde0ad2f1376ea3

SHA512
dac4306a46da07a475770f637db1cbf6e42a3a46b9335a838cff76c16c3aa782b9cf113f30cd9007ae67046e03d32f776aa67ca84e4418ec675fa75706bc3715

Download Submit
C:\Users\Admin\AppData\Local\Temp\GccY.ico

Filesize
4KB

MD5
6edd371bd7a23ec01c6a00d53f8723d1

SHA1
7b649ce267a19686d2d07a6c3ee2ca852a549ee6

SHA256
0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7

SHA512
65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\GkwC.exe

Filesize
191KB

MD5
515f8abf6313fb183f18b74a78ee908f

SHA1
f8ca1db6b48c4d67d46875e4acafdf4f521b41eb

SHA256
b83cfb6d9f836b636e1a4fb5bff40fbcfa21d9d3ae77b8b388fbb302aec6944a

SHA512
e2457af5f4743cc79d022145f950b439914b5711724b556856632534cce36c427310e23e22e34377c4c41c3ac1427f00ea84a011729625ce34b1104269d89553

Download Submit
C:\Users\Admin\AppData\Local\Temp\GwoY.exe

Filesize
199KB

MD5
edb7e1fd08b295c2df2ce1a262e87782

SHA1
04f7c7cf67bb3368176d83f4aefdefb631242765

SHA256
fef5004566f2f8191e9607a7672df51e24cecb32a1a7d6ec15682f3e8322287d

SHA512
c5780e92a9ceb07ecb7b16ac8f43401a2ad0816072665d60f9c0169d5b01eef0813009b156189da7bf7cc8aceebba8cb85e9ba85eeb9cdfb43e221f038075f4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\HsoO.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\IMoc.exe

Filesize
5.9MB

MD5
b98962101384f32e953be2b3f567a2a3

SHA1
37bbed1419af128db5f8e07149d57f51cb1ad544

SHA256
ee5055d8121274b61fcf61d7f282afc6f18169b37c17feb36971a82aac974415

SHA512
bd1f49fdf2d1dd01a55e8e4fa72c6a294340ede9747fa30501c5eb3f0f007c11724fffb0e3701c2ddfbb6977f57f3a02326114bd16d6b88757dc52b94d939cb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IYwE.exe

Filesize
5.9MB

MD5
87bfb34f7558df87318c404ec189134d

SHA1
9825e55c2e9c433192b6f07967ec9a423d9d1c0a

SHA256
847268c54ac3b8f630719ad7815bedcd966ce5df93cd502bba237581bb730a85

SHA512
ef307ad24e837610c2fb174601838eaff1ad71f1c00ca51d0fc69e29a0b176af0160d8ea20a6c62b1881f8445f04d78609f42beacce459e344d4692e226e5ea8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Joka.exe

Filesize
320KB

MD5
fcceb0c7aa5f970414b6d284630d0836

SHA1
55d6ab7227fe9f7bc0e8e4c70342d4019fe70b8a

SHA256
10aacbf1fcbe5aeda56947c6079e5388da4770548a6f698948c00790d807fd18

SHA512
855a783af153e4f5ce3fe9730802e2b04866ecc34f3d2b8bd07b2f484ae750e4dd68dcddbd50234124cd9585adf2314e179326b6dc861db5722a1af350390fa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\KUcM.exe

Filesize
641KB

MD5
f4435e4130607254dc6b6aca2bcf6a68

SHA1
97e7551ae9450bcbc11443b78992f367f6eec95f

SHA256
0a5f07624c52876bec4362549328123133ab5c988047549aabe3eff83c8055e2

SHA512
96c487fce0ee835467a073782e7c087a19d35d6aebf84f165b1ec30d6b636f3c0f871404c97fff80b6fa58a2ac96b9abaacf898379152cf45886b0bae65b7c24

Download Submit
C:\Users\Admin\AppData\Local\Temp\KoMm.exe

Filesize
189KB

MD5
167a318780f54ac81ea94863ff66c5c8

SHA1
8d4e2605399a2d58e5b819b5eb1f266fb71b52f7

SHA256
ebf590163cbc45fb5935421fb9a057c1da16d9fd5ac1c026eaa39735144ab65a

SHA512
8761205693140b921266e51b925f82f24b5e16b8894476bc82fd7bf2d4508851cacc9ea405b7bd10f373137515ccd1b17b9175f27c06a27e36f39ab9b7e078ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\KwIe.exe

Filesize
227KB

MD5
a21aae6c05c9ee408acef7a1de2012b0

SHA1
0db8dd4457a515f9149307802dda6eda0c0a613f

SHA256
19a2f5c52d483ed6a7047f44acef335661072e5b07659baccfff33353edfe174

SHA512
f0ef8ed3f17074cd785899782be2c5b54e440bce4d5081bd7f09028b9719ccdfced4f00ff5e516f0e094a0cb2bc55fb078b714b908c3adfa6dd6b86ad742a3e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\KwQm.exe

Filesize
828KB

MD5
f8885bdf60c54c18314352142cf252e6

SHA1
ee1a7d8fc6e2570612f46ef3bb55eeb7b2ab999b

SHA256
00f34655f57e70400d376e1a28526d655d09727e41ea041b578c156ffa75438c

SHA512
9b89aeb5fc4f74df6092b73b701a9c276f20d2e5bf97a68803b684204408dd03e16eaad0d318e9817ff9f3d203f449666c63168ef26c84c351d8d983725e0f9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\LQcI.exe

Filesize
555KB

MD5
7645d1775a09aaf64c95c854c1df7105

SHA1
473c5001f2450886fd1e6d32d4aaf9d2c6124376

SHA256
d2177ef75a21a8d7a59dfa260c052fe35c76bda45f8751ce3e8a65413dff66a4

SHA512
d2b7e947dd0700cf0caa595b9c1752f9c884f5e6d9f7f6c6e500fc7357a465dc0d710d60be9b8ef230f7245dafb0b007dc0f096d17d7f7a295c5093581d2e633

Download Submit
C:\Users\Admin\AppData\Local\Temp\MoIW.exe

Filesize
192KB

MD5
9dd5fe43afec944a523532d3e471558d

SHA1
cf8bffadd480b142acb012d160a03b9ad961a892

SHA256
81aec775982dbd312b7a7bb9f55e580d8cb41fa442fcdd9a2296d362d773be68

SHA512
3f12b144aaef427d07e8e8653a1aae31921e496d9895d0627231c509b94f66d1e9b4da3fb554d9fbfec99a310774893a2dd0d95202a02f9e0af598ed24953ce8

Download Submit
C:\Users\Admin\AppData\Local\Temp\NQAw.exe

Filesize
199KB

MD5
d7430edfe5d574e558353f3be6e41a1c

SHA1
8c09e66eefd975403d718ec505a7865c01e32a5e

SHA256
11a8a23fc452b24d91c0bd9c5da646509ef9c94428c410eff233f863bc8b656a

SHA512
a6cdf5b31feb15f08cac0e1f0f5dd53c214574a8fb5a478e5a93ca4c45d7489023af38f9c2785980a1840baf7517045cd24b9bcc6e2bc322ba9fbdefb200150a

Download Submit
C:\Users\Admin\AppData\Local\Temp\NQIQ.exe

Filesize
190KB

MD5
cc8a01957c60bb80be0549a50232ca68

SHA1
8a361b33d67f7de5dcf402cb6422ea817d63b7c0

SHA256
f2abc7a00bed428e45f40d675c2cde425390639f67523cc6f79aab1775c80e9b

SHA512
31cfff002816b790ba383257a1d3c0b06cef3b3cdba126a906bf38232eb41ae752751601890cf3c765903ae54fa2be1cfd69ac8ea2d5dc3b95faaba165256845

Download Submit
C:\Users\Admin\AppData\Local\Temp\NQoQ.exe

Filesize
189KB

MD5
b1f5437b4f370c7675b0ed25449d3598

SHA1
0834c18ced3f6f5d09c9f44599aa97f8f35bc7d7

SHA256
78451d2b53ecd3c695178b9b0c6fcef954ef5e3dcd7fa341af57e8b821c8531d

SHA512
2749ede6997d378869e76138090f8c5572b7d6b2e456ce77ae87d93d7f52211af70da1b77beaca1e9b0ff6890254b6c135ca77999c75224895be84505bd30640

Download Submit
C:\Users\Admin\AppData\Local\Temp\OIsQ.exe

Filesize
195KB

MD5
3f98ac4f387aae94a1f5bdce0e7321b2

SHA1
8822c25a000f5c7d43febb7c0c1485f8345c12b6

SHA256
1f18636216176d700bfa20ef2556d185f47715a31cd891c214605416b34e49d0

SHA512
eb67e9ba6e733be4a751df44379f9b793c6fe38e79625df63541d1a1451f21a9d8c7913d05ef8c2804502e35d925df001cbc3873cdf2d05af176c5877a6f5cc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\PcIk.exe

Filesize
199KB

MD5
3fae05a282d9a6e3b1e3173e90230c39

SHA1
f6b7189792f5c9487efb6602b1bdc940fd1b898f

SHA256
24cb4d6a8a9d59c5b3d008efcb98a49dbb8e7d039a020edbe54ddf72e001851b

SHA512
e6278bcffde071af6b4210f965a1916953d62397cebacc1a0c09e6615d5b2066ceab52b3e6e5e359f29bc9128ff735e19c44ddd61836e49bdd1447a6b6aa5478

Download Submit
C:\Users\Admin\AppData\Local\Temp\PcUs.exe

Filesize
643KB

MD5
48d64f522d69331da36f2514bfc96b72

SHA1
cda310d8f2a0a6662f380a3efe6ba74ec900b19f

SHA256
f5197e4ad449b089250fd56b1d3f643d4ac2cd3ab8f09d9feaf45bf0c275237b

SHA512
92492912cf7c5873fdf129d9b0df8259a4295b7a702fb0900cc108677c2f6aee7ae419d40a200bd969e5784debb0f8b1bdf78ac4a453bcb0c589b919ef1d730d

Download Submit
C:\Users\Admin\AppData\Local\Temp\QEIS.exe

Filesize
684KB

MD5
d7b99535f13eacf72118d44b5d457570

SHA1
8b8647afd6ed21c376d38a60f42e38fd9927cce5

SHA256
bb1e772e54e071a6128c2711012120a8cee80b92c0510f1482b353c233966259

SHA512
411c5ec355438074c0ba47c9963225036d0076d9bdb21301ab0fa474a755d984e7ec469f3c74b836dc76e31fba12e6116f16b8fe63d5640ba220fc26b55f6420

Download Submit
C:\Users\Admin\AppData\Local\Temp\QMUq.ico

Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\AppData\Local\Temp\QcAO.exe

Filesize
218KB

MD5
fe4577ac7a6d639a5ed9509811166a94

SHA1
e638242dff578bbdabccb159dba6195d21c23167

SHA256
4555159a715a8af889776fe72774c1220f962d9d21fc9f19348b862c0ed26532

SHA512
3c5c07f1fd08517ebf516f27760531b87a7bf641be2d3cfbf844607ab2452c85f230e523515e87fe7efc4f5324684d072e7e023be27683170e4ad919774fde48

Download Submit
C:\Users\Admin\AppData\Local\Temp\QcAS.exe

Filesize
211KB

MD5
fc341bf21a0507449b054cd40acdb789

SHA1
36e130d576c35a6d71fdcd0df8eab2a3df9b2e0d

SHA256
bd12ed375c6dc6f4879db0657a9f029fc824dda441eac9625ff5d8e2756ecc9b

SHA512
e0e93715766f70b844d33945fb886f8f2c08078232c45e115ec84dac42acc6ae6ef397acda65b3fc688011c93765754cbe80eb37c794e8663d2cc2b9b3d9b43e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RMwe.exe

Filesize
201KB

MD5
aa067d5bb84335f6fac3f329f67f5e88

SHA1
50328884fac3063cdca770bdad260a5b0a8c05e5

SHA256
67e40a215664fcaf08fe6501c667ffd7a2bf7de8b17008012083c37d89f02ebc

SHA512
e5a7b83dd0bab485fe468fa676f7433030d70c865c500cf1b410f4dffd7529afe444c1ba303e59a8b1db6da4454c612e82f096fe419fe502b07c63f6ee0d2b74

Download Submit
C:\Users\Admin\AppData\Local\Temp\RYEU.exe

Filesize
226KB

MD5
ef41a9e54f58b8e301819cfcb736972e

SHA1
2497819713f5728ca0b3efe1eed91c51edda42d6

SHA256
ba0ba16186788c94ed122b02d784a4d0cf4986821a042e0cac187ccd85cc3782

SHA512
7c2a98c09fb283164721c857e9f5c4863ef437a2743bb4f122d4cb6b374bcf02438e4d949ebc7a0b77b86eaeac97f8c986817220456304224fec3b2db17ae9ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rcwg.exe

Filesize
1.8MB

MD5
4479437e2fbd0ec32cbe978a44c3a11a

SHA1
b473d3c15286fe2531da0fb0a8dbd049c0f36b94

SHA256
19fab0fcd5406d7adddabc14579854ff82b95d949df5eec1e3d6489a76e941db

SHA512
bbc3272bbb8880d5b6a47fc069fb045755df15ae79e886563a23f5ea6233d1371df721e86451582f35dc4da98d24c569904625afc1040f23abd2b01c67dda777

Download Submit
C:\Users\Admin\AppData\Local\Temp\Skkc.exe

Filesize
205KB

MD5
615a9e29a829c055b0da95cb0a7c3ca6

SHA1
3e3e10b58825eff1f5ff8d485c481c0807520881

SHA256
d2c3da7812c99b08f043580d30770d16b9d47e01a0af57518c15a782860738c0

SHA512
cf6169d889d25ef997e7ae81f1c592892bf43f76c1719757afbbe2518f8568bcc027128ef86b863bcd695911878ecd3697113efef7e541ce5922fee970d4d493

Download Submit
C:\Users\Admin\AppData\Local\Temp\SooO.exe

Filesize
196KB

MD5
9a01cfe37fa4358ab5e3695e403eebf9

SHA1
10770be9264c3b701008f7312bbde53ad521f15c

SHA256
55ca9bdc3ddafc4f828a56ec8ea2e836c5bc2e788563919e72026452724fe2b2

SHA512
2fd6eb4ff3372eab476990bdba635846a09163862b7e1adda04760a502aca3a3542beb60013c71b642c0e58ecaf89713d7ff2ffd34324176bd9c6c8877f3b373

Download Submit
C:\Users\Admin\AppData\Local\Temp\SsEy.exe

Filesize
204KB

MD5
ca1e066a4ab53d82c68baa381aa5c689

SHA1
06865b41d0b1ed0879f54b920dbac9344dda8ab9

SHA256
db58454c281d0320ef215ea59e5bd958b3d511ab4683bfb874476d82526876c9

SHA512
2c06ad32edbb4fae5948e1c8dd24e344e6c725a402727c7a0475a6b3ccd6c1421fd33e27bd8e1426ecbbbeba06b0c0ad78db13aeeee28cb162c4b71c247e7436

Download Submit
C:\Users\Admin\AppData\Local\Temp\UIEa.exe

Filesize
231KB

MD5
433c47884214eb09e24a933cd2836cfb

SHA1
0cfb340822d490e3d3f7b7e508029e109c9fe2ef

SHA256
0fb9c681660e5964b1ecfbafbe874dc91d7a06494a3992709e4ef007538ffa3f

SHA512
84bd483cb92733e0fdf6eff223a1f2e29a4de08278c649479e7b93c5887406385412961891e86720d9a2824165956d940c5a92d4aa5ae14946dfa98232dec426

Download Submit
C:\Users\Admin\AppData\Local\Temp\Uggc.exe

Filesize
5.9MB

MD5
78ecfd5ee674b9e9881524f7407cd3f2

SHA1
c66cd39b7d9fcd701a89a4c9fb433eb583da5c8f

SHA256
b32548bc00e0863540e6074173ea8dd4200e7497dee2683dcac552215d3c70fd

SHA512
e5ca8d65171665691ed1ce30e3f02c03f09138bf0933e180c61fcaa86034d6ffa5e70d257419b38b0214b7e993a6a2c731f35c4637eb9c2dfce07cd332a8d042

Download Submit
C:\Users\Admin\AppData\Local\Temp\VUoC.exe

Filesize
770KB

MD5
ff28e3f310e269a8c072271e9ff90dba

SHA1
c9babda9509ef581dc82fdb42748ae5658156300

SHA256
7854df82c5bf7a10c6d19baba97ad846bfbbd51b5a812398e5c9d4463befcd8e

SHA512
3031c40a533efdf1556487d84de6285d3865d040c9dcc686fd317a8986c4961182bfe2ca3aa0a7eed129abfe26bd5c8e0f97a75d92e166a3f132992a5b646c82

Download Submit
C:\Users\Admin\AppData\Local\Temp\WYsM.exe

Filesize
787KB

MD5
bdab095c47722224330506bfeebddc1c

SHA1
509f197cf215a34cecc7913024b8c68894cd1a82

SHA256
9f2f3e2b4bca8a8ea00362a451fa20dd185a80f649d6913cb9099947e3da5806

SHA512
fc1536b3e0f9974014839b806ecff8a6ca4c7bea6a1f042862fd8e2f2910d4d2b2958b4724f84f8c63f71e13a269f6e32fef7d51fb87d957e4a312ee12ce999e

Download Submit
C:\Users\Admin\AppData\Local\Temp\YAEO.exe

Filesize
1.4MB

MD5
52d3aaea31a760e486e0088f6c2fef1a

SHA1
8680c32e57496a44a0531d90a1abd9ebb332ce16

SHA256
c06723003d07b57fb19a37ca4c7394b767ce72f23aafdcec0ccabc1c06d61baa

SHA512
562e11b54419d98880ca79dc4e4fece3efaa1cae7c39906d1bb0881426ebc37cf67aeabb0f165904baf01144411bb5897e2ddd91f0d9636fdfae7ec9f8d81819

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZMEE.exe

Filesize
203KB

MD5
778da7273ac7b1ebb5fb685651dd92f5

SHA1
17577a1fe9874330297496175487f2c65ad4c3ea

SHA256
33668e15c626b76c59d5dba1a91bdef860dcaefa5ca48c491d946e712d71c3fa

SHA512
cda17ff5969b86dc4e9c16ebb0f0b586abbeb5e31617b4f70a09673a5f83078168d8d8aa1bbb0a27152ff7916c3a006a837fd98864a069680e01a97d0576a45c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZMcc.exe

Filesize
204KB

MD5
a83c09960dfcba18658cf35d2a084d0c

SHA1
c948a4f642b0dd113eb269bc0ab87092054b2d41

SHA256
3b3859245f990412c148cab585ec5936a13330979c595095fe410329c5025dde

SHA512
ea7d512807786f15276a0c75c5bf51b1cdcdce6ecf53ca5cd80fa5dccb19486430722a2f98794fbd5f36b63d3fa4403b426da933513fd512b5d799c4b0250ba9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZYEq.exe

Filesize
197KB

MD5
5a3010ae7988feeddb5df8854f4cf14a

SHA1
1b0b21b6d3c7bf0e508c6322a5d8dae541c79a48

SHA256
6ca8b7d186d19d3965f0b0d3b93a3ec419aa6579e5de9c0946099f9d8372e7c7

SHA512
b67fc2060ad484c4afc445b0dedb8599d5e7ca36feed83aa49119a26370889f52da03420edad1c3523c9cf8ba7e38204daf457baaa367231dc5bb59f823e472d

Download Submit
C:\Users\Admin\AppData\Local\Temp\aAEQ.exe

Filesize
226KB

MD5
9c153e4b61e7932fde65fcdccbfc913e

SHA1
6045c41846ee04b35ae488fd8549427d5aa4be09

SHA256
45e353f13ee015931b904dec94fae0d6380d41bbfdf71b3085a3bfe1fcfd3fd1

SHA512
24ca7ff58203e402a21983edd5616bc9b628e6ced209e1a04afbcf277dd2942dcad93052ef57c4e0a2b66ae31f212d7104832b6275f5b33510f27ce55b422055

Download Submit
C:\Users\Admin\AppData\Local\Temp\aIQC.exe

Filesize
190KB

MD5
5bdc8496d0750bca5e06cda558658997

SHA1
08aabe45264851185fcf466f8d1929d5d852ee82

SHA256
e50305f69e7ab4f1e315750ca71a90e064947f150ee20c597e521cfe4e29211b

SHA512
430182430ec30fd512baf560738d3083e61b22abd1705f6ddcf8d60405969bae589d007c5e0563383a2837a6320c8f8e75720b3a84d314d3d0ca542f0d9c6257

Download Submit
C:\Users\Admin\AppData\Local\Temp\askK.exe

Filesize
196KB

MD5
0b3038269b64b33523f71c982b57cd4d

SHA1
b0ae88d6478b40dcc2717c4372c27cd03ce865e5

SHA256
8bf01982ccbff2fb2a889d739aab9b386803df11bb57cb009ef3b1b158d92643

SHA512
88f82c198c64f822682dd2b3f65484c8e7bf9f1b91c1a907076ecafc142e3a62888cd3b940003d42ba196b5e00b33c0d8202b18cd0eca7a885758c0641d6540e

Download Submit
C:\Users\Admin\AppData\Local\Temp\bkoO.exe

Filesize
214KB

MD5
a9df61e7db129b948eb5f6993dbc373a

SHA1
ecf0255b1b29bc2ab2948a26af0c61b641261560

SHA256
88f5423a078d9752c919f7858ae8905b81396b9a65f71ccc4b7b3634ab082172

SHA512
5a266fc39bef741fc78a3736141baef9474a9b2bcfaeb1037c8ccf7972a561e39de3ad9f1bb0dc5efb30a14fa47f6ceaa579c1ae619d0281bbbc9aee92479dec

Download Submit
C:\Users\Admin\AppData\Local\Temp\bwUS.exe

Filesize
195KB

MD5
012a139537206744d4d86b5e58e189f1

SHA1
3a23c14c450b3c3a261aa0577ba7a96ef0e4e9d9

SHA256
791bc7e74292691bbf5806e3840b29e2d07eb84c1b11f437803aac209b9cf3e5

SHA512
d06d00061bf7c58ff99bdac3bad8472ef59b614ec5bb42689e9de8d817ddf81d87d18c211f20c3ae7b44d660b3cee31b1ad4b46663202ec85c6e7ef370458081

Download Submit
C:\Users\Admin\AppData\Local\Temp\ccIK.exe

Filesize
205KB

MD5
813a3137c0cc8288dd6d59929cff704d

SHA1
d866fe822bdabeb791870c3c567287f1bad9a292

SHA256
2e170d6bfd34b72c084c2520a236874dd50aa553cd3cc2cc9945bedcfce916b6

SHA512
1183eda8b42ca92cfbeee96f4d0de35c9740f79e3089545613fdf9c559f99108b3cdc568b39e062fdadfed94fe3c48f135ea1e83454b9a75c8ad9aa5341b16f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\dcQs.exe

Filesize
189KB

MD5
fdde55aae59f8d50ccef6c94fb928319

SHA1
aacb9898c93b51e2eae55000a50437450ad454c3

SHA256
58a0b6d853dd41d084ea2bff98175cc893ce486908e28ca75336322fcb12145e

SHA512
3e01533e496240df83f21b39343ec0a05e4da9c5d358ae3a3ea814e592d3f19af06987b0e2bce75ef2c02a880cdc62335dace8f771dc38b9ff9856ce5500723a

Download Submit
C:\Users\Admin\AppData\Local\Temp\dkkK.exe

Filesize
473KB

MD5
c2319f55999a88579c77cd95028fe389

SHA1
cc8b89c414049e035fe335a88643c2461722cff6

SHA256
3c25c073caa58e4a8c064c60b843dadb4fe88eaa41f2dc2962500130c0695b02

SHA512
4ae1f61b5bb31bc8e5b8ddb1ab09a2693041bc3781ac261a9559d7b607d5c999810e41a27b59bdde005326cd0377f70aa26483fe1181fdba136ba5fd9e37a89b

Download Submit
C:\Users\Admin\AppData\Local\Temp\doYg.ico

Filesize
4KB

MD5
ace522945d3d0ff3b6d96abef56e1427

SHA1
d71140c9657fd1b0d6e4ab8484b6cfe544616201

SHA256
daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd

SHA512
8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e

Download Submit
C:\Users\Admin\AppData\Local\Temp\dscq.ico

Filesize
4KB

MD5
7ebb1c3b3f5ee39434e36aeb4c07ee8b

SHA1
7b4e7562e3a12b37862e0d5ecf94581ec130658f

SHA256
be3e79875f3e84bab8ed51f6028b198f5e8472c60dcedf757af2e1bdf2aa5742

SHA512
2f69ae3d746a4ae770c5dd1722fba7c3f88a799cc005dd86990fd1b2238896ac2f5c06e02bd23304c31e54309183c2a7cb5cbab4b51890ab1cefee5d13556af6

Download Submit
C:\Users\Admin\AppData\Local\Temp\fQwa.exe

Filesize
421KB

MD5
eccb4610a29a710d9bfbfa28be752984

SHA1
469ce43da4402586f84108b7357b53a913cadb13

SHA256
f0772307c49edc04298a7aeff99055bc62c3f1cfd0a249b8b8052a849ffd19ce

SHA512
b668fa7acf33eb68d05c479ab0f1eb597b839559bd5713b152ec6329faffee17a28dae4395e76dd950b25f5ffcc6ef87786d4d118fc9427777fdba1a678d8872

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\hkwkcskg.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\igEm.exe

Filesize
211KB

MD5
c7ded1400f21ee163d68d6828fdd3451

SHA1
cd23522efd955af0f1b2245361128691bb57a340

SHA256
241cf3418ccdeb1f93e45203a970dc317cc8070b9f8a5050ce5b21198a097c1c

SHA512
0280e43365a09ad2e0106de53f13d662f82e2116d75f8d1c6959e2acc8d55eb3e4adca4fbd15fd1dc26249595170b228ddac7ec006cffd7292789a2cc06c4622

Download Submit
C:\Users\Admin\AppData\Local\Temp\igom.exe

Filesize
813KB

MD5
c152c6ebdbdad61bdda16d5bd79e7d5b

SHA1
6b4237771efd4dda96a02709e41e37ac914b2ed3

SHA256
469ca6ab14049b91b9b45481cd00596bdf88ae089719fdd0d0dbf197adc58aaf

SHA512
6a987b3f894ff7433448f02751952fe9b7165f1b3858cfa75160a76d6af40d7c23f28ff9fcbb74d417527f3f6433d164882e2fe5ca77f3532df983d57d6742d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\jQUM.exe

Filesize
221KB

MD5
1bcc8bc64b704b11217c8d9d959fc19b

SHA1
d36917fc15e1c61fea2ebe6e6121d72dd39731c1

SHA256
c33e3a7bcf72161c253fc4e145704f2cdbd9553941a1aeb0ac0cff3125bc86c1

SHA512
bd9b4c6fef41956a38d89d89eaff563205cc5c5d84589096ce4e7f38c3266bb32ccf2fb0e58c1695150387c925571cbc504491b9e36ff85e3f8ef6dad2f35cdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\jYYW.exe

Filesize
462KB

MD5
59a95baa27e17442743c2c423c595016

SHA1
346c1dbeeca3fbc31ab90337abaed31ea1c44201

SHA256
c122715e361959bcf24cecb79e5038ef3659f94431452c08a2375b26cfcaeb24

SHA512
f7d1b16b98e3c2d06c0129ce289863c1dcffa5516a76775dd36dbd56aabaa9428aa67058f249ca7ab5287268264ecff84c8ad0be3c4c809f6366d2c10e344fad

Download Submit
C:\Users\Admin\AppData\Local\Temp\jwso.exe

Filesize
267KB

MD5
3737d574fd6e0430cb138a32311db9a3

SHA1
97bfa4292d89e12d2583476ccf014cbe5c4760ef

SHA256
8ffa58b19767f495b969be55af66016ee681f67cc2bd53e2ea236730077dc894

SHA512
4d4c3066a6db8fbca10db7761594da8dae4ac469b28b7eaecf299c3195b98fecf036c70b4a318f8ea84d89b6c465153bc02924c2fa1b90d6593284bc9dba5c86

Download Submit
C:\Users\Admin\AppData\Local\Temp\lQME.exe

Filesize
209KB

MD5
f0a162e710101bbcfeaf705f1b749de7

SHA1
26c287931ad04f1518029ff45cc662799a17e586

SHA256
7aa610cf2bcbf2c5242be57bb07d70229ee7c1817ea02cbf4a470ca7164a0352

SHA512
7eec9c97e0c9287ba01ea2bad0ef6d6f77c41346857a6a8942866924c69e006219267a044df5cbde06a9a5d0b82981a7be635fa3b38805f3465ebefcd2669e9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nooM.exe

Filesize
197KB

MD5
95c46eb498dacb0b2e174a931119a6e4

SHA1
070dc654ba188a6bdc9af2f8a1e39095649a54ae

SHA256
d70fb61d6d04f1c95d461e93756a42d8a2e69e36ff7099e4b73c1c87c2e88255

SHA512
b234c1017add394dcf37349b99d41a94802f79921aa03bf4a2727f3c00d7e834f55c6ad815267b18ed343d4981c66b6590b326df998ccbf6d315fac237a495d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\oEQc.exe

Filesize
5.9MB

MD5
22e100a3122df7deb854bf584b95f275

SHA1
2d809e5672459b72b2f02905f32a3dc2196c897e

SHA256
b0fd3fce3e3d2a85f7b81817cdd4d824bca72546b5bb645c33da9eeb0e0bf952

SHA512
4a7b0458a608856ee2c728fe16143d91c551b0d3be2ee0e1d5c7d7750c145b8db63b30217e0c89211ab2f468a8a9e4f29b5934157fe2a0b20f62a4371f3fb16d

Download Submit
C:\Users\Admin\AppData\Local\Temp\oYQW.exe

Filesize
190KB

MD5
ac3c75106f9bb9dab230e5184d501021

SHA1
63a533d9e71af463ad9ba2cf1f68dab598069509

SHA256
edfb1b390219eb6b411787412f611e55001450f37835bd0c4f3a08637731a371

SHA512
e022ce12e583ad366fd0e34750500ef9e914a4f91974e40c8d331b26045dfa7a26c97bb6cf23e26b5ab64fc10c5e7380b19b9649e2723b2fb6c66eb7cf51b079

Download Submit
C:\Users\Admin\AppData\Local\Temp\pYEk.exe

Filesize
199KB

MD5
fe26954cddd50adeb4dbb509ea25adcd

SHA1
61e44471a4efa7a30100b25c20f8bf3b73a8229d

SHA256
d845bcea588a42c829a4dbeda05249591b7708f74188737c418080711f256a07

SHA512
d21d8b11337b36574b8ffed6e231e61c651590da31d85a9ae5204bff53c04df2d4073de42ad68488081dcbcd5ded269d13eba58ce81ed01342b3af10d648bd52

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkMY.exe

Filesize
204KB

MD5
4b076742dd8275c0ee0f33d4e45aec78

SHA1
1dac15a55db5b8a54d3b97f0274a71a6feb94cef

SHA256
7b9606b439ddfb864680379b2b71547bde228239c6ca20c72e139f9f4e6cc777

SHA512
7676668deef3959cb380d884d3fdc196191bdb39e83c0f4c4e5780207611bf2d720dc9262c4d90549496f81087096d41560dcae54230d9cd46af6478a88b907f

Download Submit
C:\Users\Admin\AppData\Local\Temp\qsgu.exe

Filesize
200KB

MD5
a3ef5a8c177816f2fd19cbe691ebad04

SHA1
0f367dcf6c63524a5c6a6868b7fce571f7e2eb7f

SHA256
423174f9e24673dd876ef38f5bc8921f305917cc7d4f0b839246b97d483928ad

SHA512
2993a6251e1f8fdf9b62bb008a196bdfe4fac9bb3e1a02aa1eb4f3962ce0a840f2f603d1c93325063e01eaa08808fbef6215970837aa517b22cfc9d53cdeaab0

Download Submit
C:\Users\Admin\AppData\Local\Temp\sMEm.exe

Filesize
192KB

MD5
7e3e08c5e604d770ca6f211d865fd8ce

SHA1
cfc4ccaac4f84aa7a8ff78bf8b0ca62a9a4a0915

SHA256
0ee8c4aa46b0d9c9c898a054e6f4ad2602a2477378e6e15bab90f3e70c7f6a55

SHA512
429aa4ed6a015d11eb4f00c781bc18af0654705463018a920030cf2c81e639f50326d956bceb50a082a7008c7548228913df28006dadfa4541649aa8bc115ac5

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoy.exe

Filesize
228KB

MD5
f83d05c1aaabd97a98b3e1e97324e707

SHA1
f85cbeb82c2b152228c4dc04c98185fdfefd940a

SHA256
bfc0c6c549b757cecd33deea447f94322e842348f1ed91d94a3f69cb5da8d68f

SHA512
d82988f92f020ec84162eb6397e1c5eacb931b81d930b4db6591a42966577577d06f48e0463c18620e09b4aede19fc86653c81bf73f8c2559242a8c88013055e

Download Submit
C:\Users\Admin\AppData\Local\Temp\sswm.exe

Filesize
641KB

MD5
0567d73d7a19e1054855a390cc99eb42

SHA1
00bc2c02e6a2c219b3af600f4f7bd80db8991355

SHA256
0eb957afd37616a681e6dc3867577367773236e6ec73a29b29e44be6b64f29ed

SHA512
b57968d8f129374be6caff67727962d9d1ad42fc67a764d31674392e83569c1c470afb01bd4dc447f8ff3c3607462fca98603e37548a0b9509506bf40eba5a09

Download Submit
C:\Users\Admin\AppData\Local\Temp\tAIm.exe

Filesize
198KB

MD5
792fb010142b01a808b2f10e387d36eb

SHA1
933a7bed5bc7fdac6b1831fe63cddad651184c7b

SHA256
a05087e7dc93d7cc5d96ad472983e2a23c6cae53e384c68b9c5aba8c004e2cdd

SHA512
992171d02be0aa028abed818b70a766f822096928743b6390763d2e36ba72873c424ed48ec6c2c3b56eed0dbf7d78e3751d8e6cab9f8fe0c0a1d23e0d155ddc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vIMM.ico

Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\vcgu.exe

Filesize
5.9MB

MD5
a91e2315a112a0688e7315922582be14

SHA1
b6c3359fa0141d8e1e0b76c28dd1c37b7233f7fe

SHA256
4b2caafab2fd3192c87f93a3c9636f7ca330540d8c1772d28ee06331c8cc4a88

SHA512
bdeaec5bbd1b5c3bda2796673502a470065eb2515a15f920534a86f7aeec05e64835cbb13b807e95da5225a4e912d440c8808f1259ef45e933a71df3d160521c

Download Submit
C:\Users\Admin\AppData\Local\Temp\voQo.exe

Filesize
204KB

MD5
de91ac1c64cc15318de4a0eaea470296

SHA1
419dcb818c33b49562b8cb1a0206f586af75c1df

SHA256
c8a5ed8ab3352ef8e71d2fa40e457ab18dcbd1a48bbc968da440dec02f38180e

SHA512
53550f96d0c0519f151038cc481e9684e5779a50d220577729a449a45f330d7de3e8281fce3999a77f1665c0cd077d659640f7d42a7d491a3333a83010a88cc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\wMEK.exe

Filesize
211KB

MD5
071aebefbcec4d7d42ba18d23c3c93e0

SHA1
26bdce84c794bc3c7f8e24c52789cd4ea3b9e353

SHA256
a69b1b996575a1132102a239caf85ed9070ad5df177fefe4df20759f7b3b7c2a

SHA512
bc5023c55a10b2a64939a05a57d6695f38731fb7c8ce6d1f51f963d8f64dcb21d9540784c79a5e9be18683c921f4dc4e703fc31bf2d380012185a16deed2d498

Download Submit
C:\Users\Admin\AppData\Local\Temp\wkEo.exe

Filesize
547KB

MD5
6bf9b007522ca71953c8a7075a62ddd1

SHA1
fd3adc6bc5c563d856966be58179a3c65b303724

SHA256
95c4a4cd90e97571dda62157e291c0b68c9873892d5744c452d446877b060de0

SHA512
0953c3316f5c50505e6525ba4c43481c9235d1e82f093604567f975f2d95e6bd668055186b65a059b144e5a47cf73f7781675c8d357a1b40bcf774cf72100d80

Download Submit
C:\Users\Admin\AppData\Local\Temp\xMEY.exe

Filesize
199KB

MD5
9fd99813b001cefa56a2058494c4169a

SHA1
012489f1a947688008eb9c8a22859d002d8d1621

SHA256
db73b7ea8d2af0938159cfbeed2b8310dd91051ebb174acbd149d0ca4ef9042f

SHA512
20a91339d104a6d63ea2a2ff637f90a33cd46b6c19868270968bd9ffa249591ce6f9f944e006dfa36540fba3329af2e151216e7b6d7c57f4e5fe5a32e6def960

Download Submit
C:\Users\Admin\AppData\Local\Temp\xgsQ.exe

Filesize
231KB

MD5
6c61d5751e16fb02161ee30dd7e2a18c

SHA1
067372926c793c260c259ecb1e60b2dc62688ee2

SHA256
627de9a51da15a886f0964d4e985a99e196144b2d261bb92f1c6752ae1fa8b5a

SHA512
7fec619eaf6975a48370b97bd87189b8a74af9b52ce2d4f98a5b99fc8b5e38f6daad786c61a8f88ebc29e02a6554676eca8a225f342fe997de7fd8210d2b698a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ygAw.exe

Filesize
187KB

MD5
0b1b62cadcea48ea246a06a4d0e8c183

SHA1
22e730bc16c763dd679ab25cfa8061cd65e19d2b

SHA256
3ea97b41f16a93e40017dc6294535c9ff9c07b53d1bc7ddae9409d1583858ca6

SHA512
756c49c7ddc8d6014000205e8ccabab027fc582f99cffa755dcb12ac3dd6ec4b338dd5162abc5b60098f49462b0c81aa64db170d4b78f8ce6bc48c7e30fbd32f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ygcS.exe

Filesize
190KB

MD5
6f76d73131c5a8c4cb21d474861caf7e

SHA1
7191e2c04bfc27b463f0b610b0e44568ae5f3752

SHA256
e530571e0f8a2dcce692463b5e9b2a7a2f85486c8c2109a7c489b57c320a5d27

SHA512
3dc00620a1415dbddc1fc3ad63d1a3f62e66d47f3ed6cec420077550008bab72d8d3a11209a7d7866925cabbefef4dc4567a349b7ee020f82861e62df9488ef3

Download Submit
C:\Users\Admin\AppData\Local\Temp\yoUG.exe

Filesize
5.9MB

MD5
50fcab85c76d2ae48b470c8d0123d8cc

SHA1
96e602013cc2109f2d4a87b7c9015f5f1ce67410

SHA256
aa48c4d2d9d222c26e9990cfe9a839acde0309430cf6edcbd0882c4a35fc65c1

SHA512
ff26a8c94ed8933ca5112343cdc81a189f166ff334f20f7183161274a47d7015e7d1e9704c0f953c5f2e1caaefc6366a78c9ac9883cbdc0849e5d358e34ab653

Download Submit
C:\Users\Admin\AppData\Local\Temp\zgAy.exe

Filesize
199KB

MD5
c45e9ac110743524f30a065203163ccb

SHA1
ec804ed039e650afa55634a89ac5e3cfbb60d0ba

SHA256
cdaccf62c20e8a588515f96d1bbb9d856e32f2a4576679cf64dc038b27d705f4

SHA512
c21f9c3c6103a0e5d9b57c2f7d75edd7ab1231014c50e1dbef5c0474d07e0cb9316ec2f445d1f8bfde4fda2345e8e5cc8ade0769c7e765fd131680b87e4f19a0

Download Submit
C:\Users\Admin\AppData\Roaming\PingClear.wma.exe

Filesize
413KB

MD5
b319dd9fa8c6540290c6c8a976aeb330

SHA1
a0c352243e506bda7d85250003f7877bc74a03ff

SHA256
8b25e8e59da51d37fe0110ef6bfa8bc8662ba0e122325c106c789d29fec22fd4

SHA512
257cf1260b8a6d3cfa13631a483e10c90b3fd0fbcb70b6fbfb2fb092f0b744172ed66e9daea8cee50a7b4a51b90a5696081d1f98de5f97e6816670670a2dc29d

Download Submit
C:\Users\Admin\HcUAQwkY\DIwMsMIA.exe

Filesize
194KB

MD5
b79c3c5aefbe448b784d67ecb32ef16d

SHA1
10b5c6c1c45d606e4fea03ef7e7037131842f1ad

SHA256
4da7f7a8829df11d06e1a885d6e9a3243648c1196408b5be61580bf832b2d462

SHA512
408fffda803959bec9e08a8f87ec7ee17060dd4673772aecd22dee4e497c5b27b73c11377a35643dfd03129f34f0a8a0b7f39f1fcf363152343ae975b596dde4

Download Submit
C:\Users\Admin\HcUAQwkY\DIwMsMIA.inf

Filesize
4B

MD5
3247216d972da669a75aa6db84aa37d9

SHA1
616ade66204ef2e32b773dfafd6f4cd7b60d029f

SHA256
6403921d56166fd9815551a819643dcac581b457485c358f8396bcd27dd8f6bc

SHA512
75989e7f8182b246af8ea26251f6a24a3fba35937d7713b9a9014db041df9123d9be3a7108f531152cc8067e613e2b074c5957aac986acb61b7cfdd511feff5a

Download Submit
C:\Users\Admin\Music\ConvertToMove.rar.exe

Filesize
464KB

MD5
83a5d29ca320d84eb753491a504de8a6

SHA1
dd86b159d0bda37e57fc1d7d5eb130f0bd507ec1

SHA256
73d875d8db0c79a856f8a4fc430a13aea6cc4bfad2515655fe519c80043caea4

SHA512
2cf256acb97dcc723b2c78b3bd540428b573651fe91756bf2d98a665c5aac5d248a8ed28366fca3e3b11bda94992f5f8a3e89f250231be9db507caf27637fb7a

Download Submit
C:\Users\Admin\Pictures\DebugSearch.jpg.exe

Filesize
695KB

MD5
9fa863813c21fe1ae2a01958a5177c27

SHA1
4c37c406ad7588982c9dc62ce1859a6e04221f9a

SHA256
e2e3cf15639a77e0279ac4912a3bf793372b898f775a998612a13b2104e47f48

SHA512
9563aa94704cfff5651b0e17b22b53dd489fd4e1333a5f470acbd688800218d1dd3b3e54e54950e98e082aab6bfc638b16a80ba28ccfaf5ed2bf89bc05b40b75

Download Submit
C:\Users\Admin\Pictures\HideUse.bmp.exe

Filesize
618KB

MD5
f265dd0f422e44c7b4d5835b5f990f29

SHA1
7bce2ef72df3340e29c7b316f00b381666854f01

SHA256
9ccdc17edfeb5f7aa41b84a04bdcd4caba2d47cfcab5140c362f2a97718a3cf9

SHA512
6c742227462a52e7af8dde95a305297d1938d0a2685c1135037ac14749144af3aea8679d1210af72b232eaa1916d96dff6d844cdf40a7fa9ef307a083a64ccd5

Download Submit
C:\Users\Admin\Pictures\SyncDebug.jpg.exe

Filesize
564KB

MD5
5636d1bb7ccad3f777454ad14541dac1

SHA1
a89098ebc8293584f3c50cf5aaccfe9c3fa0a879

SHA256
6607cdc2317fd17cb44363eff3c81ded939472feeeb2a1067b8fad49e879d6a3

SHA512
e29d91c04a0c4c958dd7bc8c26774bb3fb7574bcff16fd2d1825cad4c6a71271e25ee22eee75b3a5ce055a53ce8c8eac41c230b2af65a88c0782e3d4749bbdf0

Download Submit
C:\Users\Admin\Pictures\UpdateMove.bmp.exe

Filesize
610KB

MD5
4da4c6bdf94a69cf877bc68195fd287b

SHA1
c070a1905f5e453ea1a9531f2c013ad5ff6305a8

SHA256
f14e573782e944fb4ca307909707d1ac4b96357e9fcded41d09264ef25515af3

SHA512
72a7e61f4f877e8d9be5d5403f32d95321edab1803470848a783fb3cdb517fb4d47bc6aa8581f76ceae2a25bce8845debf416447bf5770c20373fc6f5d891dcd

Download Submit
C:\Users\Admin\Pictures\UseUnpublish.gif.exe

Filesize
479KB

MD5
4f9bb20900d1adadf0fb70bbff0a0fa5

SHA1
6aff0eb8aa89aa663ee70ca4d50a3029245b1b95

SHA256
36165901db4b730562634d1b1c43af16f8c90c8249b66438b521b42a4d839fc7

SHA512
51f32e860698945e9a5274f8e860c52187ea254b5b7001fc57318d6f6d25557acee4b3a261d286adb9c5e6ae1236d5b358cc83d7cdce7d06bafde5506fcbc17c

Download Submit
memory/212-43-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/380-341-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/408-550-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/408-542-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/872-251-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/876-499-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/904-351-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/924-437-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1056-587-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1056-596-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1056-640-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1376-101-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1380-138-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1380-127-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1448-163-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1448-152-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1492-417-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1492-428-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1492-333-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1540-473-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1540-464-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1624-151-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1752-126-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1752-114-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1808-79-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1948-489-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2044-314-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2112-262-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2112-270-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2184-386-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2220-523-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2348-569-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2348-533-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2348-577-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2380-515-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2520-560-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2596-568-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2640-658-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2768-240-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2768-225-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2796-395-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2796-403-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2868-585-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3052-413-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3100-604-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3156-426-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3372-279-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3388-325-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3388-315-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3388-378-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3436-416-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3496-368-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3524-445-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3596-252-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3596-261-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3608-298-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3608-288-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3756-197-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3756-212-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3812-287-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3864-306-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3884-175-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3884-164-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3904-541-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3904-0-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3904-19-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3948-360-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3948-612-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3948-352-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4024-414-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4024-418-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4060-32-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4064-115-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4276-453-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4292-1499-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4292-7-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4436-394-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4548-75-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4548-90-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4608-462-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4608-454-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4624-1611-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4624-15-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4632-54-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4664-632-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4852-507-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4892-648-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4932-213-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4932-224-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4960-201-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4972-66-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5012-613-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5012-621-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5060-178-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5060-189-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5076-481-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download