cbf90b656abb4199a0f4cfa4b8fc538202540d9b672e7ea5ac9975ae51884b0d

Analysis

max time kernel
150s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-11-2024 02:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
Size

192KB
MD5

4deb641355a2ced75885248619e7e7c8
SHA1

fe46b1856c51e85ddcb128235085c3b2bd0a0f51
SHA256

cbf90b656abb4199a0f4cfa4b8fc538202540d9b672e7ea5ac9975ae51884b0d
SHA512

e7632732617e8664dc3fd05ee12fad0e258507468b1455007a8bf99f3e0494a1e0681bb6e04254c8da2338c8998cde919c0343fdb4caf14fb569fd5f3afd7991
SSDEEP

3072:PCvM7zZ8k5E8CenK4tYLt65rU3eF5qaNkQbbAppxVh:ppcrR65YObqvQSpxv

Score

10^/10

discovery evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"

Renames multiple (81) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Blocklisted process makes network request 2 IoCs

Processes:

sihclient.exe

flow pid process

38 1736 sihclient.exe
40 1736 sihclient.exe

flow	pid	process
38	1736	sihclient.exe
40	1736	sihclient.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ckggEsEw.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	ckggEsEw.exe

Executes dropped EXE 2 IoCs

Processes:

ckggEsEw.exesSwIwUAc.exe

pid process

3908 ckggEsEw.exe
2280 sSwIwUAc.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

sSwIwUAc.exe2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.execkggEsEw.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sSwIwUAc.exe = "C:\\ProgramData\\lyUsIMgA\\sSwIwUAc.exe"	sSwIwUAc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ckggEsEw.exe = "C:\\Users\\Admin\\EWQUYkUQ\\ckggEsEw.exe"	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sSwIwUAc.exe = "C:\\ProgramData\\lyUsIMgA\\sSwIwUAc.exe"	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ckggEsEw.exe = "C:\\Users\\Admin\\EWQUYkUQ\\ckggEsEw.exe"	ckggEsEw.exe

Drops file in System32 directory 2 IoCs

Processes:

ckggEsEw.exe

description	ioc	process
File created	C:\Windows\SysWOW64\shell32.dll.exe	ckggEsEw.exe
File opened for modification	C:\Windows\SysWOW64\shell32.dll.exe	ckggEsEw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

reg.execmd.exereg.execscript.exereg.exereg.exereg.exe2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.execscript.exereg.execscript.exereg.execscript.execscript.exereg.execmd.exe2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exereg.execmd.exereg.exereg.execmd.exereg.exereg.execscript.exe2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.execscript.exe2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.execmd.exereg.exereg.execmd.exereg.exereg.execmd.execmd.exereg.execmd.execmd.exe2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exereg.execscript.exereg.exe2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exereg.exereg.execmd.exe2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.execmd.exe2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exereg.exe2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exereg.exereg.exereg.exereg.exereg.execmd.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

Processes:

pid	process
4296	reg.exe
4628	reg.exe
1912	reg.exe
644	reg.exe
4624	reg.exe
4400	reg.exe
2464	reg.exe
4408	reg.exe
1808	reg.exe
3344
440	reg.exe
4092	reg.exe
4932	reg.exe
2816	reg.exe
2892
3952	reg.exe
2896	reg.exe
2204	reg.exe
4908	reg.exe
3496	reg.exe
1300	reg.exe
5036	reg.exe
764	reg.exe
1780	reg.exe
1844	reg.exe
1144	reg.exe
4296	reg.exe
1512	reg.exe
396	reg.exe
5112	reg.exe
2080	reg.exe
3376	reg.exe
2144
1300	reg.exe
1724	reg.exe
732	reg.exe
4792	reg.exe
2244	reg.exe
1392	reg.exe
828	reg.exe
1220	reg.exe
3028	reg.exe
4516	reg.exe
3292	reg.exe
2188
4892	reg.exe
1268	reg.exe
3348	reg.exe
4604	reg.exe
2700	reg.exe
2176	reg.exe
1592	reg.exe
556	reg.exe
1616	reg.exe
3392	reg.exe
2456	reg.exe
1320	reg.exe
4092	reg.exe
408	reg.exe
2456	reg.exe
456	reg.exe
1912	reg.exe
3480
3656	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe

pid	process
1912	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
1912	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
1912	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
1912	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
320	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
320	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
320	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
320	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
1712	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
1712	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
1712	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
1712	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
2348	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
2348	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
2348	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
2348	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
4748	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
4748	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
4748	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
4748	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
4104	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
4104	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
4104	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
4104	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
4492	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
4492	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
4492	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
4492	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
3032	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
3032	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
3032	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
3032	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
1424	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
1424	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
1424	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
1424	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
4964	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
4964	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
4964	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
4964	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
2196	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
2196	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
2196	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
2196	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
4068	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
4068	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
4068	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
4068	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
1912	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
1912	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
1912	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
1912	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
4252	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
4252	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
4252	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
4252	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
3840	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
3840	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
3840	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
3840	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
4276	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
4276	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
4276	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
4276	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

ckggEsEw.exe

pid process

3908 ckggEsEw.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

ckggEsEw.exe

pid	process
3908	ckggEsEw.exe
3908	ckggEsEw.exe
3908	ckggEsEw.exe
3908	ckggEsEw.exe
3908	ckggEsEw.exe
3908	ckggEsEw.exe
3908	ckggEsEw.exe
3908	ckggEsEw.exe
3908	ckggEsEw.exe
3908	ckggEsEw.exe
3908	ckggEsEw.exe
3908	ckggEsEw.exe
3908	ckggEsEw.exe
3908	ckggEsEw.exe
3908	ckggEsEw.exe
3908	ckggEsEw.exe
3908	ckggEsEw.exe
3908	ckggEsEw.exe
3908	ckggEsEw.exe
3908	ckggEsEw.exe
3908	ckggEsEw.exe
3908	ckggEsEw.exe
3908	ckggEsEw.exe
3908	ckggEsEw.exe
3908	ckggEsEw.exe
3908	ckggEsEw.exe
3908	ckggEsEw.exe
3908	ckggEsEw.exe
3908	ckggEsEw.exe
3908	ckggEsEw.exe
3908	ckggEsEw.exe
3908	ckggEsEw.exe
3908	ckggEsEw.exe
3908	ckggEsEw.exe
3908	ckggEsEw.exe
3908	ckggEsEw.exe
3908	ckggEsEw.exe
3908	ckggEsEw.exe
3908	ckggEsEw.exe
3908	ckggEsEw.exe
3908	ckggEsEw.exe
3908	ckggEsEw.exe
3908	ckggEsEw.exe
3908	ckggEsEw.exe
3908	ckggEsEw.exe
3908	ckggEsEw.exe
3908	ckggEsEw.exe
3908	ckggEsEw.exe
3908	ckggEsEw.exe
3908	ckggEsEw.exe
3908	ckggEsEw.exe
3908	ckggEsEw.exe
3908	ckggEsEw.exe
3908	ckggEsEw.exe
3908	ckggEsEw.exe
3908	ckggEsEw.exe
3908	ckggEsEw.exe
3908	ckggEsEw.exe
3908	ckggEsEw.exe
3908	ckggEsEw.exe
3908	ckggEsEw.exe
3908	ckggEsEw.exe
3908	ckggEsEw.exe
3908	ckggEsEw.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.execmd.execmd.exe2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.execmd.execmd.exe2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.execmd.exe

description	pid	process	target process
PID 1912 wrote to memory of 3908	1912	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	ckggEsEw.exe
PID 1912 wrote to memory of 3908	1912	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	ckggEsEw.exe
PID 1912 wrote to memory of 3908	1912	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	ckggEsEw.exe
PID 1912 wrote to memory of 2280	1912	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	sSwIwUAc.exe
PID 1912 wrote to memory of 2280	1912	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	sSwIwUAc.exe
PID 1912 wrote to memory of 2280	1912	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	sSwIwUAc.exe
PID 1912 wrote to memory of 2108	1912	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	cmd.exe
PID 1912 wrote to memory of 2108	1912	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	cmd.exe
PID 1912 wrote to memory of 2108	1912	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	cmd.exe
PID 2108 wrote to memory of 320	2108	cmd.exe	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
PID 2108 wrote to memory of 320	2108	cmd.exe	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
PID 2108 wrote to memory of 320	2108	cmd.exe	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
PID 1912 wrote to memory of 3112	1912	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	reg.exe
PID 1912 wrote to memory of 3112	1912	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	reg.exe
PID 1912 wrote to memory of 3112	1912	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	reg.exe
PID 1912 wrote to memory of 5028	1912	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	reg.exe
PID 1912 wrote to memory of 5028	1912	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	reg.exe
PID 1912 wrote to memory of 5028	1912	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	reg.exe
PID 1912 wrote to memory of 3620	1912	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	reg.exe
PID 1912 wrote to memory of 3620	1912	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	reg.exe
PID 1912 wrote to memory of 3620	1912	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	reg.exe
PID 1912 wrote to memory of 4844	1912	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	cmd.exe
PID 1912 wrote to memory of 4844	1912	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	cmd.exe
PID 1912 wrote to memory of 4844	1912	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	cmd.exe
PID 4844 wrote to memory of 4412	4844	cmd.exe	cscript.exe
PID 4844 wrote to memory of 4412	4844	cmd.exe	cscript.exe
PID 4844 wrote to memory of 4412	4844	cmd.exe	cscript.exe
PID 320 wrote to memory of 3012	320	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	cmd.exe
PID 320 wrote to memory of 3012	320	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	cmd.exe
PID 320 wrote to memory of 3012	320	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	cmd.exe
PID 3012 wrote to memory of 1712	3012	cmd.exe	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
PID 3012 wrote to memory of 1712	3012	cmd.exe	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
PID 3012 wrote to memory of 1712	3012	cmd.exe	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
PID 320 wrote to memory of 556	320	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	reg.exe
PID 320 wrote to memory of 556	320	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	reg.exe
PID 320 wrote to memory of 556	320	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	reg.exe
PID 320 wrote to memory of 3600	320	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	reg.exe
PID 320 wrote to memory of 3600	320	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	reg.exe
PID 320 wrote to memory of 3600	320	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	reg.exe
PID 320 wrote to memory of 2668	320	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	reg.exe
PID 320 wrote to memory of 2668	320	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	reg.exe
PID 320 wrote to memory of 2668	320	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	reg.exe
PID 320 wrote to memory of 3520	320	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	cmd.exe
PID 320 wrote to memory of 3520	320	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	cmd.exe
PID 320 wrote to memory of 3520	320	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	cmd.exe
PID 3520 wrote to memory of 3856	3520	cmd.exe	cscript.exe
PID 3520 wrote to memory of 3856	3520	cmd.exe	cscript.exe
PID 3520 wrote to memory of 3856	3520	cmd.exe	cscript.exe
PID 1712 wrote to memory of 4496	1712	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	cmd.exe
PID 1712 wrote to memory of 4496	1712	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	cmd.exe
PID 1712 wrote to memory of 4496	1712	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	cmd.exe
PID 4496 wrote to memory of 2348	4496	cmd.exe	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
PID 4496 wrote to memory of 2348	4496	cmd.exe	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
PID 4496 wrote to memory of 2348	4496	cmd.exe	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
PID 1712 wrote to memory of 3540	1712	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	reg.exe
PID 1712 wrote to memory of 3540	1712	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	reg.exe
PID 1712 wrote to memory of 3540	1712	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	reg.exe
PID 1712 wrote to memory of 2188	1712	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	reg.exe
PID 1712 wrote to memory of 2188	1712	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	reg.exe
PID 1712 wrote to memory of 2188	1712	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	reg.exe
PID 1712 wrote to memory of 1620	1712	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	reg.exe
PID 1712 wrote to memory of 1620	1712	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	reg.exe
PID 1712 wrote to memory of 1620	1712	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	reg.exe
PID 1712 wrote to memory of 828	1712	2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1912
- C:\Users\Admin\EWQUYkUQ\ckggEsEw.exe
  "C:\Users\Admin\EWQUYkUQ\ckggEsEw.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:3908
- C:\ProgramData\lyUsIMgA\sSwIwUAc.exe
  "C:\ProgramData\lyUsIMgA\sSwIwUAc.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2280
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2108
- - C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
    C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:320
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3012
    - - C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1712
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4496
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        8⤵
        
        PID:376
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        10⤵
        
        PID:1440
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        11⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        12⤵
        
        PID:4036
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        14⤵
        
        PID:4216
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        16⤵
        
        PID:4092
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        18⤵
        
        PID:5112
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        20⤵
        
        PID:2540
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        22⤵
        
        PID:3460
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        24⤵
        
        PID:2328
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        26⤵
        
        PID:4460
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        28⤵
        
        PID:1372
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        30⤵
        
        PID:2720
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        32⤵
        
        PID:4572
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        33⤵
        
        PID:848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        34⤵
        
        PID:2144
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        35⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        36⤵
        
        PID:536
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        37⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        38⤵
        
        PID:4372
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        39⤵
        
        PID:3084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        40⤵
        
        PID:1084
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        41⤵
        
        PID:376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        42⤵
        
        PID:4104
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        43⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        44⤵
        
        PID:3496
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        45⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        46⤵
        
        PID:2424
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        47⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        48⤵
        
        PID:4300
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        49⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        50⤵
        
        PID:1724
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        51⤵
        
        PID:404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        52⤵
        
        PID:3108
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        53⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        54⤵
        
        PID:2236
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        55⤵
        System Location Discovery: System Language Discovery
        
        PID:4832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        56⤵
        
        PID:2520
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        57⤵
        
        PID:3840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        58⤵
        
        PID:4516
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        59⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        60⤵
        
        PID:2080
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        61⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        62⤵
        
        PID:3636
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        63⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        64⤵
        
        PID:4472
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        65⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        66⤵
        
        PID:2856
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        67⤵
        
        PID:3796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        68⤵
        
        PID:4344
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        69⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        70⤵
        
        PID:5040
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        71⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        72⤵
        
        PID:3080
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        73⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        74⤵
        System Location Discovery: System Language Discovery
        
        PID:5008
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        75⤵
        
        PID:4492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        76⤵
        
        PID:3368
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        77⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        78⤵
        
        PID:2792
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        79⤵
        
        PID:3832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        80⤵
        
        PID:2608
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        81⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        82⤵
        
        PID:1144
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        83⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        84⤵
        
        PID:2096
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        85⤵
        
        PID:3416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        86⤵
        
        PID:3580
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        87⤵
        System Location Discovery: System Language Discovery
        
        PID:3808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        88⤵
        
        PID:3180
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        89⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        90⤵
        
        PID:2792
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        91⤵
        
        PID:3468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        92⤵
        
        PID:1816
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        93⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        94⤵
        
        PID:4492
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        95⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        96⤵
        
        PID:3080
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        97⤵
        
        PID:3940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        98⤵
        
        PID:1548
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        99⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        100⤵
        
        PID:4980
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        101⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        102⤵
        
        PID:1440
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        103⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        104⤵
        
        PID:1096
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        105⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        106⤵
        System Location Discovery: System Language Discovery
        
        PID:1392
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        107⤵
        System Location Discovery: System Language Discovery
        
        PID:3440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        108⤵
        
        PID:4724
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        109⤵
        
        PID:4056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        110⤵
        
        PID:2172
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        111⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        112⤵
        
        PID:3076
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        113⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        114⤵
        
        PID:3812
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        115⤵
        
        PID:1300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        116⤵
        
        PID:3668
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        117⤵
        System Location Discovery: System Language Discovery
        
        PID:2784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        118⤵
        
        PID:1448
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        119⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        120⤵
        
        PID:5028
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        121⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        122⤵
        
        PID:1508
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        123⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        124⤵
        
        PID:464
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        125⤵
        
        PID:624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        126⤵
        
        PID:1300
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        127⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        128⤵
        
        PID:4920
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        129⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        130⤵
        
        PID:4748
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        131⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        132⤵
        
        PID:3008
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        133⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        134⤵
        
        PID:4396
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        135⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        136⤵
        
        PID:624
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        137⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        138⤵
        
        PID:3400
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        139⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        140⤵
        
        PID:1448
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        141⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        142⤵
        
        PID:4012
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        143⤵
        
        PID:4748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        144⤵
        
        PID:2272
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        145⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        146⤵
        
        PID:3288
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        147⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        148⤵
        
        PID:2196
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        149⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        150⤵
        
        PID:3640
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        151⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        152⤵
        
        PID:456
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        153⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        154⤵
        
        PID:1720
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        155⤵
        
        PID:856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        156⤵
        
        PID:5096
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        157⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        158⤵
        
        PID:5024
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        159⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        160⤵
        
        PID:4480
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        161⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        162⤵
        
        PID:1320
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        163⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        164⤵
        
        PID:1092
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        165⤵
        System Location Discovery: System Language Discovery
        
        PID:4332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        166⤵
        
        PID:1920
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        167⤵
        System Location Discovery: System Language Discovery
        
        PID:1312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        168⤵
        System Location Discovery: System Language Discovery
        
        PID:4644
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        169⤵
        
        PID:3480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        170⤵
        
        PID:768
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        171⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        172⤵
        
        PID:4980
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        173⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        174⤵
        
        PID:3416
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        175⤵
        
        PID:3376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        176⤵
        
        PID:2292
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        177⤵
        
        PID:1920
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        177⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        178⤵
        
        PID:3500
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        179⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        180⤵
        
        PID:2528
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        181⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        182⤵
        
        PID:1320
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        183⤵
        
        PID:3288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        184⤵
        
        PID:1220
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        185⤵
        
        PID:3440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        186⤵
        
        PID:716
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        187⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        188⤵
        
        PID:4748
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        189⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        190⤵
        
        PID:3664
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        191⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        192⤵
        
        PID:2692
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        193⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        194⤵
        
        PID:3540
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        195⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        196⤵
        
        PID:1864
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        197⤵
        
        PID:408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        198⤵
        
        PID:2672
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        199⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        200⤵
        
        PID:4496
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        201⤵
        System Location Discovery: System Language Discovery
        
        PID:1172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        202⤵
        
        PID:632
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        203⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        204⤵
        
        PID:3060
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        205⤵
        
        PID:452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        206⤵
        
        PID:3200
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        207⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        208⤵
        
        PID:4216
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        209⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        210⤵
        
        PID:3832
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        211⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        212⤵
        
        PID:4844
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        213⤵
        
        PID:3584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        214⤵
        
        PID:2784
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        215⤵
        
        PID:3916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        216⤵
        
        PID:2404
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        217⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        218⤵
        
        PID:3112
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        219⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        220⤵
        
        PID:2644
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        221⤵
        
        PID:3668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        222⤵
        
        PID:3872
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        223⤵
        
        PID:4608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        224⤵
        
        PID:2508
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        225⤵
        System Location Discovery: System Language Discovery
        
        PID:2404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        226⤵
        
        PID:3752
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        227⤵
        
        PID:436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        228⤵
        
        PID:3368
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        229⤵
        
        PID:3916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        230⤵
        
        PID:2792
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        231⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        232⤵
        
        PID:2920
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        233⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        234⤵
        
        PID:4372
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        235⤵
        
        PID:2404
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        235⤵
        System Location Discovery: System Language Discovery
        
        PID:1996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        236⤵
        
        PID:3480
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        237⤵
        
        PID:5068
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        237⤵
        
        PID:3800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        238⤵
        
        PID:3132
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        239⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        240⤵
        
        PID:1724
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        241⤵
        
        PID:396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        242⤵
        
        PID:4908
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        243⤵
        
        PID:3400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        244⤵
        
        PID:5016
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        245⤵
        
        PID:3800
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        245⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        246⤵
        
        PID:4408
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        247⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        248⤵
        
        PID:396
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        249⤵
        
        PID:540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        250⤵
        
        PID:3440
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        251⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        252⤵
        
        PID:912
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        253⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        254⤵
        
        PID:2140
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        255⤵
        
        PID:1000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        256⤵
        
        PID:1920
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        257⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        258⤵
        
        PID:3424
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        259⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        260⤵
        System Location Discovery: System Language Discovery
        
        PID:4436
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        261⤵
        
        PID:3440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        262⤵
        
        PID:4252
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        263⤵
        
        PID:4408
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        263⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        264⤵
        
        PID:3084
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        265⤵
        
        PID:980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        266⤵
        
        PID:8
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        267⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        268⤵
        
        PID:4264
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        269⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        270⤵
        
        PID:3288
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        271⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        272⤵
        
        PID:1648
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        273⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        274⤵
        
        PID:316
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        275⤵
        
        PID:4304
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        275⤵
        
        PID:3664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        276⤵
        
        PID:2912
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        277⤵
        
        PID:396
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        277⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        278⤵
        
        PID:4104
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        279⤵
        
        PID:4708
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        279⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        280⤵
        
        PID:1424
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        281⤵
        
        PID:2776
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        281⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        282⤵
        
        PID:2728
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        283⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock"
        284⤵
        
        PID:4284
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock
        285⤵
        
        PID:3880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        284⤵
        Modifies visibility of file extensions in Explorer
        
        PID:980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        284⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        282⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        282⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        282⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YgMgkgQI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        282⤵
        
        PID:1300
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        283⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        280⤵
        
        PID:4216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        280⤵
        System Location Discovery: System Language Discovery
        
        PID:3292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        280⤵
        UAC bypass
        
        PID:5024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eQcAEwEc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        280⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        281⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        278⤵
        Modifies registry key
        
        PID:456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        278⤵
        Modifies registry key
        
        PID:1912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        278⤵
        
        PID:3256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MEgssgkw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        278⤵
        
        PID:4748
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        279⤵
        
        PID:4876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        276⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        276⤵
        
        PID:372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        276⤵
        UAC bypass
        
        PID:3436
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        277⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZUkEYwwA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        276⤵
        
        PID:3464
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        277⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        277⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        274⤵
        System Location Discovery: System Language Discovery
        
        PID:1372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        274⤵
        
        PID:3916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        274⤵
        UAC bypass
        
        PID:1960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jQAIEIEY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        274⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        275⤵
        
        PID:1332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        272⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        272⤵
        
        PID:1300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        272⤵
        Modifies registry key
        
        PID:5036
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        273⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XOQAMIok.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        272⤵
        System Location Discovery: System Language Discovery
        
        PID:856
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        273⤵
        
        PID:3872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        270⤵
        
        PID:1224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        270⤵
        Modifies registry key
        
        PID:3292
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        271⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        270⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sKMIkscQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        270⤵
        
        PID:824
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        271⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        268⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        268⤵
        
        PID:3256
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        269⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        268⤵
        
        PID:3668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SKQMowco.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        268⤵
        
        PID:3496
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        269⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        266⤵
        
        PID:396
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        267⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        266⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        266⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yaQowokY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        266⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        267⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        264⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        264⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        264⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DgccAUwc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        264⤵
        
        PID:3408
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        265⤵
        
        PID:668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        262⤵
        Modifies registry key
        
        PID:1300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        262⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        262⤵
        UAC bypass
        
        PID:1508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\biooMoIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        262⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        263⤵
        
        PID:3180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        260⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        260⤵
        
        PID:2692
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        261⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        260⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\riEsoUYs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        260⤵
        
        PID:860
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        261⤵
        System Location Discovery: System Language Discovery
        
        PID:2776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        258⤵
        
        PID:5016
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        259⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        258⤵
        
        PID:1020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        258⤵
        UAC bypass
        
        PID:4264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jaAAgkwQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        258⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        259⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        256⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        256⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        256⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IEAQQoME.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        256⤵
        System Location Discovery: System Language Discovery
        
        PID:1784
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        257⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        254⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:4012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        254⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        254⤵
        
        PID:3916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aycQcQUc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        254⤵
        
        PID:436
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        255⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        255⤵
        
        PID:3952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        252⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        252⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        252⤵
        UAC bypass
        
        PID:1040
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        253⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CIUAgUog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        252⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        253⤵
        
        PID:1144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        250⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3860
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        251⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        250⤵
        Modifies registry key
        
        PID:644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        250⤵
        
        PID:1684
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        251⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AMUYoMkY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        250⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        251⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        248⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        248⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        248⤵
        
        PID:3916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FuQEQcUw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        248⤵
        
        PID:4332
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        249⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        249⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        246⤵
        Modifies visibility of file extensions in Explorer
        
        PID:912
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        247⤵
        
        PID:3376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        246⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        246⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lwAQUAgg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        246⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        247⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        244⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:5036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        244⤵
        
        PID:3952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        244⤵
        UAC bypass
        
        PID:3840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dYEgswgg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        244⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        245⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        242⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        242⤵
        System Location Discovery: System Language Discovery
        
        PID:2008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        242⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:1084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OiUYAAMM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        242⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        243⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        240⤵
        
        PID:3080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        240⤵
        Modifies registry key
        
        PID:3376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        240⤵
        UAC bypass
        
        PID:4104
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        241⤵
        
        PID:452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qSkckoYI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        240⤵
        
        PID:1332
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        241⤵
        
        PID:1020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        238⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        238⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        238⤵
        
        PID:392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VaQsAMcY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        238⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        239⤵
        
        PID:3516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        236⤵
        
        PID:688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        236⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        236⤵
        Modifies registry key
        
        PID:1592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JAkkIYII.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        236⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        237⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        234⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        234⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        234⤵
        UAC bypass
        
        PID:216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ROMogAwM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        234⤵
        System Location Discovery: System Language Discovery
        
        PID:4908
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        235⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        232⤵
        
        PID:3436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        232⤵
        
        PID:4180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        232⤵
        System Location Discovery: System Language Discovery
        
        PID:3872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hQsAgcoo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        232⤵
        
        PID:452
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        233⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        230⤵
        Modifies registry key
        
        PID:2456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        230⤵
        
        PID:3520
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        231⤵
        
        PID:8
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        230⤵
        
        PID:624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IIAYskwE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        230⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        231⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        228⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        228⤵
        
        PID:632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        228⤵
        UAC bypass
        
        PID:860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qoYcgYME.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        228⤵
        System Location Discovery: System Language Discovery
        
        PID:2608
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        229⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        226⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        226⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        226⤵
        UAC bypass
        Modifies registry key
        
        PID:396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CcwkUIAY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        226⤵
        
        PID:968
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        227⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        224⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        224⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        224⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SqwcoQoc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        224⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        225⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        222⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        222⤵
        
        PID:8
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        222⤵
        
        PID:3408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dGUsgYoo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        222⤵
        
        PID:3860
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        223⤵
        
        PID:3840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        220⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        220⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        220⤵
        
        PID:4876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XAwMsgso.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        220⤵
        
        PID:3812
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        221⤵
        
        PID:3952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        218⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        218⤵
        
        PID:4408
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        219⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        218⤵
        UAC bypass
        
        PID:372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZyMkAEME.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        218⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        219⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        216⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        216⤵
        
        PID:688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        216⤵
        UAC bypass
        Modifies registry key
        
        PID:3496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TecUsYsQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        216⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        217⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        214⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        214⤵
        System Location Discovery: System Language Discovery
        
        PID:3032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        214⤵
        UAC bypass
        Modifies registry key
        
        PID:4908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qGMUcwwg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        214⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        215⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        212⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        212⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        212⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WiIQcUoU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        212⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        213⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        210⤵
        Modifies registry key
        
        PID:1268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        210⤵
        
        PID:3516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        210⤵
        
        PID:856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\COckIoEY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        210⤵
        
        PID:1020
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        211⤵
        System Location Discovery: System Language Discovery
        
        PID:4828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        208⤵
        Modifies visibility of file extensions in Explorer
        
        PID:968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        208⤵
        
        PID:728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        208⤵
        Modifies registry key
        
        PID:828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hoIwUoEc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        208⤵
        
        PID:556
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        209⤵
        
        PID:3536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        206⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        206⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        206⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fygwkoEA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        206⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        207⤵
        
        PID:980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        204⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        204⤵
        
        PID:860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        204⤵
        Modifies registry key
        
        PID:1808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jEokYcMo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        204⤵
        
        PID:3904
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        205⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        202⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        202⤵
        
        PID:3352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        202⤵
        
        PID:436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tkUcIggw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        202⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        203⤵
        
        PID:3236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        200⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        200⤵
        
        PID:4104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        200⤵
        System Location Discovery: System Language Discovery
        
        PID:1312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qCcYwsgc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        200⤵
        
        PID:3940
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        201⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        198⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        198⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        198⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IcgAEAok.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        198⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        199⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        196⤵
        Modifies registry key
        
        PID:1392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        196⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        196⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YcQgcQAo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        196⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        197⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        194⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        194⤵
        
        PID:4792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        194⤵
        UAC bypass
        
        PID:3376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qQgscMcQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        194⤵
        System Location Discovery: System Language Discovery
        
        PID:968
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        195⤵
        
        PID:728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        192⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        192⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        192⤵
        
        PID:1080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XSEYoEwk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        192⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        193⤵
        
        PID:4608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        190⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        190⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        190⤵
        
        PID:3292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PmYEckEg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        190⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        191⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        188⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        188⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        188⤵
        UAC bypass
        Modifies registry key
        
        PID:2244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KKcsEMsA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        188⤵
        
        PID:3880
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        189⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        186⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        186⤵
        System Location Discovery: System Language Discovery
        
        PID:3108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        186⤵
        Modifies registry key
        
        PID:732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aackMoQE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        186⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        187⤵
        
        PID:1392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        184⤵
        
        PID:4116
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        185⤵
        
        PID:4792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        184⤵
        System Location Discovery: System Language Discovery
        
        PID:4980
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        185⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        184⤵
        UAC bypass
        
        PID:1980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KsUcAMUg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        184⤵
        
        PID:3800
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        185⤵
        System Location Discovery: System Language Discovery
        
        PID:3808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        182⤵
        
        PID:3200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        182⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        182⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UWIYEoEw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        182⤵
        System Location Discovery: System Language Discovery
        
        PID:3568
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        183⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        183⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        180⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        180⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        180⤵
        UAC bypass
        
        PID:2160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LiQAkAcA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        180⤵
        
        PID:3904
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        181⤵
        
        PID:3080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        178⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        178⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        178⤵
        UAC bypass
        
        PID:2284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pocMsQYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        178⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        179⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        176⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        176⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        176⤵
        UAC bypass
        
        PID:2728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HmUYUccI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        176⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        177⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        174⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        174⤵
        Modifies registry key
        
        PID:2176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        174⤵
        UAC bypass
        
        PID:3656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PQYoIkYs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        174⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        175⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        172⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        172⤵
        System Location Discovery: System Language Discovery
        
        PID:624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        172⤵
        UAC bypass
        
        PID:5036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\meEcQwYY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        172⤵
        
        PID:3528
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        173⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        170⤵
        Modifies visibility of file extensions in Explorer
        
        PID:856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        170⤵
        
        PID:3512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        170⤵
        UAC bypass
        
        PID:1488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ossMMAEg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        170⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        171⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        168⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        168⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        168⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IMYIUUEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        168⤵
        
        PID:4564
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        169⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        166⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        166⤵
        
        PID:3752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        166⤵
        
        PID:4144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iCooIcAU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        166⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        167⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        164⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        164⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        164⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XSosMokA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        164⤵
        
        PID:3904
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        165⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        162⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        162⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        162⤵
        Modifies registry key
        
        PID:408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nKoIYoEQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        162⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        163⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        160⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        160⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        160⤵
        UAC bypass
        Modifies registry key
        
        PID:1912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VysMYQkE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        160⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        161⤵
        
        PID:216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        158⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        158⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        158⤵
        
        PID:8
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FkkEYQwU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        158⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        159⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        156⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        156⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        156⤵
        UAC bypass
        
        PID:2068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GgsAwwok.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        156⤵
        
        PID:536
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        157⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        154⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        154⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        154⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gaEosUEE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        154⤵
        
        PID:3536
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        155⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        152⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        152⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        152⤵
        UAC bypass
        
        PID:3052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GkYkIEAo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        152⤵
        
        PID:3840
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        153⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        150⤵
        
        PID:1312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        150⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        150⤵
        UAC bypass
        
        PID:3528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NEoIIMIQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        150⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        151⤵
        
        PID:4056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        148⤵
        
        PID:4116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        148⤵
        System Location Discovery: System Language Discovery
        
        PID:3292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        148⤵
        UAC bypass
        
        PID:4892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZIYYgsUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        148⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        149⤵
        
        PID:3884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        146⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        146⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        146⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LMAkkkMs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        146⤵
        
        PID:860
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        147⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        144⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        144⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        144⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\deEEIkgc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        144⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        145⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        142⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        142⤵
        Modifies registry key
        
        PID:1512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        142⤵
        
        PID:3424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rqQQYUoQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        142⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        143⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        140⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:1084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        140⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        140⤵
        UAC bypass
        
        PID:4980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YmkggsAA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        140⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        141⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        138⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        138⤵
        System Location Discovery: System Language Discovery
        
        PID:1220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        138⤵
        
        PID:3292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EUcgAQEg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        138⤵
        
        PID:980
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        139⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        136⤵
        
        PID:860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        136⤵
        
        PID:1288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        136⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AqQQUwIg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        136⤵
        
        PID:3456
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        137⤵
        
        PID:3080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        134⤵
        
        PID:3576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        134⤵
        
        PID:404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        134⤵
        UAC bypass
        
        PID:2572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CyQQwogs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        134⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        135⤵
        
        PID:4564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        132⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        132⤵
        
        PID:392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        132⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RCkIgQoY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        132⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        133⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        
        PID:456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        UAC bypass
        
        PID:3520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DWgcoQYs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        130⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        131⤵
        System Location Discovery: System Language Discovery
        
        PID:1140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        
        PID:980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JgoYYwss.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        128⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        129⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        
        PID:3812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        
        PID:3872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        UAC bypass
        
        PID:436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AaEQUgcM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        126⤵
        System Location Discovery: System Language Discovery
        
        PID:2700
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        UAC bypass
        Modifies registry key
        
        PID:4092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IaYsIYkA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        124⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:3324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:2896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        
        PID:4792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        UAC bypass
        Modifies registry key
        
        PID:1320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uuUEIYwQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        122⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:3568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        UAC bypass
        
        PID:4908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AAEoQQEY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        120⤵
        
        PID:4180
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        UAC bypass
        
        PID:2508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FGMgQMkg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        118⤵
        
        PID:4876
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        System Location Discovery: System Language Discovery
        
        PID:4424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        UAC bypass
        
        PID:4956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LqMQwIkU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        116⤵
        
        PID:316
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:3256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XaggQgcc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        114⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fmYIscMo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        112⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:1224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mggsUAcA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        110⤵
        System Location Discovery: System Language Discovery
        
        PID:2348
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        
        PID:3200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uqcgcgUE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        108⤵
        
        PID:3368
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        Modifies visibility of file extensions in Explorer
        
        PID:632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        UAC bypass
        
        PID:728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CikMMQkA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        106⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        System Location Discovery: System Language Discovery
        
        PID:1996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iUQwwwMc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        104⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        
        PID:624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        UAC bypass
        
        PID:860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RosYUsQs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        102⤵
        
        PID:3576
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:3416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RioMkkQM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        100⤵
        System Location Discovery: System Language Discovery
        
        PID:1084
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        
        PID:3952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HwggUEsw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        98⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:3368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        System Location Discovery: System Language Discovery
        
        PID:828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        UAC bypass
        
        PID:4252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QCwwQoIk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        96⤵
        
        PID:980
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        
        PID:3876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        Modifies registry key
        
        PID:2896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        
        PID:4792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EmYgUEQw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        94⤵
        
        PID:3496
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:1300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        
        PID:824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CuwMoMcM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        92⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        System Location Discovery: System Language Discovery
        
        PID:1144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        Modifies registry key
        
        PID:4516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SkQgoMEg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        90⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        Modifies registry key
        
        PID:2816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        System Location Discovery: System Language Discovery
        
        PID:1332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FaAUcQIk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        88⤵
        System Location Discovery: System Language Discovery
        
        PID:536
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:3324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nWYIMYMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        86⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        UAC bypass
        
        PID:4864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DwkcUcQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        84⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        
        PID:768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jmAsUgMk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        82⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        Modifies registry key
        
        PID:2464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        
        PID:316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CuAcAcIk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        80⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        Modifies visibility of file extensions in Explorer
        
        PID:732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        
        PID:3584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:4932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eqAAIoYQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        78⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gKgUcIAk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        76⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        Modifies registry key
        
        PID:4628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ckkQwYQo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        74⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        Modifies registry key
        
        PID:2080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XAcookIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        72⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XcIcwYYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        70⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:60
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        Modifies registry key
        
        PID:3952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        UAC bypass
        
        PID:2188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rwUAgkUs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        68⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        System Location Discovery: System Language Discovery
        
        PID:3568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        Modifies registry key
        
        PID:2700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fmwMkcMA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        66⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        Modifies registry key
        
        PID:764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        
        PID:4792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AuQMgMgg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        64⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        
        PID:4180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        UAC bypass
        
        PID:4988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OwUQgsIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        62⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        UAC bypass
        
        PID:3468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WCYUQoIk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        60⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jckgMkEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        58⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lsQAoogE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        56⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:4628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        
        PID:1080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZQEQoYos.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        54⤵
        
        PID:1312
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:3884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NUkMksos.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        52⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        Modifies registry key
        
        PID:4296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:3512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\beAkwssE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        50⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        Modifies registry key
        
        PID:4400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        
        PID:4788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        UAC bypass
        
        PID:3808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\USIMEQAU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        48⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\suIcUQAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        46⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        System Location Discovery: System Language Discovery
        
        PID:1592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        
        PID:3456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kmkEMgIk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        44⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        UAC bypass
        Modifies registry key
        
        PID:4624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AGkAIMYQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        42⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:3080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        Modifies registry key
        
        PID:4296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LcYUAgsQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        40⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        
        PID:452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        Modifies registry key
        
        PID:2456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        
        PID:3440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zAYMwUQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        38⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        UAC bypass
        
        PID:2228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PqskIEgg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        36⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ckAIsoEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        34⤵
        
        PID:4036
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:3528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eawMEQso.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        32⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:3376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        System Location Discovery: System Language Discovery
        
        PID:2132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        Modifies registry key
        
        PID:5112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        UAC bypass
        
        PID:4712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IesoMAsw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        30⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies registry key
        
        PID:4092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        Modifies registry key
        
        PID:3028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        UAC bypass
        
        PID:3952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cEQsocIE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        28⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:1300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies registry key
        
        PID:3656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZUIkkwcA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        26⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:3420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        
        PID:4492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JEIossgQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        24⤵
        
        PID:3496
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:3372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        
        PID:4180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:4932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vmcggQgY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        22⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        Modifies registry key
        
        PID:1144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xacooEUI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        20⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:3080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        Modifies registry key
        
        PID:4892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        
        PID:3876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cWEIAQwM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        18⤵
        
        PID:4564
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        UAC bypass
        Modifies registry key
        
        PID:440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gmgIoQEY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        16⤵
        
        PID:3420
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        
        PID:552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EoIIYckc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        14⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        
        PID:3872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uiEwwcEg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        12⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        Modifies registry key
        
        PID:1844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nmUYkMYU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        10⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        Modifies registry key
        
        PID:1300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        
        PID:3884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zAowMAUM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        8⤵
        
        PID:1296
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:2784
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3540
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:2188
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        
        PID:1620
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DSsokcQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
        6⤵
        
        PID:828
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:2276
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies registry key
      PID:556
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:3600
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:2668
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aYQYAQkQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3520
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:3856
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:3112
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:5028
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:3620
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MiEsIYgM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4844
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4412

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv QYdizi60V0OzVAdXaUvZnA.0.2
1⤵
- Blocklisted process makes network request
PID:1736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe

Filesize
227KB

MD5
e69e1fa6ae7df268957ae43cde0dcb12

SHA1
7dd5d434a6bce2cef0fa3533f3a5e86d3a0393c0

SHA256
761e6916a8dc029183e27683127269dc3a462bbcc9e8e2fd5acb99c0947b4737

SHA512
73d9f56efc7de7dd4dcd2e9fa3d8259f615c43beca6a70524d46b7b1753473412099fa1d8ff2204c21304ad19119c78ea7ef269864cf54afc57a9b413b3ee654

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe

Filesize
216KB

MD5
cc025115e52f867b26fdb15e245229b7

SHA1
f69996d64a5dc2b3b79847666b661b845cd9b24e

SHA256
9cce2420833560324fecec21c00e9a03c4e349b67f92f86bc3d299006ae171ff

SHA512
07f392374bf62074669be6136cacf75e83cd4a3403eff22271c6672980437d4524c8308560e0d0b45b72f04f50cee1f070633f971f148c16ae22723e29a601b9

Download Submit
C:\ProgramData\lyUsIMgA\sSwIwUAc.exe

Filesize
190KB

MD5
f16c98edd1c4c26575581b0c33b7b890

SHA1
69feaadea290880c78ea6d987492a4c0d39c0e17

SHA256
8ddaa6934d38fd3798e3489e384841847a8391ff235926c6c56ce892ace8d0fe

SHA512
c687e00b5960390a10320f2327fc4361ea2ff23383ff9e33a372e0b585972f546072d773791053b6824e91f903c2d5f35182d5464f490b850e932118fb17a5ef

Download Submit
C:\ProgramData\lyUsIMgA\sSwIwUAc.inf

Filesize
4B

MD5
7cd0b30b650e6369b46fd164618b126d

SHA1
4832faf52bb1b11f6e0ae64b061c725665de7313

SHA256
3f8f9a1059802bbe88b13162dc2feda43742c847468b29904b27e7294f045338

SHA512
7d139041cc105dfda08ecf7a0077dc9815aad3974d72cceaf3133b589dece324ee36a6e9a01d3e42c412dfe6e7801dd4b23dd1c2334394d39ce71e78772ecf22

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.82.1_0\128.png.exe

Filesize
201KB

MD5
54691370068f771dbc5bb13872c87014

SHA1
2ce9e3b0df42b768db3d1aa57538ca6e268c1c33

SHA256
593c97f8b27d97b5e54ce84bc11f83432893ab2c909c206e60588b6d87bc4b26

SHA512
6e46841d4d3d038e13c5f2f73a375bf479399655ef2215ea68e830681a84efad0e5062ba1f2b9a332867ffe5f11d21c9130105c8488e3a2c09f756fba3763bb2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\32.png.exe

Filesize
185KB

MD5
2432b71ec0a24be01c4afd8e021ffe13

SHA1
84bbfd6d884a3e5b9943ce6f1f6d28517f2856cc

SHA256
01110acbe5fbb248d05b12d3c3e267d38c9f6a16a3cc1a900ab680d369cb2bfa

SHA512
fd6cbaa1afa872eb87b3d9839bc3f547d1a9b075685c612ec8a52e39da14da4765d99ab343e4971b1bd9d3a0a5d86aafc46e0110306fa5115c039e3838f896f5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\64.png.exe

Filesize
183KB

MD5
fb9c1851bfe0788bdd71428682be44b1

SHA1
2327dbce25add7085c3998aaf789abb055d43b1c

SHA256
0f9f5018edec5e7dd886c862d4250b939145646d54b9aade3cd0954cd5e0fa93

SHA512
6b904b3a9bff31ff6518a5879253450d3e0c661f149d3d266d25d26200148f2bf75499d3ce0b59761f51eddbfe8f517a27394f45682129c695625d4f42e58cf5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AutoPlayOptIn.png.exe

Filesize
200KB

MD5
0bd85e89b43ce422974b069a8d6c0e10

SHA1
2cbe533ad43642168bb9b2e6021364f1fc7ab1c7

SHA256
54e5c23b07169add21eee3f2317ed8602589dceb99096a661a0cd2f2bf323d3c

SHA512
491a40a21a65b7a60aef5e821ed2c1dbd05832dd4afe1912b23be90d0e6a042144e903311de3c9c5e4368e14ef5f9981ed139476d0a8e0d5bebc61c026c5262c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-400.png.exe

Filesize
193KB

MD5
25b14ef3ef1feaef1758317f0b0fc421

SHA1
e08aacf1451d1a1af7db42b20c0289f7b3895ef4

SHA256
87397e34aeb72f83163016a453725e59e46e80b7e2056e2a465d2ab239de9c87

SHA512
7b454bef8e77e9e8f90653260589891f4418c90fb9061a82ffc17adc6f7276cf52fb0ded28fc60d588dfa1dbd63e8c80a3ab9fcbe1866caa039320dd8c6427d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-white_scale-400.png.exe

Filesize
203KB

MD5
d3ff036ad66b4e33b7126d3e64c87fef

SHA1
4e05abe150b23cf9ffea3f15cb75fd1c4518dda8

SHA256
bd969a6d28194f42388af617c236620d812e478e18e071786db52dbc67c85789

SHA512
dbe1600385e2c33942b7c5cca2d86bcf1e4dced9f3bdc3bdcea1ee13cd959b09cebf826b4c395c74470f5be2c52db5d4cda1c1b2041b25b820ee944ba0e225c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-11-21_4deb641355a2ced75885248619e7e7c8_virlock

Filesize
7KB

MD5
6bf9826f979c572d50358be89bf08021

SHA1
4dd8ea39f0f453b502e1490eb274aafc66ad3a8b

SHA256
e8527f554c14335fd26725ad4c59e5e305fdd64aeb251adcf96ac8f3ed64b70d

SHA512
e65b13e71f3b8e17c8175d537af111c9b74bd9b12ad5130270e093800da3bf1a257a7371aea4e50504f9af581315d0d29b06e1926e25f92510afdb5207d45556

Download Submit
C:\Users\Admin\AppData\Local\Temp\AAkg.exe

Filesize
207KB

MD5
95bcb1fc8fae78b340d603e337d534ec

SHA1
55f62000461e654ce9c583b7d3e5f4a6cde2675b

SHA256
e5e69a294c06ee4c842431aea0fdedc6cf4d23e8b97c7baeeddeecda6e62b1e0

SHA512
33bb801c23f6bf3323df617213c8bf04e3b74b527389d379d9e1852288fe52da40c64209dfc2e70c9dd043fcbd17bbe58cb52a327f7db3f932026ced67a7c23e

Download Submit
C:\Users\Admin\AppData\Local\Temp\AYAk.exe

Filesize
193KB

MD5
48252e3f21ff3401886a5fbf0fcc1d93

SHA1
44693284907699c2726b75f99cb27a9b69603ec0

SHA256
e98b79770d8a55eee58e7987fc82b813e74938d293f001a6978582a2c4cc63be

SHA512
ede2edde81bb748097f94858683cd33fe04057e94bf95983147858a8963f51f16cd777e84b4f0caf81bcbd0c9dceb8bca995cb2609bee2e78e227517607c9a3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\AoAo.exe

Filesize
191KB

MD5
79d8deeeedeb6c563874eed0a58ca659

SHA1
ded6b06f90d893dfd9ad2be5086d04c954524ce4

SHA256
bac9c6361844578e50d9fa7f61d044b7c965295f3c3517ad4770588253a984f4

SHA512
feddc9b1e2be1e563bc7db223b45982f1139b50c0edb6afdf3a38df5550eb53954d88061552dd2f48f08c46d0cbe7dd15f0a4a21d621d271a04240f41e4bb22f

Download Submit
C:\Users\Admin\AppData\Local\Temp\AosO.exe

Filesize
208KB

MD5
87c134d995d22a0b6ce71c165973dd38

SHA1
22f9fb94d8b4fe967189ab610649d33859daead6

SHA256
caf2d70f0dbff2faa5c4d287451c42769764b26572a86ee8ff324ef2fd7bf0c9

SHA512
3af2cc219b997d315a03f0f7458c24b585f71ea7d97001dc30c49d60fbbedd8a8893f9135726100b1940f4ef744becfebd2614c7419050320f0e7d62ecd28ee7

Download Submit
C:\Users\Admin\AppData\Local\Temp\AsQw.exe

Filesize
190KB

MD5
e0e4afd96d09fb004975434e992d3d2b

SHA1
c8a6fa81ce823f0c09943ab1a1c49d06e03a5a28

SHA256
d4ac0456fa9f5437edba8a88bbc457d9455513279ae1c709df65cb1da842fe5d

SHA512
5a8f2151e65b649ec2e85aa1288cc7e8806a9e09f424111c17dc782cbb17f99a9f9e8ae0351a394764793b6ce0044eda8579d8012aa16c1a4df480f32cdddaa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\CEwO.exe

Filesize
210KB

MD5
988afa98e1d7bbebf2eae6d2375d4a42

SHA1
53d1439e8b339bbf1f757722074479da014c5fa4

SHA256
8bf076c3d01d7994fb97c93af272501d0abf13a25169ed08d2046d208eeb3afa

SHA512
9c18ff529cad3de451ce22f8e7b6b097879162319f3f5e18f06ac82468d00bc9cb5c2729451c75cd5fa7e6d778d267474558ffaa70da4a1f1b29e621ea85bfb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\CMUy.exe

Filesize
819KB

MD5
10c9c65051f351adaabcdde25065fab4

SHA1
2501aede3dcd9a1d0e99676c0bd12b613d95ef2e

SHA256
89c221a27167e7a2e31d836ed26ebf9308e4094e8f6185dd57f9b1e000ee8ec1

SHA512
1bdd80b3cb5f966d63bb1321da03ab3e7c772685c50ea6b0463e9a200617d08f1dc06f8dd7879148addbff34ad3e0bfdc836b3854aa3c3e29a5828da98b8a9d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\CQQa.exe

Filesize
193KB

MD5
085536a8c4eeb92a9f99f47d60aabda6

SHA1
2a5defd2f0a1c0b7640583f25bfd799bfd6dd95a

SHA256
da2a4442ca6183ad4c878cfb33e30ca09e8be0680cfe454a55e7aee021f6603c

SHA512
4e38e62c09f11eed5a5b7abafe2293cde4f54737d7f56d58701aa8f33612d505ae4fcad3cc497c4ded866dbdc64c52e515501bf0509158d2a7c2de5b49d4104d

Download Submit
C:\Users\Admin\AppData\Local\Temp\CUkg.exe

Filesize
189KB

MD5
09ff8087f8cee85b30ea9931f365f49b

SHA1
7b29ef9975e74f2303da4cfc8119d7446c3590e7

SHA256
36e88af79823fde6a46dc258cae373b4118a82da114c19b5d05a11cf4dea16c0

SHA512
25422ce12d0ab066780cf6d8b227f9bc0686da63463668e3708f461c7e854fe4ab85f08d70243849ee2bbaafccd5a1962434afb10fdb33d29eadbfce8e9362a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\CocY.exe

Filesize
881KB

MD5
a65a7017885485884189f557f5aeded2

SHA1
8b41a91ce67672e4fcecd6726ac539f2c7075e6d

SHA256
e1fca7a77bfbee6301bec391861c74152e0b68f1acd56dcef81dbae60bcec534

SHA512
2c586698ee55344927704b40630eeb585e09c174ad74a35ae8c108e9c6ece693018edbdd482bbb6d5002ed5769cf643918fd5132a6a608f9465044fc36f03659

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cwgu.exe

Filesize
192KB

MD5
4f5eedd8372676cf12094d531a1a9168

SHA1
66be086a429be5c3594fd227cab707c357b11b2a

SHA256
cd27b6158cc132da03e5a038b0c0928a3efce71ab98c002ddd15981cdc3608cd

SHA512
9e4bdd91e541465b4190260c666ba4c42a538c3301aacd98d64fee6520bc4d978cff0854c95821d224ae48fdcab1589e281065bec9021f32397c7bada182de87

Download Submit
C:\Users\Admin\AppData\Local\Temp\EIcY.exe

Filesize
5.9MB

MD5
067057c4c00245b6ede81649cb79cf20

SHA1
bbb8eaa102d6fd827617606356235ff1cda400c5

SHA256
300dfa90865cf4acfe9c1598150700b78f2beb31736a350a8f3ce724ecefad12

SHA512
beafb62541c6ab88c0e16cc1cfa4af2e63cf9c5c3e900b1f21835d6eab27b2c09ad9d9f21cd2269a9201af2156f3839aacfe5ff56d263a83c56709281e556c9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ewsg.exe

Filesize
224KB

MD5
7dfa93834d7bed307a5dd16888ee5f4b

SHA1
4e73766c67deda96e3ae07203c0edba3666e7c80

SHA256
05a918cb23e8bc03ff50a1aadd34990ffa33f91071e7fa7d6b1c1031778eb24b

SHA512
c7dda6fb618f71f21efc6db92b708d78abc4aa4894be1a2b8400885c38537e25009d4ba2398db0bec81a38720c76ff1594a0ade488c0d96295634cc951e95b40

Download Submit
C:\Users\Admin\AppData\Local\Temp\GAYy.exe

Filesize
289KB

MD5
afd6bc76138cbb206a88e1f887cf285c

SHA1
889b908e2ff883ea304c695beb83094edbaf8dd1

SHA256
9ad3abda46b77b44b5eccd1d07496717645e1b842382449e1e653339a205dfad

SHA512
e1b5f80f030c73abe1b3e4c6df887e39db19c3c752986d4d637e32623017546877c74f345458d5312d5c635d87575de4dedf3bb72b7f1de284c7fce3b9050269

Download Submit
C:\Users\Admin\AppData\Local\Temp\GIgU.exe

Filesize
250KB

MD5
0a7a58efa96ccf8f370c3a64aa5a5765

SHA1
a7beb0da9c4a4b297e8a8b0b1443ceac107a4d2a

SHA256
3ad42e93206d12c89e39f1173f7064a1f4c81da29feb89a4f6e1a843f0c6de1e

SHA512
07b2b22cc3ba8fbba119554765f7f7d04c15ba78e59521fe28da48472c87233fb9d24ca9588246510d479af6a2be1d601be9772f505c2d16260b89ada26c919c

Download Submit
C:\Users\Admin\AppData\Local\Temp\GgYq.exe

Filesize
192KB

MD5
a57b90d52f899f246d24084befc060a8

SHA1
9be8289c8bf6faf47f738c157e217da32a86257d

SHA256
b3d359bf11466d6b8c5b295125c6f36e515031ce21a8369f503ce778a7298cf5

SHA512
308b055b1a4cd40272ccee88b49d309f20f50df6381c2e963f7e3e89f851ef2515aa581e6b74fc66f6683239a8552bdf3f4d33d5e1657eb0f230a2cafae51418

Download Submit
C:\Users\Admin\AppData\Local\Temp\GgoY.exe

Filesize
182KB

MD5
3518c4784181d4ac0aa8e1acb73afc1f

SHA1
a5cbca964fb1a436cc139c215c90115ba0d39641

SHA256
6e26b4afb0e9264c01bf110355d4d2f88e1c89087198f4743170d652bc50829b

SHA512
2b6c2424d14ecde0848356f7e7b4d5abce38ad0ae2c68a96ca837611c8912565f5f2e079675066413ea2632f10003a83e6b4d6305d54191d29a132d52f48e1ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\GkYO.exe

Filesize
522KB

MD5
698fecba58ae623df92c004915ef97ee

SHA1
62c2fe85d2af1bb8dbe6acede751db59cfde2a82

SHA256
d873962ca249ea49e284614a2df8ff3b6a36e969d776616136af456f03627f13

SHA512
f24e421d333d50c1cf364612d38e1447593897f020f6698df225c055adde738121537f5decb71c5391bd5f695015b767a16621ea1aa4219357b8eac1f2626b54

Download Submit
C:\Users\Admin\AppData\Local\Temp\GscA.exe

Filesize
569KB

MD5
7fdabe01cd5a564e96efea244c4a9578

SHA1
c25cc46568c043964190d707a92cc22f587b2582

SHA256
8859bf3046de09181dca8ff5ff10f84fd078988f1077920ad68d7d8e0f5fa3a2

SHA512
bcd51ddecfa65c0b9f9a37a62c37338dcda5b510ad63a78bc48b355ab8edc122832839e071aeebf52b79263fe49175b272f9caaab91f79efac3af48f894e2099

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gskc.ico

Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\IAoY.exe

Filesize
484KB

MD5
ef595bd0338b39d65c235ef439cf796f

SHA1
e6d48e970695da9b5c8c661ca030b3038933fd9d

SHA256
afe15ffc1966fbaeb9d62449318cc3f0fca0d1b6a4c7a8bcd760e54374b18f46

SHA512
cdfb7d119c5c0206c7adc7b1476ad159d35b4a18769d236aa6597d3f34d8c15093b27cf8e18ac41097826cff85a18ef8594182837921e44f53e03dd52824b928

Download Submit
C:\Users\Admin\AppData\Local\Temp\IIMY.exe

Filesize
573KB

MD5
96e71462b6e09ba9d51866f1147de7d5

SHA1
8a060737aa90ac005026418f6f8105831f3d1474

SHA256
853d4538d23feaf845575e65aec69345d74d3258d8dfa2eb30c4a3e8c0d371b9

SHA512
03daca3e9bae3350fbca26e62474f4eaa14c5e18e24b154b32da2f9a742acec87d326de4d2a04dc365f494b49240e2673e3159cd63a7ed228279b2fb96163a00

Download Submit
C:\Users\Admin\AppData\Local\Temp\IIQU.exe

Filesize
188KB

MD5
a2af81bf2db640f6d261c87027c50d8e

SHA1
14a4ebbcdf8dbcde981ed408caf60f343cd07a08

SHA256
b6ad37c7b8d33a050d33cc739ef4403399617837d1acac34952cd0ee3938a5c5

SHA512
623ce7cb5dc5ab4b3ef55ca298f1f009ca770e1adf7d37bef83637d55722a5ed9b93fc25be9eaf9ef8a12dc44d1a459df4122eab79139090bac2f2428c6361dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IoMY.exe

Filesize
797KB

MD5
de12562ddecf9910adb85803cc8f3333

SHA1
3b916b29fb3e76125f36ef7e3867a1e9b5f56861

SHA256
84f85f8319c1275eb8cbc8a532c4e2d268ba37bb9594213b85015b5623d9902f

SHA512
b73155d0dd892f6a9a3f5a0e58830382ec8a929dfb5f7c6a012430b38daab3f514e2fe480b61d9628de8aef7de065e06b070db1623e271ac6f9bc3a9ffad4a80

Download Submit
C:\Users\Admin\AppData\Local\Temp\KEIe.exe

Filesize
198KB

MD5
ab8d6d7a35859996552fc591c11bb9a9

SHA1
92e3e12872b4c753af2e3990974037c50ef807f3

SHA256
8279863f8fd213de3d3bd22c773bd9af0cd0fc2b951110f55a31874a34abef34

SHA512
46179e4a72177d155b487f180f2244aa2191a7bec2e5f1183d183ac4cc58edb5fef77531f93ee29eeab8778f3419e3b0fe5213f2f6c03df4624cda47956d8f98

Download Submit
C:\Users\Admin\AppData\Local\Temp\KEMy.exe

Filesize
999KB

MD5
5977232855900d797d1bcc461fd9d7bc

SHA1
68f6f2bff257ff74cdaf0d53bdc0c8ba0990652a

SHA256
5583ab846281bdc3d75cfe73fb58cfbb501302e44d9a28dac6f7bf1a80a2ac43

SHA512
e5705659ba2482fc633225195374a71394d62696042ddcb74b413db5430a5c0a217ae8aea43698ebcde35f96f30daab231cf124d2434e4cede7b3230b2aa4391

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMsK.exe

Filesize
324KB

MD5
b4afc642875aca8584227731c2891eb7

SHA1
5439e728bf1db806ddf666c77793737d1331b9fc

SHA256
77226e751d34b534512f38e898dfc8c0748f0ecaa4aab08714cf406a4f0e5322

SHA512
806d955bc5357ff399d77cc2250a1d921111d16308ef641f853e27b3249296a56cee2c3d335b8548bee3705877c747312f4ac3dbd7ce1f17728fe2fc17b81643

Download Submit
C:\Users\Admin\AppData\Local\Temp\MiEsIYgM.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\OEYC.exe

Filesize
195KB

MD5
1cae2b5fe11d177f07d4cb3aae4903b5

SHA1
ac59d69291e1f8163539c7632af80a47031a92dd

SHA256
1d74fabedcedaf0eb7921d42387aec4990e35d19b93a97fffc9f23ddfd563cda

SHA512
607159b0c50b67657a2672e8accdd3e15cf104a23a4d6af1f2c98ae5a8f073122027f1a4781739c15d754d633fa214a7e5b8f9d4925c3de1893e71987464965b

Download Submit
C:\Users\Admin\AppData\Local\Temp\OgkS.exe

Filesize
208KB

MD5
480f18dd0ecdd95cd43b8fc46cdaef07

SHA1
c08fa9551645b697b1ed9f6b2be28c867a027828

SHA256
91ad19d3c315a94779dda0828b8a91bb2c1c68ecfeddba1da492099b549cf2bc

SHA512
5c77995df8c60fd8083f39cf06d2a64c590f5379546b7327a7032b8023b10d1282a0675ab0019040b3d5fe3138d533cc7ed6e41758c4ad81afbdc974646a946f

Download Submit
C:\Users\Admin\AppData\Local\Temp\QAoA.exe

Filesize
207KB

MD5
6777ab7e9928fb86d219f67033d248fd

SHA1
5ac586289d1aa8ba4fa795388051f5cdda4bd7d9

SHA256
2881f0f7693e5a7bffd96f198be426872d35275fe06f87e5d4f239860f4e3677

SHA512
765266b2028e49f4f50eb6ceea20597f3475acd194263ae622f2b020605b67cccdaf9c96589b544a4abb8938cec90a6c7f9f378bd511108e87a1967696f69a70

Download Submit
C:\Users\Admin\AppData\Local\Temp\QEQC.exe

Filesize
191KB

MD5
c5b9924faf863a8ec9da87565e6c7869

SHA1
bf49740b26826a877f9a4f308ae3cdf48cd951dc

SHA256
c612057b2e6bfc76b46e5cab045d359fedde1aa407d282b01e7128e06c296b0b

SHA512
cb0d795fcfb0474a09f03aa0477e8c3ab2d55f6b7c7a0a47684a237755df2d650ff95c48f1e4ab02d19d448ea3cff5e3e6fa8cfcb1d0ac96342dcc5794ca06db

Download Submit
C:\Users\Admin\AppData\Local\Temp\QIsI.exe

Filesize
439KB

MD5
d9a98917d475af4bb9389ca51290c406

SHA1
e08685e78693fe87b8d60df0d6fd81efa057c288

SHA256
6b22eab6d94d681c97256f19643c128d5fb2a63f7252840906f8522498e2c226

SHA512
fa0b60a861ecea3eeef86177627677df7218e9e59937bba009b41455108ad99222f12ff3aa0a51a45dccca2c12af3621ec9a8eefa12aac76476369a6fd13bdd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\QUQI.exe

Filesize
195KB

MD5
b1011d2ec5c093c6de11709642277367

SHA1
da7db2611cd7362f6395b0ecff0b45d6bad4b844

SHA256
1e308fc46c014dda46f0566c88496a566a31704a1f575a34bf7c826ce4d53f5e

SHA512
32d261417574a6a1fb8c6bb93741d373f7730227c82e4725290d352943df633120565a9af975c08a79e2d5077eb2fea6eeeac292f06e5299fac94b33a289e5fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\QcUi.exe

Filesize
199KB

MD5
ab83a9620f02db97033bacbf75bfdebf

SHA1
faa26877bda6538b98f4c046e8c083a2ac8a6bfc

SHA256
7b1426fa00974bea8a1bcd82d31f052b18ce454e3cd8e1a05e1cc9313893466d

SHA512
489f406334af975187c1b852feff9952b826afa64243a39789f39576e3c9e6836c3a0317d9ba53a212932f3b641e86a7c833926f27919032e053bf605b5eb0c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\QokQ.exe

Filesize
186KB

MD5
446291c171690e3befe7185bb11e5864

SHA1
d02f5051550530364ec77d6a7b8614212f286241

SHA256
59d2f5741fbc07f1fdf41836c180e0cf604caf022b144200a59fc212694e57e0

SHA512
0e9cce587851d117165aae91269f3a8da2ebd3eaff43371e3e6b1e80271d2a5841ba3c1acddedb6fe623b9da28ddfe35c56b186fe89f8585a8796ca25dba87b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\SAQM.exe

Filesize
648KB

MD5
125b5ae2bff40cf995495bdd5a01a13e

SHA1
e89aa9b40e88b3bed64643b463434f20812eb043

SHA256
820c463302208a66dc2418646684b85c7d80c08ce9fbc567ac7d81601daa2f16

SHA512
4b164b421f51b8c58488f9f1cc827d4f71ab17e367f4bd05bb6d644b6d91d5187eeb66afe2c4258c76b77a88b7222456e41a0d2800ed451e8649f0b3e1ebf0c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\SgEG.exe

Filesize
205KB

MD5
9b38a31568481b1a6451a249c2db8cba

SHA1
30745aae617f4a6fbb967ad74cc5a8c7f938a64a

SHA256
1513ab4c04865269f72151591394aaaa3cb15d7fcdfbb7931d24db7aeb58e075

SHA512
f5c92bbe7f97b6c88ade44e2ff21dd85cd909cf46fa6fe3132dd82b7e04d468445eb82c8e9b6027490cf2f637bd574b04f4dd2fe795fd326cf1a7510582f1936

Download Submit
C:\Users\Admin\AppData\Local\Temp\UAso.exe

Filesize
312KB

MD5
7c60b6f636c1059da57f35939a9c4705

SHA1
1d75dac739ac3d77f42f90e51d9aa00e28e59e18

SHA256
c4be9919c533fc0163811a6398c7c25689b18aba480d950f78d72c5a689a71f7

SHA512
c4ecab45567ec1b2965f032c26422d7c612c891fd28b5d6da9a91f6cd26f5e14e78d989a25ce1e656ea66616a6e5e8ada82f17ff8a80072c428b99a92eb48810

Download Submit
C:\Users\Admin\AppData\Local\Temp\UEYi.exe

Filesize
195KB

MD5
bdd42b049245b70eee0a29bd4381c5a4

SHA1
62d12bd79a2599abeb319bda39eb1f1dc308d84b

SHA256
6ec7052d8583391e1b3dadda3c14ecbfdf5d288d89a6c95831080d5c59cfaffb

SHA512
687a08ecd12988eb075b6bd33e5e253f6f5fef260defffab526d81480ba539c7ba519efc77204cc80a68505cc3530f1c455c8614917f7537a120e72ba2676199

Download Submit
C:\Users\Admin\AppData\Local\Temp\UUIs.exe

Filesize
200KB

MD5
05ebcdd979241357d418817b4f3b4fdb

SHA1
51cd7085bb2ad172784c443ec93b3720b6b0ccd0

SHA256
743586dcf813407c93fa90a6f6d72dc0c8567e57e8f70684806eb38d0d229269

SHA512
2a6f3e45b7f4eabe835b46a11da0f9b83614948447cedfd2a02fb684a20d1d818e5ca6e9b2f17a69c07ab65648efc41468848969609183d5b5268468dc363d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\UgMy.exe

Filesize
184KB

MD5
4c66b58e08e6a3f146801dd4d92eb82c

SHA1
115650e9b3381fe94f0e53714540a7d44d6112f3

SHA256
8794a1e5ea74190ac36471aad861e704decd3010139d702c6a6859b52f11db63

SHA512
241be6b4b10437d1bb94277b0bcd2c67d76137d9b8561aa929ee1a5aa1dff8db7e37b588766d3c332d0db9b6fc2e5b608d6a4eb9cb1f41033577ff0f66152899

Download Submit
C:\Users\Admin\AppData\Local\Temp\UgkY.exe

Filesize
619KB

MD5
9a1c536c6a06392b800dad9109346613

SHA1
06c22bf8cfd4d3f2f7d517c33774e7340a7f5d28

SHA256
7a9f7513bae2c9ec346f52f6490e773095bdbed73188e6e9198c883d9f1f354f

SHA512
49cca49721ff413f8e92fb8ede09632c5a235405832c7a8c5f2549db7605e016ae0986b1dbe55aa692ab845c82fc9fe34fbd24ad542d6d3363b1540d0577508d

Download Submit
C:\Users\Admin\AppData\Local\Temp\UkEy.exe

Filesize
1.2MB

MD5
3090f7b19ccfcf02af682c94ae76cef6

SHA1
35279be3a743a99883267a894f0ff2f15f943aef

SHA256
77fbc57a7c6e70c2d3ee2573b198409b2a62fa8e3414d099f69f7a9d3895e7aa

SHA512
a0d04fa977e169dd0f25dc4d089e54cc58e447759442fc35097530bdfac2229cf9f00633f24ec69a7daa2586800f434d8ff564c0c671c0346957c459fba71629

Download Submit
C:\Users\Admin\AppData\Local\Temp\UoUE.exe

Filesize
804KB

MD5
6f98ca520fde08170732e58f3023e7ba

SHA1
015916f895322ee6988cd0e565eec5e5052f8259

SHA256
3fc146658e9f83d250e2d5e6a73575d02dc8acade96765881b773f6d8df3e73e

SHA512
9ed85a2ed7ce6a5d8d1e4fe915a3c6ec3c00500cffb78658e2b6813178a2f4924b11c5c1a86c4b66a5916ed3b8e1d1b8f957f967a98485c149613836ec1f6c73

Download Submit
C:\Users\Admin\AppData\Local\Temp\UwYE.exe

Filesize
205KB

MD5
cde43585108a4b2d2801ef22a4c9eeb2

SHA1
dc7d4e6bb617ba898592d97f62699bd51166b314

SHA256
c824494beff2bf5c13fab271aa859a9e5d61ffad2cfbbd747a5045da2fb9936b

SHA512
035fb3aeef0547430feaf1a26c4ea3b85b6d20a3821cf25cfe72386323d2d1a9796a2ea61edf478fe0ec4f06a036bc329e68c1b5b87ba13d8233627fbb8cc437

Download Submit
C:\Users\Admin\AppData\Local\Temp\UwYk.exe

Filesize
266KB

MD5
d27ce280e8a468bab35a8a145f57b9de

SHA1
7d7e94c46b1c9f510cd695f2eee56b5aaa813555

SHA256
5212ed80771667cbcb802351e25467a3183b37d166ee1f6907383b15b8e0d522

SHA512
2ec0fe2a8cc000deb607714046fc7fbf6f1eebc477ff300667492983ceb29edd3bef6504b3c8837305eec35c7f12adeb415b5b54bfda71dc4f84108c178832bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\UwwW.exe

Filesize
315KB

MD5
4c9aa458cdbec9262d83d22c8daef1d9

SHA1
93a7f9aab4c94d730fb759548a0aa3d78f2af7a5

SHA256
84cf53581e482a7b425fc8c4efbe0882125abed5463de9012293ec7517c151e4

SHA512
e9a3de511af0eaada5f4ed4ef3143c978193b0557983e65d2ab7c520f2774a9a9242609134dd1967e6b9adf643eaace21acef9890ed41571a5eb985e112047df

Download Submit
C:\Users\Admin\AppData\Local\Temp\WMUM.exe

Filesize
201KB

MD5
27f86986ba8e10391f9658ff08fd515f

SHA1
c5338a327d1df3cb32ac2d155b0bfd00b2cbd5ca

SHA256
8d4b298e7e0793c6c7cd414ad7ec403752495941820554473bbe435d83c87706

SHA512
c71bf48448db36a95051017babc52ad3f63e9c5e3c2ed9b8391231c4d6e45ddec117cf580aca5379f270339822705102ae103d7a6c0b4306275e0d4a3c53ccf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\WYAs.exe

Filesize
219KB

MD5
f4fd7f53f6606ba645aa330811d448f7

SHA1
7ba265d763af1756a4fc43cf52835fd8bd07ed99

SHA256
03a539a1a9078800c6975e24925735abdb1e362226268d420d711df1b42eee14

SHA512
d1ec97b2c515eb5665ef354cf35fe9f806f5dbee9ad4a601af2a0e08a1190d857dae7f0d7bc9b51bf2a8a50cbc5a3ffe221fa966a9716b808299f411db942567

Download Submit
C:\Users\Admin\AppData\Local\Temp\WkQA.exe

Filesize
190KB

MD5
a0c21c604e4f05a404386934730b46f6

SHA1
521f37505d0a5e63ec4b11bd97759cfa0b262e89

SHA256
0f1ff6c79e669be35f81f609b948c67f3531adb5c3ae4547120b98dbf9b316a0

SHA512
0d81711e30d6cf372b927a37e1c5eb8e265181d036e91291b2e01b6ac987659e4e14e0519c42819b065283401f542c616573beec45f62e776ba0ac607acd7ec7

Download Submit
C:\Users\Admin\AppData\Local\Temp\YAcM.exe

Filesize
200KB

MD5
d1ac93419fa02ab50b8858810af528d1

SHA1
fd75954130ba87d28a4442440461775f49c46376

SHA256
2c4fa290bdab140b755d4e4ed4923156b41dd73906b00c3063129d2173184399

SHA512
1fd77b1d3c6424cb4452355340e1807d4b6c2e1c47221d8c62ee15fae42af8454a6919dd5a473aff457924fd2c76b11c6b791e7a20b73b47853e5d43ede36cbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ygsk.exe

Filesize
798KB

MD5
60634c5de607eb45a60e3969a0aeba33

SHA1
f14f6295d3a596deb4c548cb1755459488446f73

SHA256
e56288d17d1c05b3033642b0c001cccf1be855c5615ca58aa1ff080674b4924f

SHA512
4a718c8276f40d16c7f6ec27737e0c7fb9abd6374b8caba28fa1f10d6322751e243d1ac15c42f791188709356e49ca04b5e9ab21fe14b1f30e35fd8eef507c9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\YsIE.exe

Filesize
5.9MB

MD5
105a360c3034e75d34adf7de4c5d4cc6

SHA1
2e774120745aac8c37ac4d9b0739ca389b1c4ab0

SHA256
b4fead00ecee5bf1b38d21f13184fcb270b6f7b4e1f293ee7d4c57cf715f6664

SHA512
f2463ff1fc105ce9e59d737447aecf65d75c79705ba675bb0fac581737606df45dc18e41d2f533a32e270b6868d5f1317c0bf9163ea70117455ad3cc184df8ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\YwkE.exe

Filesize
209KB

MD5
0b1175736315ee90cfb454279890f39f

SHA1
d0994b6bab031fdf929a2fa702e88b301262d484

SHA256
2a64ba51210c07051a9851ccbaa0fea712c42f96438d5ac143ca751e53122704

SHA512
9fef6c1caa1810be94f6edbc750011e3fa77383a6e28c996fc3c24d4e5e347050357d265ab3cb4b6e2d55fc9ac34265c184815f36a15fbd7ded3601014b8a705

Download Submit
C:\Users\Admin\AppData\Local\Temp\aAgU.exe

Filesize
203KB

MD5
309ede1a1625a15951013ed302d0c631

SHA1
4c8538a2dd8f8e219b733a3bb66473942f45581c

SHA256
d83e7120949fe37df504045a7c92f6b0867079022e6ee4b183eada7a1552b1b2

SHA512
b78e674e7e98d18629a54176a623f30065208b75dcfd274943bb3a0a9cab54867de914a7482ac18966127759a4242d631cf954690a5a953a383d9e49d68b8b2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\aEMy.exe

Filesize
920KB

MD5
15dae121ede08e1fc6cc9e6062c3d6c7

SHA1
02a8b259efaa56d5ff514430083c6a06bd0d614a

SHA256
a545f131753c3f3f8c832fc94b413f2a18993642fc2a6423ea8ffd2e64959fc4

SHA512
6e10670001c73857c0b7aeac9834d7e7aa0e3662fbdfef0ee806559795f1536e5309e037f639e92b2366047740fe4b636d456a9fda6af9c7ac1b425477ec157e

Download Submit
C:\Users\Admin\AppData\Local\Temp\aUIE.exe

Filesize
206KB

MD5
e017c18ecb7f12f70fba4b6b4e5f4fb8

SHA1
edf484b8b8c3967960c87ca96053f6c9eae4dda1

SHA256
defef3bd0fc8ac489802287e76ba11f3a194b5e97873b3fd9cc30359bf19e46d

SHA512
3844f0fa655824c2d87d3471b33f339ec5ba9375f21ac43320b31c4f7ddd60d9ac6f9bd2ef689b5f212f116e5c152ec7229190d32f2d54eee8e1358322ad86d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\aYcs.exe

Filesize
186KB

MD5
33d507842afbbc8fd21b89576fd39015

SHA1
f16bd47bb51357411da2cdd35771b7b2679a249f

SHA256
88d11ff3fc05c92a3c5579abe2dae3b2655934db3cb2d914742f11e55e74255c

SHA512
7b66d67eba43fd221f8e6d79182ad63668e561f69fb34c6d93aa439076bfd3fa2026985aa6438738e2ac5cffe81e599599330717c08c3c1cb68d146376cea29e

Download Submit
C:\Users\Admin\AppData\Local\Temp\aggg.exe

Filesize
1.7MB

MD5
8fbf3d40a3678941b5beef932bc681d6

SHA1
2af837431ccb4dd803bd64e66b18919730767135

SHA256
78564028a434b892b233528386ce86f903fd9dbf8f4df498969e468a99574370

SHA512
ca59fb07f285571a2a65eea83affeebc8daa28c8bf7b016589c0293de1264dbacc66728c63b178fda350e4588e727c8fe6ae9475d1b1b572760c66238896b462

Download Submit
C:\Users\Admin\AppData\Local\Temp\awou.exe

Filesize
769KB

MD5
b7ceea49390c5d048fad2eabb7e2bb2c

SHA1
95055757b220abbca83e49ff5221a00945f24068

SHA256
91d7380f0ef9af22dc7cb8375d856abe6b067ba74f555fe0eff882b0dd951a1d

SHA512
23b04a00d5e2f8382d2a2a835afb3d30703ede38f858506833327becfffe6f82ca85c558c47b23b6c734fe27f22408a6a2166f3c7ebfd111710966e9dd504367

Download Submit
C:\Users\Admin\AppData\Local\Temp\cAUg.exe

Filesize
828KB

MD5
b168e5cba9d824fae83d21791ab45a9b

SHA1
a7870c9c80c83f8c67b7b23b02a385ebfbe34283

SHA256
fd9db95f6519470a0c2947a020a7f8b3fde0f59f39d4f6e01b9e6d5dc7c76f67

SHA512
0e4ee20e6a1223b6da91f935ee19b78c30894ad3c218d92fa1e9c050528a737d5d6bd5918e247223446f65c0b77a491321f034efb22a55ae5a8cc489aa3b9c71

Download Submit
C:\Users\Admin\AppData\Local\Temp\cMMW.exe

Filesize
204KB

MD5
8f0ab38c2641e7f2631c1824ccf7ec13

SHA1
32e127612c78c90c46edb7580878e084e3c5e773

SHA256
69b30e2095a5fb29bea18f8eeedaad08096c92436e21de59174473645ac5acce

SHA512
7156fbc760134f9796f6907d0db65c3fe4579a88f5b68aed8fbbc7482146b42520ef0caffaba85ee90858993d6a21aa208e3ed25f1b6353e9754af9346131969

Download Submit
C:\Users\Admin\AppData\Local\Temp\cUcE.ico

Filesize
4KB

MD5
6edd371bd7a23ec01c6a00d53f8723d1

SHA1
7b649ce267a19686d2d07a6c3ee2ca852a549ee6

SHA256
0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7

SHA512
65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\cUci.ico

Filesize
4KB

MD5
ace522945d3d0ff3b6d96abef56e1427

SHA1
d71140c9657fd1b0d6e4ab8484b6cfe544616201

SHA256
daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd

SHA512
8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e

Download Submit
C:\Users\Admin\AppData\Local\Temp\cUsK.exe

Filesize
636KB

MD5
4dc680e22e07504960ca69f7c930f326

SHA1
d0337660314db1e377d04b2d1b24d14e160e8ef9

SHA256
c27748990b7e55b6fa74e33a37eabb49b009ba6ff05df5a1fcaa37279d0c0744

SHA512
6f3b0d2e7a5ec2a13c1a1f329ab8e0a9add842094980376b8ca3050c19c8634e65f21a9a777b967a145abf568c1b3a1013c2f22866e9525b2ff5cb954321f14d

Download Submit
C:\Users\Admin\AppData\Local\Temp\cgAo.exe

Filesize
418KB

MD5
32def2b0bac539bc032417f2b31d4e65

SHA1
4fd1515032d2d5cc8c7b2f7c205540cd8fafb05a

SHA256
08caaf454a077f4b103e993a7b38d276a7d8e957ae23f50f1058cb90df5b8ebe

SHA512
d7d9c6c20a7495c678809a58f1043f40f8c29f06ac10dadb55ec26a86c53f51fbca8b6418ba2f198198c86d03f7bea0d264af075019c671a00ae7c602a339d7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ckAi.exe

Filesize
638KB

MD5
c3e4c8798c1302f98a186ffcaeca5e5f

SHA1
7d6a55ca9953a358fa6bcc55410859909ced565e

SHA256
36ec15e8a3c970b404a1cc08f57a4d4aec4f0f465ee62e3df63a6089f7bb8cff

SHA512
bec92c9e58a38de51368a2265bd50eef1c80ad844ce08c61ab8a30c3e6624505a77398b26b49cdb71fdb5bd5ce16b92c11fa8cbeac6abb74c9fac5fb7fc20fe0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cwsS.ico

Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\AppData\Local\Temp\eQMo.exe

Filesize
817KB

MD5
595ce5039db6f5bae0192161fad00466

SHA1
31cd473bd7f4b465e68a48f8a31cea858bee3f38

SHA256
2b7a73605e9e141f81d892974677f7421efa450ef3b5732ab6c6fee49a9a18ef

SHA512
bd3b6be48689e2712a9a66542f546ca996292825176864f20335e2dac69ca174a896e5fa67d1fd1294b2aa6008e02b1426f8969bb7a0d555ad7b86afd3703817

Download Submit
C:\Users\Admin\AppData\Local\Temp\eokM.exe

Filesize
192KB

MD5
6c6b54dfd7695ba39f699cb39fbea3e5

SHA1
b09ecc3def24dbc6bb711b27149fecac87616c14

SHA256
1a26acb2aafb2def9f93d7182b8bbbcd91cc58987d39a21b47040170c3f5091c

SHA512
55ff6cffa8af97099b31f0d9223aa83911838da75627a8ea4887a3faabbfa2842bbe807dbccb3a06515a3b3e9ec8b891872bb686896ed1667691dfa0be1744ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gEcG.exe

Filesize
829KB

MD5
7f698a0b95152f3265097f68c5c6eac1

SHA1
2aa16ec63988878a79f97cde3e788d8042e5f709

SHA256
b2fcb854b287b85a4fa9cf95cead0758bb72898129fc8a4c86e2894572fede67

SHA512
3b70ef66889aaede681c0ca82558d4619cb3bd7c464435a8a0b461d9ba9396164d5053affe63d6ee6f7abcdb05953206c27aa5149ad7792758acc6fa28890a4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\gwoy.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\iIAi.exe

Filesize
199KB

MD5
9fbb52a8c6d41d461202deb3d6c9b442

SHA1
cda69a58cf2b36033d8462585c3d58015300c57e

SHA256
7255a5fe8528adb683949fba7a28f770b44f65011e5cd91a15bb84e00d3e5055

SHA512
9ca4872e1f050c94165dd766cd2d5ae6c95796f8b2592318a44d92fdcee454438b0cc685917546043d8266a2fe0aafc0e2e2436e462e61b0c844bc964ba9d9f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\iIEs.exe

Filesize
207KB

MD5
48c2ad85b48a338855a4442de8455ca5

SHA1
db170f3557781ea29093a74862c83dfdd481096c

SHA256
fc52ca92321ba0afa0c6b641ee9ebf563f6203c054c22ecbc41f45c560d42a4f

SHA512
07bf33fbfea0234ce6e79924d3438cfaaaf975df4dd59cb69ec794d05c42ec88a65d39e5182b454d1a1ee47ee42979d842b70ba5b4f8182fe27c4aa1eae0ae88

Download Submit
C:\Users\Admin\AppData\Local\Temp\iQMw.exe

Filesize
192KB

MD5
a544f5c5bf93e1ba88966e3a85aa7508

SHA1
67b5cff4b923457049034b39a685c2214464c0a8

SHA256
246c79e48d1608716a92bdd92aed76129d0eaf85e8a561abaa4c96d3858cdf75

SHA512
8805def495344c43e62de7c222a658ad579d4e4f2f5ad935c14270e4166cb91e33553794c962cc5ef0b5b1bd8aae894352a4665fc1b8a69c1f4fd5b11c0b731d

Download Submit
C:\Users\Admin\AppData\Local\Temp\iYUe.exe

Filesize
651KB

MD5
f4a7ec7fdcc6fd11d7b0d2097042df03

SHA1
de5238ac5faedb3919147bdcbbed675f8c17a9c3

SHA256
d87a42fae5434499b155b39b055c35e95901a8134997acb6661ac70f70c657f7

SHA512
99f214bb64ced7c3751f74228adfda67fcb8a68368d55bbdb2f2ce9f7b4ff788303709e5c3981ef39ae6de4145b1a22c4b2fbedf437322146fc5b1cd43edb972

Download Submit
C:\Users\Admin\AppData\Local\Temp\iggc.exe

Filesize
889KB

MD5
e389d67396229a15edad24f715a592cd

SHA1
ac877c74c53f8e5ef511b428102099f0f180c887

SHA256
fa12de15e84abcf24f6f24c7acec5e2806157949051c4c2085426e719a7b4c98

SHA512
e595ad46f424dfd667a5132e76d4dd361e36bcf5b16b45544dc87ea8c12b322e3d109037b40283bf46ea77455aca104b927a0db336304b00496746f56058f7da

Download Submit
C:\Users\Admin\AppData\Local\Temp\igsA.exe

Filesize
223KB

MD5
af8eef8b83795f1465111828e83a0bd0

SHA1
5eee3a813df9af52fd5639875b6e02c56847cf38

SHA256
9c3b937ef3de79f89be4b7f34ec1d80cea502c3b77d35a56a5878cf5deb8c390

SHA512
9b09b1684b2b5cdee918a31cdaadc33b3c3cfa3593a819e1b347cf3b9a19a8ff966b95fe35dc491af553059512dd1d80aa5d307e0f306c4fc44e0f02196fcae7

Download Submit
C:\Users\Admin\AppData\Local\Temp\kEUy.exe

Filesize
324KB

MD5
32f6b9dc58b414c226d4959bf7862c2a

SHA1
383b129d492deef6ca53a07fe94aafe64d67c355

SHA256
ac7481423c8ec6de49ac43474a2bd79ea3e318f5063f0d48b77a73b4e8efc447

SHA512
50db50188293a963c492cd6e1b8fb345dd53073875e66504727ebe2e5eb5e53555b45ed401a42c4ab6612b8761005f7994cb26a8af89f39f1446fd6456b663db

Download Submit
C:\Users\Admin\AppData\Local\Temp\mIsc.exe

Filesize
205KB

MD5
d147c6356e67560c0de7d7f9b4b10103

SHA1
76e0e2bed612697f9f07908d70b12c36072d8bc3

SHA256
069e56ac39e115b5dce08c57700c5bd40404d7d9897b114aa89eac4cc59026ae

SHA512
ef179c084d4f6d8bae282efe3f519166ee5568a7d4317d7da7c8bcff528757f863299436842c833cea814b50e93662d6ce7b791d5c86e0172f92dd94ecf37300

Download Submit
C:\Users\Admin\AppData\Local\Temp\mMge.exe

Filesize
203KB

MD5
b044b35771445e727b5e8cdaf0576a3f

SHA1
6d1d2e1b4da02edc7e5b6e22c1ca43dce5b99efc

SHA256
8138566db3a7fdaa5e9dbd69986af484cbb4a72bb7bf4d98ae4f6a8f5f116673

SHA512
b8f7867e645aad9c41f827f41d8cf1f7e43774825a606824d6a64f1b7114bf88a33d01fd2068e9fb6f8d0586effa8ca5a2938838569da8696a180bce683e6262

Download Submit
C:\Users\Admin\AppData\Local\Temp\mkYi.exe

Filesize
199KB

MD5
7cfae9c3942cf433dbf89c5800a99183

SHA1
bcf784dc572b5f9b81e88fc35616aa494cd091e6

SHA256
6958ae996e41e316907a27f62561df262bdb108820d3f56782bd11832f7078df

SHA512
57acf53b40a704386505edb067c9307a98238c5aaeae167e86746c2420860d8a01c4e48d356cbadc9f189f5ab4228e87179d525b50066f5cf690462bdf910fb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\oQAc.exe

Filesize
200KB

MD5
51f606836893525cefb14cb42f78f850

SHA1
3e5fa3523d0d2a07ade03b46c918b8a1b873cace

SHA256
df95698965cb69c1b714d66475b0fedbebc40f5c6090e896a3223ea1c83601ee

SHA512
df5309da553a0ba87909202bb64a8ea7d23e50a832032246d165a09d907f66219bfcf8fe12729c267da8cf160badb98a2ec52f82675e7e58c1f57a42fdeace9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\osUA.exe

Filesize
194KB

MD5
90b9013009a6476b35259877d1a1fcbd

SHA1
58fe4fa9454ce1dee757e984bbb7a86badab8c37

SHA256
aac89e1a979e64911ae4eb8bda9469aa35559b47efcbcea92ad222f630bc0b93

SHA512
be1adffb8e501ec1988e9abb4416cfb370f1983be1c5f31be1877f9bf6b553d782bf390213ea24ad31c6f3c99f281e629f4c459b2bd9f9849036c654c08eb9e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\qEQc.exe

Filesize
183KB

MD5
647dd4269e9c28c55fc35ae5506f65c3

SHA1
c1f850105b08e93a140130046b3fe278b89fdc3a

SHA256
80bccb2c20090a0400bfe4c2959dd8ff5115c4a785f3a5cb2f016d5dd48b968f

SHA512
6e8625c9cbf48689900a5521bcdb6663234d3c8247cdb2b58d9dd442b1531f27e6385a269dd6f2191c562ec0d6cbfb3713693022c67de0415199498d8b6c73af

Download Submit
C:\Users\Admin\AppData\Local\Temp\qEcU.exe

Filesize
773KB

MD5
b28dda05b8b4cb5bee84467ebf24e725

SHA1
6d64f308c421571b329762fbbc831ed18179beb4

SHA256
71e9a14443e111c992c0019fa4dfc1d640a241742c30ab5612070283555e6108

SHA512
3b22afaf857b984f5b1c45fa1cfc62d6c8f467f604e34082f9dca73f6b4a8dbc417676d626993239ab95e9b0794cf21a86261e6470917e9bb9af9afad90621ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\qIEs.exe

Filesize
649KB

MD5
bf1e84b86fa7675ff58e9ae40edf9ad0

SHA1
48fffd436ed26ac11e78710e3cdbd04983c96533

SHA256
ad64920fa9f8445555c234bba0257c3fbac1772c725f6054f18016eecee06b78

SHA512
12114114916771271b74f6f886f3087f93e7af17b546b2e08a8a2aa6f0a69e3733bbaf8a912a982ece7018025357adb69f52ab5c9d44c6444d0ca05a3106e596

Download Submit
C:\Users\Admin\AppData\Local\Temp\qQUQ.exe

Filesize
196KB

MD5
46685533cec132a0cb590b8230ce7946

SHA1
633732d2e06d1a8cf1263da8334c806c12212663

SHA256
da8d24204c49dc8e8a9c5b6aeca656123fb2cb87c6981bddb1700f9b449e9401

SHA512
bad5e9203cbdf7f482438848e878396af3429efaf4c5b535c410415be71e85be856bf706d351eda29faeb9dce67115b16c3cf0f2fa0169289291d4759898dc4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\qQkW.exe

Filesize
883KB

MD5
47f495276c83433778b2459bb3a7dd34

SHA1
ffaeaf38e4917b37d46aff33824f1131080c681f

SHA256
4d0368b63ea7de555600fd322eb9d946c5c23e7df97bc25970564fed700ace43

SHA512
3c27cc6ccab8d82be3d7772f2dc5ae98ff5ac82f07d82c135a73c347a9cd69d07806909ab460a25f94c2083f8605605bab0a85c268d7ef40098ae9542f7fffa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\qYkw.exe

Filesize
197KB

MD5
1aa29acad4235ca3438aaa9e9261cab8

SHA1
b191124b97d342cdcb751e5468914af64cbd2f53

SHA256
62416cd585e3978a850d6ea9a2b6f344d94551b79067e6a8349550cc93eab06e

SHA512
0de1c701dc94672e015b38085e2f37fd2bd0924d7a2c105dd2938d81ffcdd4016905c75827fac7efb55f04f4f496b366b3a46d21e585cd7b8e52f02238d439a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\qwcu.exe

Filesize
198KB

MD5
cfb30a0c474e2640eb3388535a3058e2

SHA1
cfd77454c58b43f673fc2aeeae611e6b1da96147

SHA256
9cfc08b0fba9313dc0daf22801c031d3a85b0a70635e1bb0f83238a282ffdd4b

SHA512
76aba981a58660f47fabbc0da8b51986fdf29d11111e18bc970ce7e235cab902d22018bacd7e750ada213318cf14f0a4f84829ec97ce4ef5da72d437c7d7be28

Download Submit
C:\Users\Admin\AppData\Local\Temp\sYcQ.exe

Filesize
236KB

MD5
b66c33c80dd15159b3f0b60ae0100592

SHA1
25ae7fbc6d19bfffedc0e364eb4760d9b09f7a58

SHA256
1ac171077e06d0d5e3f43e08d6e251db7e1c662da7b9b3f2cfb65f6409dd1b97

SHA512
e4576ce1b2f31cdc4971929b077aa7ae0a09071607d27981d8cf021f1c866b94e0e945bf1a0180e710544af51623ad5b5c32641a0cf7c6820f33f4cb712bbc12

Download Submit
C:\Users\Admin\AppData\Local\Temp\scwA.exe

Filesize
242KB

MD5
70df26741ec9377cf3e1a180d1366d6f

SHA1
656497ad380cfb8e627481e6ecbf85850d466200

SHA256
4d1ed52ea84998de17c0c15e41dda83d9835f532ba80d01024a599c66505f801

SHA512
70b0ace041da19819ee7f6260bdf5bc402d69add8ae40beb1d44d9cb7a5fcdbc45e7c40b4c3ad6c86be844da4a7ee7d1e1d56956c290988662d59945e0606540

Download Submit
C:\Users\Admin\AppData\Local\Temp\uIQq.exe

Filesize
196KB

MD5
357109cc537f59f06fd0d7e352cd074e

SHA1
1ba610f90125623c8851be28999968ad3f12e91a

SHA256
824e9157b492207fb6bb0af154e8de9bc6f2c6eaac25139e53b319bdf9eb3365

SHA512
a30b0a28ea25027c33402f040047b9e9d4a12db39b66e3513edae7d085f82179bd4bdb48726247a736ab6b01ceecc0ab5f72ec049bcc3c09c4a12d1f6b428a6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ugUa.exe

Filesize
198KB

MD5
498800e505b9a810957a857412ff6a8e

SHA1
18f77e9594fb8796d37f9bef9aa30b650b1e79ff

SHA256
ef135762c587fd3fc8ff66c03a95b127a813c8d2ed4dbc5474e90f3301a2049a

SHA512
f000bb467c87bd5aa27cea0633d9c8e194b192087d82e303191c873ac1f9e7394c5d6da836bdffdb6bff60312a0cb1c2d36698bb76f10cae4e49a174fc133757

Download Submit
C:\Users\Admin\AppData\Local\Temp\uoEe.exe

Filesize
198KB

MD5
8df906da7c7b8bbe0c4918a936da03b2

SHA1
51c0d7d645f2b6009b78859e3c22afd22193842a

SHA256
ecc893337830069aae7af00b7893c48784182da4ec5c5018cf54d7480d75536d

SHA512
b0f98c2f1d2edaa477cc59a0e7d29c2bc916436583f7aea50d688bf3f536ebdbf8c62217e0e525730ea50352a8969cbedac8c6ecab5b667a42f56c693251592c

Download Submit
C:\Users\Admin\AppData\Local\Temp\wMAI.exe

Filesize
191KB

MD5
d42c9a1b376bf48037b853dc35a6db5a

SHA1
4cbb4f95c9a1676230063d4461986bff6585cb2a

SHA256
39e4d2669794316fd304e8122c04649129f4f2802994d5827ecb3d4ec689ce94

SHA512
064dd95c6f33cdc3dc7b6e559dd5bad3a93ef8dcff936caa13f9ef7c52a23b53b910b124272587b579a19d5a5e91a1e910416bcff47df4aa0ae97ee3d1d18d50

Download Submit
C:\Users\Admin\AppData\Local\Temp\wQYK.exe

Filesize
202KB

MD5
9157bccf5e5b4d2de45319e39ac287c9

SHA1
2b172f4a82dae13d9a986939a65081ab48414c4b

SHA256
c18b62805de71bd810460169ad5f9688389ff0bdb1a86e53bf5052117df78462

SHA512
35de2b168e210106d5ce9cad504a2f58b876ffb8e8cd87348105491d6cf4f78c41e433fcaee4d49049338a7af4a61ab919d750248c9c2d78242cde3226a29133

Download Submit
C:\Users\Admin\AppData\Local\Temp\yMkW.exe

Filesize
220KB

MD5
22e84e771f7563dd92700f8ec2c0db44

SHA1
84311786733dece4d0a069f5efffb52b428572e5

SHA256
3e5f61b82b6f3657c77330740796174d038a42aae2c1cb0fd49861ea69de441e

SHA512
21371e57ce3b6c8751d11d956244d35e7f5ced161d342e7df32d1414018ed239b2325c817beb637c077f3497600c340e0b659cc919bc0a042a6900f5d895cf8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\yUke.exe

Filesize
381KB

MD5
00d9faf4b3487d297967a14f6576e99e

SHA1
a6b530751e5a93aa9321b4fbe2ea000a69b798be

SHA256
164e87527c5436ea12bf87e706580e955b883210204b9468ddb87b83e6579e81

SHA512
c13ca2875038d255d86e2914cf32cc20b98ccdefe65805a9ccaee1d41fc629279e26685fde4d1c3c4944ebbd6bef755b0f03c365430b170c5ca91c5fcdb97b90

Download Submit
C:\Users\Admin\AppData\Local\Temp\yYMy.exe

Filesize
203KB

MD5
3ce4c1af3a9fbb874a982fa531a7fbe1

SHA1
80c9f1a59ef66aa30de9fb8003602d4be6e3c4e1

SHA256
ad18d4dba36821acab1e37616a3ab2257e6387063e9bd43185e7ccb5ae2dc04a

SHA512
d371adb094a633f06524edfcc807e7c19d29e7f538e73193e6776c5b6516ec7b634ea6b3f4e29e0fe08cbcd46b2249768f8b46e62441cc2868378dc1c5b804e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ykws.exe

Filesize
194KB

MD5
6c2edb52682492f79209af29f173f4b5

SHA1
9ba3ef73603bd34eb2fbca349931441f04bd8d81

SHA256
36671358848b212ad0ebf9424637a442ad84ad4f226354799f98480d9d0e08fd

SHA512
5429efcb41634ad8e7eb56c0f7530adcde3572674726e232baa5e5daf7e6833c8df862b6e944b04f93f7b7ca99f369db7ceef4f5ef0abd69c693c3f67cc8ce79

Download Submit
C:\Users\Admin\AppData\Roaming\TraceSplit.wma.exe

Filesize
391KB

MD5
db441db8b27bc74ecb06bf128efed63c

SHA1
d1e1bab8226e6026941f643f1e2620222776fe16

SHA256
6aea6142563f34f8354075d20c2a1416742d3810e5f707b7d30aa2d1b3a886ce

SHA512
8d36d1192b36503a3612969337b1f38a971e781617582f1f012c7fc7f833f03965692bc4f10843c2ba3e6b05b0d59f637297d63a08c5a655a85105b2d7e8d23c

Download Submit
C:\Users\Admin\EWQUYkUQ\ckggEsEw.exe

Filesize
193KB

MD5
98bcec9775c7e8ba7892949b4957cde6

SHA1
1d8f4850f5c64aa05a149db5e2109316f151f86c

SHA256
f07fd09821d4bbe29f1f6c8307ef3a846d9f9d035aed4028b843e64ccabe332a

SHA512
97bbe636cd18ca06173e8fc5bbdd7ef417f572ca2101af97415ea5e7c3eb1a9abab194a4b7ac24b005f6d4ee24b67566845e84c4fe629717eb8392f6a1fcfe07

Download Submit
memory/320-32-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/376-255-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/404-297-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/624-617-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/848-210-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/856-763-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1084-427-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1140-479-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1300-573-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1424-105-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1424-114-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1440-348-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1448-726-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1448-738-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1508-271-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1596-523-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1712-43-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1720-279-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1736-557-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1848-653-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1856-382-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1856-331-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1864-687-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1912-19-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1912-163-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1912-0-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1984-679-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2080-435-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2080-423-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2196-139-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2196-128-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2204-607-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2280-14-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2280-806-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2288-669-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2348-339-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2348-54-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2388-565-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2508-721-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2524-357-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2616-489-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2616-475-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2720-772-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2764-289-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2784-583-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2856-229-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2892-618-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2892-626-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3032-102-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3064-713-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3084-242-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3416-443-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3440-539-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3468-470-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3636-599-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3796-365-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3808-451-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3832-404-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3832-416-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3840-185-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3840-323-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3908-768-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3908-5-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3940-497-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4012-645-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4012-635-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4056-549-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4068-150-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4104-62-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4104-80-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4252-174-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4276-196-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4296-591-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4304-505-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4312-661-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4332-206-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4332-218-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4416-263-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4424-373-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4436-515-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4492-91-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4492-399-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4492-79-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4624-305-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4636-408-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4644-531-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4716-391-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4724-462-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4724-730-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4724-455-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4748-695-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4748-66-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4832-313-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4964-127-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5028-703-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5036-634-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download