6cf802b773edcd7a7da9dcdeeb36fb2b3209bb616d29010fe90153b0595e2ec4

Analysis

max time kernel
150s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-11-2024 02:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
Size

241KB
MD5

5c96825d8cd6c41c6d564ffdf7d1675b
SHA1

ed2f9aaa37356cbf0fdb1370d8d580f12e487960
SHA256

6cf802b773edcd7a7da9dcdeeb36fb2b3209bb616d29010fe90153b0595e2ec4
SHA512

6b2b5187aff8a90a9f48924bb40cc660e1b1207def30e5902172a883fdb49ed0b08e180bd4d239752190c1f7af010c2c6eb6afe417768b46c481424fe5771a26
SSDEEP

6144:sh6vAzJiHk5fTX2pGdq2EqkBTnY4zNDfLGrsOiFo/kYRd:sVkH2Da72SK4ZLK/6Kd

Score

10^/10

discovery evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (83) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

mmcUccok.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	mmcUccok.exe

Executes dropped EXE 2 IoCs

Processes:

EgUEQgkM.exemmcUccok.exe

pid	Process
4544	EgUEQgkM.exe
1460	mmcUccok.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exeEgUEQgkM.exemmcUccok.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EgUEQgkM.exe = "C:\\Users\\Admin\\BggwgYoU\\EgUEQgkM.exe"	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mmcUccok.exe = "C:\\ProgramData\\ZmkIkwwQ\\mmcUccok.exe"	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EgUEQgkM.exe = "C:\\Users\\Admin\\BggwgYoU\\EgUEQgkM.exe"	EgUEQgkM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mmcUccok.exe = "C:\\ProgramData\\ZmkIkwwQ\\mmcUccok.exe"	mmcUccok.exe

Drops file in System32 directory 2 IoCs

Processes:

mmcUccok.exe

description	ioc	Process
File created	C:\Windows\SysWOW64\shell32.dll.exe	mmcUccok.exe
File opened for modification	C:\Windows\SysWOW64\shell32.dll.exe	mmcUccok.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exereg.execscript.exereg.exereg.exe2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.execscript.execmd.exereg.exereg.exereg.exereg.exe2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exereg.execmd.exereg.execmd.execscript.execmd.exe2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.execmd.execmd.execmd.exereg.exe2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exereg.exereg.execscript.exereg.exereg.exe2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.execmd.exereg.exereg.execmd.exereg.exereg.execmd.execmd.execmd.execmd.execmd.exereg.exe2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exereg.exereg.exereg.exereg.exereg.execmd.execmd.exereg.exe2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exereg.execscript.execscript.exe2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.execscript.exereg.exereg.exe2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.execscript.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

Processes:

pid	Process
4436	reg.exe
4468	reg.exe
816	reg.exe
1864	reg.exe
3660	reg.exe
1748	reg.exe
952	reg.exe
3292	reg.exe
4628	reg.exe
4180	reg.exe
696	reg.exe
1872	reg.exe
2980	reg.exe
3576	reg.exe
4180	reg.exe
4264	reg.exe
3308	reg.exe
4312	reg.exe
696	reg.exe
1768	reg.exe
2004	reg.exe
1932	reg.exe
4324	reg.exe
2244	reg.exe
4872	reg.exe
1964	reg.exe
4148	reg.exe
4616	reg.exe
836	reg.exe
2276	reg.exe
4604	reg.exe
640	reg.exe
2180	reg.exe
4968	reg.exe
2556	reg.exe
1472	reg.exe
2160	reg.exe
4296	reg.exe
4996	reg.exe
2536	reg.exe
392	reg.exe
1052	reg.exe
1364	reg.exe
4992	reg.exe
840	reg.exe
4924	reg.exe
3928	reg.exe
2636	reg.exe
3636	reg.exe
3040	reg.exe
1760	reg.exe
4548	reg.exe
3916	reg.exe
3724	reg.exe
2616	reg.exe
8	reg.exe
2972	reg.exe
1864	reg.exe
1396	reg.exe
4392	reg.exe
4992	reg.exe
2288	reg.exe
4680	reg.exe
1616	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe

pid	Process
3964	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
3964	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
3964	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
3964	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
2040	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
2040	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
2040	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
2040	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
264	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
264	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
264	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
264	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
3116	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
3116	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
3116	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
3116	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
3788	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
3788	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
3788	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
3788	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
3640	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
3640	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
3640	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
3640	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
2616	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
2616	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
2616	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
2616	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
4288	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
4288	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
4288	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
4288	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
224	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
224	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
224	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
224	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
544	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
544	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
544	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
544	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
3700	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
3700	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
3700	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
3700	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
5100	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
5100	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
5100	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
5100	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
4676	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
4676	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
4676	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
4676	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
2864	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
2864	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
2864	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
2864	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
3472	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
3472	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
3472	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
3472	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
4356	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
4356	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
4356	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
4356	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

mmcUccok.exe

pid	Process
1460	mmcUccok.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

mmcUccok.exe

pid	Process
1460	mmcUccok.exe
1460	mmcUccok.exe
1460	mmcUccok.exe
1460	mmcUccok.exe
1460	mmcUccok.exe
1460	mmcUccok.exe
1460	mmcUccok.exe
1460	mmcUccok.exe
1460	mmcUccok.exe
1460	mmcUccok.exe
1460	mmcUccok.exe
1460	mmcUccok.exe
1460	mmcUccok.exe
1460	mmcUccok.exe
1460	mmcUccok.exe
1460	mmcUccok.exe
1460	mmcUccok.exe
1460	mmcUccok.exe
1460	mmcUccok.exe
1460	mmcUccok.exe
1460	mmcUccok.exe
1460	mmcUccok.exe
1460	mmcUccok.exe
1460	mmcUccok.exe
1460	mmcUccok.exe
1460	mmcUccok.exe
1460	mmcUccok.exe
1460	mmcUccok.exe
1460	mmcUccok.exe
1460	mmcUccok.exe
1460	mmcUccok.exe
1460	mmcUccok.exe
1460	mmcUccok.exe
1460	mmcUccok.exe
1460	mmcUccok.exe
1460	mmcUccok.exe
1460	mmcUccok.exe
1460	mmcUccok.exe
1460	mmcUccok.exe
1460	mmcUccok.exe
1460	mmcUccok.exe
1460	mmcUccok.exe
1460	mmcUccok.exe
1460	mmcUccok.exe
1460	mmcUccok.exe
1460	mmcUccok.exe
1460	mmcUccok.exe
1460	mmcUccok.exe
1460	mmcUccok.exe
1460	mmcUccok.exe
1460	mmcUccok.exe
1460	mmcUccok.exe
1460	mmcUccok.exe
1460	mmcUccok.exe
1460	mmcUccok.exe
1460	mmcUccok.exe
1460	mmcUccok.exe
1460	mmcUccok.exe
1460	mmcUccok.exe
1460	mmcUccok.exe
1460	mmcUccok.exe
1460	mmcUccok.exe
1460	mmcUccok.exe
1460	mmcUccok.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.execmd.execmd.exe2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.execmd.execmd.exe2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.execmd.exe

description	pid	Process	procid_target
PID 3964 wrote to memory of 4544	3964	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe	83
PID 3964 wrote to memory of 4544	3964	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe	83
PID 3964 wrote to memory of 4544	3964	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe	83
PID 3964 wrote to memory of 1460	3964	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe	84
PID 3964 wrote to memory of 1460	3964	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe	84
PID 3964 wrote to memory of 1460	3964	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe	84
PID 3964 wrote to memory of 1568	3964	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe	85
PID 3964 wrote to memory of 1568	3964	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe	85
PID 3964 wrote to memory of 1568	3964	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe	85
PID 3964 wrote to memory of 2212	3964	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe	87
PID 3964 wrote to memory of 2212	3964	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe	87
PID 3964 wrote to memory of 2212	3964	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe	87
PID 3964 wrote to memory of 3516	3964	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe	88
PID 3964 wrote to memory of 3516	3964	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe	88
PID 3964 wrote to memory of 3516	3964	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe	88
PID 3964 wrote to memory of 1820	3964	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe	89
PID 3964 wrote to memory of 1820	3964	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe	89
PID 3964 wrote to memory of 1820	3964	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe	89
PID 1568 wrote to memory of 2040	1568	cmd.exe	90
PID 1568 wrote to memory of 2040	1568	cmd.exe	90
PID 1568 wrote to memory of 2040	1568	cmd.exe	90
PID 3964 wrote to memory of 3920	3964	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe	91
PID 3964 wrote to memory of 3920	3964	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe	91
PID 3964 wrote to memory of 3920	3964	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe	91
PID 3920 wrote to memory of 2864	3920	cmd.exe	96
PID 3920 wrote to memory of 2864	3920	cmd.exe	96
PID 3920 wrote to memory of 2864	3920	cmd.exe	96
PID 2040 wrote to memory of 5108	2040	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe	97
PID 2040 wrote to memory of 5108	2040	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe	97
PID 2040 wrote to memory of 5108	2040	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe	97
PID 5108 wrote to memory of 264	5108	cmd.exe	99
PID 5108 wrote to memory of 264	5108	cmd.exe	99
PID 5108 wrote to memory of 264	5108	cmd.exe	99
PID 2040 wrote to memory of 1736	2040	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe	100
PID 2040 wrote to memory of 1736	2040	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe	100
PID 2040 wrote to memory of 1736	2040	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe	100
PID 2040 wrote to memory of 3684	2040	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe	101
PID 2040 wrote to memory of 3684	2040	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe	101
PID 2040 wrote to memory of 3684	2040	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe	101
PID 2040 wrote to memory of 696	2040	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe	102
PID 2040 wrote to memory of 696	2040	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe	102
PID 2040 wrote to memory of 696	2040	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe	102
PID 2040 wrote to memory of 3360	2040	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe	103
PID 2040 wrote to memory of 3360	2040	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe	103
PID 2040 wrote to memory of 3360	2040	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe	103
PID 3360 wrote to memory of 208	3360	cmd.exe	108
PID 3360 wrote to memory of 208	3360	cmd.exe	108
PID 3360 wrote to memory of 208	3360	cmd.exe	108
PID 264 wrote to memory of 2460	264	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe	109
PID 264 wrote to memory of 2460	264	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe	109
PID 264 wrote to memory of 2460	264	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe	109
PID 2460 wrote to memory of 3116	2460	cmd.exe	111
PID 2460 wrote to memory of 3116	2460	cmd.exe	111
PID 2460 wrote to memory of 3116	2460	cmd.exe	111
PID 264 wrote to memory of 3404	264	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe	112
PID 264 wrote to memory of 3404	264	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe	112
PID 264 wrote to memory of 3404	264	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe	112
PID 264 wrote to memory of 8	264	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe	113
PID 264 wrote to memory of 8	264	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe	113
PID 264 wrote to memory of 8	264	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe	113
PID 264 wrote to memory of 5028	264	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe	114
PID 264 wrote to memory of 5028	264	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe	114
PID 264 wrote to memory of 5028	264	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe	114
PID 264 wrote to memory of 4728	264	2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe	115

C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3964
- C:\Users\Admin\BggwgYoU\EgUEQgkM.exe
  "C:\Users\Admin\BggwgYoU\EgUEQgkM.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4544
- C:\ProgramData\ZmkIkwwQ\mmcUccok.exe
  "C:\ProgramData\ZmkIkwwQ\mmcUccok.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:1460
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1568
- - C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
    C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2040
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5108
    - - C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:264
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2460
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        8⤵
        
        PID:4024
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        10⤵
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        11⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        12⤵
        
        PID:4552
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        13⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        14⤵
        
        PID:320
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        16⤵
        
        PID:3976
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        18⤵
        
        PID:812
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        20⤵
        
        PID:2004
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        22⤵
        
        PID:3724
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        24⤵
        
        PID:4588
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        25⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        26⤵
        System Location Discovery: System Language Discovery
        
        PID:4624
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        28⤵
        
        PID:1936
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        30⤵
        
        PID:2188
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        32⤵
        
        PID:1940
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        33⤵
        
        PID:3408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        34⤵
        
        PID:32
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        35⤵
        System Location Discovery: System Language Discovery
        
        PID:2448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        36⤵
        
        PID:4468
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        37⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        38⤵
        
        PID:2836
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        39⤵
        
        PID:3360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        40⤵
        
        PID:1400
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        41⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        42⤵
        
        PID:1468
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        43⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        44⤵
        
        PID:2244
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        45⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        46⤵
        
        PID:1216
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        47⤵
        
        PID:2448
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        47⤵
        
        PID:3516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        48⤵
        
        PID:3868
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        49⤵
        
        PID:3144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        50⤵
        
        PID:4144
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        51⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        52⤵
        
        PID:3700
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        53⤵
        System Location Discovery: System Language Discovery
        
        PID:1504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        54⤵
        
        PID:640
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        55⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        56⤵
        
        PID:3636
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        57⤵
        System Location Discovery: System Language Discovery
        
        PID:548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        58⤵
        
        PID:4436
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        59⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        60⤵
        
        PID:664
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        61⤵
        
        PID:3308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        62⤵
        
        PID:1108
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        63⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        64⤵
        
        PID:1468
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        65⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        66⤵
        
        PID:392
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        67⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        68⤵
        
        PID:1132
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        69⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        70⤵
        
        PID:1952
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        71⤵
        
        PID:4188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        72⤵
        
        PID:4044
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        73⤵
        
        PID:1108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        74⤵
        System Location Discovery: System Language Discovery
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        75⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        76⤵
        
        PID:4624
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        77⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        78⤵
        
        PID:3708
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        79⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        80⤵
        
        PID:2180
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        81⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        82⤵
        
        PID:4996
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        83⤵
        
        PID:3676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        84⤵
        
        PID:2004
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        85⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        86⤵
        
        PID:1300
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        87⤵
        
        PID:696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        88⤵
        
        PID:2036
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        89⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        90⤵
        
        PID:516
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        91⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        92⤵
        
        PID:4144
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        93⤵
        System Location Discovery: System Language Discovery
        
        PID:3696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        94⤵
        
        PID:3256
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        95⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        96⤵
        
        PID:4904
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        97⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        98⤵
        
        PID:3128
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        99⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        100⤵
        
        PID:3700
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        101⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        102⤵
        
        PID:3460
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        103⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        104⤵
        
        PID:3696
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        105⤵
        
        PID:3676
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        105⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        106⤵
        
        PID:696
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        107⤵
        
        PID:836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        108⤵
        
        PID:1852
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        109⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        110⤵
        
        PID:332
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        111⤵
        
        PID:2216
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        111⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        112⤵
        
        PID:2724
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        113⤵
        
        PID:3696
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        113⤵
        
        PID:264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        114⤵
        System Location Discovery: System Language Discovery
        
        PID:1108
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        115⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        116⤵
        
        PID:4180
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        117⤵
        
        PID:900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        118⤵
        
        PID:2512
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        119⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        120⤵
        
        PID:4860
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        121⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        122⤵
        
        PID:4988
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        123⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        124⤵
        
        PID:3392
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        125⤵
        System Location Discovery: System Language Discovery
        
        PID:4060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        126⤵
        
        PID:4264
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        127⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        128⤵
        
        PID:3724
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        129⤵
        
        PID:3768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        130⤵
        
        PID:4988
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        131⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        132⤵
        
        PID:5016
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        133⤵
        
        PID:3528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        134⤵
        
        PID:8
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        135⤵
        System Location Discovery: System Language Discovery
        
        PID:3512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        136⤵
        
        PID:1576
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        137⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        138⤵
        
        PID:3676
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        139⤵
        
        PID:664
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        139⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        140⤵
        
        PID:4904
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        141⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        142⤵
        
        PID:4056
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        143⤵
        
        PID:3724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        144⤵
        
        PID:312
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        145⤵
        
        PID:1416
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        145⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        146⤵
        
        PID:2772
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        147⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        148⤵
        
        PID:3460
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        149⤵
        
        PID:4180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        150⤵
        
        PID:3052
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        151⤵
        
        PID:4316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        152⤵
        
        PID:764
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        153⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        154⤵
        
        PID:4964
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        155⤵
        
        PID:3408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        156⤵
        
        PID:1736
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        157⤵
        
        PID:2512
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        157⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        158⤵
        System Location Discovery: System Language Discovery
        
        PID:4344
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        159⤵
        
        PID:3928
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        159⤵
        
        PID:8
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        160⤵
        
        PID:5016
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        161⤵
        
        PID:3724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        162⤵
        
        PID:3624
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        163⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        164⤵
        System Location Discovery: System Language Discovery
        
        PID:4796
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        165⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        166⤵
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        167⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        168⤵
        
        PID:3696
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        169⤵
        
        PID:1616
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        169⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        170⤵
        
        PID:2684
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        171⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        172⤵
        
        PID:2608
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        173⤵
        System Location Discovery: System Language Discovery
        
        PID:1608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        174⤵
        
        PID:4204
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        175⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        176⤵
        System Location Discovery: System Language Discovery
        
        PID:4916
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        177⤵
        
        PID:3292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        178⤵
        
        PID:3512
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        179⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        180⤵
        
        PID:1964
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        181⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock"
        182⤵
        System Location Discovery: System Language Discovery
        
        PID:1968
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        183⤵
        
        PID:3768
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock
        183⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        184⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2080
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        185⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        184⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        184⤵
        Modifies registry key
        
        PID:4872
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        185⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        182⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:1760
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        183⤵
        
        PID:1396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        182⤵
        System Location Discovery: System Language Discovery
        
        PID:4264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        182⤵
        
        PID:3212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RSQEgIko.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        182⤵
        
        PID:4140
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        183⤵
        
        PID:3236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        180⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        180⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        180⤵
        UAC bypass
        
        PID:3040
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        181⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lUowggoc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        180⤵
        
        PID:816
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        181⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        181⤵
        
        PID:1224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        178⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3964
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        179⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        178⤵
        
        PID:4356
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        179⤵
        
        PID:1148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        178⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KUIosgco.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        178⤵
        
        PID:4300
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        179⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        179⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        176⤵
        Modifies registry key
        
        PID:3576
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        177⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        176⤵
        Modifies registry key
        
        PID:1864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        176⤵
        UAC bypass
        
        PID:2728
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        177⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sYMUoEwo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        176⤵
        
        PID:920
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        177⤵
        System Location Discovery: System Language Discovery
        
        PID:2932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        174⤵
        System Location Discovery: System Language Discovery
        
        PID:4216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        174⤵
        
        PID:4972
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        175⤵
        
        PID:3288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        174⤵
        UAC bypass
        
        PID:4312
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        175⤵
        
        PID:3408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UWgQUEQE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        174⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        175⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        172⤵
        Modifies registry key
        
        PID:1760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        172⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        172⤵
        UAC bypass
        
        PID:3784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iSwwIAIg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        172⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        173⤵
        
        PID:4056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        170⤵
        Modifies visibility of file extensions in Explorer
        
        PID:264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        170⤵
        
        PID:392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        170⤵
        UAC bypass
        
        PID:1556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VgAAgkIU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        170⤵
        
        PID:2364
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        171⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        171⤵
        
        PID:636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        168⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        168⤵
        
        PID:836
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        169⤵
        
        PID:900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        168⤵
        
        PID:4392
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        169⤵
        
        PID:4252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VeYAsAQY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        168⤵
        System Location Discovery: System Language Discovery
        
        PID:3296
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        169⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        166⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        166⤵
        System Location Discovery: System Language Discovery
        
        PID:208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        166⤵
        UAC bypass
        Modifies registry key
        
        PID:4968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NyQUkssg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        166⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        167⤵
        
        PID:4612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        164⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1456
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        165⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        164⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        164⤵
        UAC bypass
        
        PID:564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GMUYIMgo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        164⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        165⤵
        
        PID:320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        162⤵
        Modifies registry key
        
        PID:3040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        162⤵
        System Location Discovery: System Language Discovery
        
        PID:764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        162⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OWwUQEIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        162⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        163⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        160⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2012
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        161⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        160⤵
        
        PID:2088
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        161⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        160⤵
        
        PID:4112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QOowwEcA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        160⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        161⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        158⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        158⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        158⤵
        Modifies registry key
        
        PID:836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WuYMswQU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        158⤵
        
        PID:3516
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        159⤵
        
        PID:4252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        156⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        156⤵
        
        PID:2464
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        157⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        156⤵
        UAC bypass
        
        PID:4860
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        157⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dmQUckgw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        156⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        157⤵
        System Location Discovery: System Language Discovery
        
        PID:208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        154⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4360
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        155⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        154⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        154⤵
        UAC bypass
        
        PID:1400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZSUAcQUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        154⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        155⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        152⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        152⤵
        
        PID:368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        152⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bsoMUAUI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        152⤵
        
        PID:4324
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        153⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        153⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        150⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3288
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        151⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        150⤵
        
        PID:3148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        150⤵
        UAC bypass
        
        PID:3528
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        151⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UsAUYAgA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        150⤵
        
        PID:3296
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        151⤵
        System Location Discovery: System Language Discovery
        
        PID:2036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        148⤵
        System Location Discovery: System Language Discovery
        
        PID:2576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        148⤵
        Modifies registry key
        
        PID:2980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        148⤵
        UAC bypass
        
        PID:2456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cskwUAgM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        148⤵
        
        PID:4464
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        149⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        149⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        146⤵
        
        PID:3356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        146⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        146⤵
        UAC bypass
        
        PID:4916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CoMAwUoE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        146⤵
        
        PID:1504
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        147⤵
        
        PID:516
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        147⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        144⤵
        
        PID:1148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        144⤵
        
        PID:1640
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        145⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        144⤵
        
        PID:4200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hGIAQwEY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        144⤵
        
        PID:4860
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        145⤵
        
        PID:4768
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        145⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        142⤵
        Modifies registry key
        
        PID:1052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        142⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        142⤵
        UAC bypass
        Modifies registry key
        
        PID:4180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HcwUwEIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        142⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        143⤵
        
        PID:3364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        140⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        140⤵
        Modifies registry key
        
        PID:3636
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        141⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        140⤵
        UAC bypass
        
        PID:4176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OqkYEkcE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        140⤵
        
        PID:3236
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        141⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        138⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        138⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        138⤵
        UAC bypass
        
        PID:3108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YKowoEcc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        138⤵
        
        PID:1844
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        139⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        139⤵
        
        PID:224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        136⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:3600
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        137⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        136⤵
        
        PID:4772
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        137⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        136⤵
        UAC bypass
        Modifies registry key
        
        PID:392
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        137⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WggwEEsA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        136⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        137⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        134⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        134⤵
        
        PID:1032
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        135⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        134⤵
        UAC bypass
        
        PID:4612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\beoocIwg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        134⤵
        System Location Discovery: System Language Discovery
        
        PID:4360
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        135⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        135⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        132⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        132⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        132⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XQgkwEEM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        132⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        133⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        Modifies visibility of file extensions in Explorer
        
        PID:696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        UAC bypass
        Modifies registry key
        
        PID:4628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TYMoAccg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        130⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        131⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        UAC bypass
        Modifies registry key
        
        PID:2288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\smoQYsYg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        128⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        129⤵
        
        PID:4216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QwMgMcEs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        126⤵
        System Location Discovery: System Language Discovery
        
        PID:2808
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        Modifies visibility of file extensions in Explorer
        
        PID:700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        Modifies registry key
        
        PID:3292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        UAC bypass
        
        PID:1940
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        125⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gCwkMcgo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        124⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        System Location Discovery: System Language Discovery
        
        PID:3356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        Modifies registry key
        
        PID:4616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        
        PID:1396
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        123⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        System Location Discovery: System Language Discovery
        
        PID:4440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xSkgIYEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        122⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        
        PID:4484
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        121⤵
        
        PID:1324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2536
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        121⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DCEAYkAI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        120⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        Modifies visibility of file extensions in Explorer
        
        PID:952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        System Location Discovery: System Language Discovery
        
        PID:4612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TIMEscQE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        118⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LAoUgwgM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        116⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        System Location Discovery: System Language Discovery
        
        PID:2868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        Modifies visibility of file extensions in Explorer
        
        PID:664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        Modifies registry key
        
        PID:4996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IesUQggY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        114⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:4216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        
        PID:3156
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        113⤵
        
        PID:368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        UAC bypass
        
        PID:3256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mIEIcwwE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        112⤵
        System Location Discovery: System Language Discovery
        
        PID:1604
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        113⤵
        
        PID:4676
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        
        PID:4144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        UAC bypass
        Modifies registry key
        
        PID:4324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NAkYkMEQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        110⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:4768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        
        PID:4124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        
        PID:516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        Modifies registry key
        
        PID:1932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DCEAQIMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        108⤵
        
        PID:2636
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        109⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:1324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:952
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        107⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:4676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dgkcYoog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        106⤵
        
        PID:3344
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        107⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        UAC bypass
        
        PID:1548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VegkEsAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        104⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        UAC bypass
        
        PID:4264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MiMAAEoQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        102⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        
        PID:4856
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        101⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        UAC bypass
        
        PID:2868
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        101⤵
        
        PID:1216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sqAkoQII.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        100⤵
        System Location Discovery: System Language Discovery
        
        PID:4252
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wmQkcssU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        98⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:2972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        
        PID:564
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        97⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        Modifies registry key
        
        PID:1768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YCYUUQgM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        96⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        
        PID:4768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PakwQoIs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        94⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        System Location Discovery: System Language Discovery
        
        PID:4360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        Modifies registry key
        
        PID:816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        Modifies registry key
        
        PID:2636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\noskEMIQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        92⤵
        
        PID:4900
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        93⤵
        
        PID:4132
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        
        PID:368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        UAC bypass
        
        PID:1628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PmAUcIoY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        90⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:3376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        UAC bypass
        Modifies registry key
        
        PID:2972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CuggYAgE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        88⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:8
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        UAC bypass
        
        PID:1316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aYwYoUEM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        86⤵
        
        PID:1216
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        Modifies registry key
        
        PID:1872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        UAC bypass
        
        PID:4768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\awIEoYIY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        84⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        Modifies registry key
        
        PID:3928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        UAC bypass
        Modifies registry key
        
        PID:4924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VGgIYwIk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        82⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:4132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\puYcEYwk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        80⤵
        
        PID:5040
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        81⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:3692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        
        PID:776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        UAC bypass
        
        PID:3384
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        79⤵
        
        PID:1360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSYwsoUQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        78⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        
        PID:4832
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        77⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VqoAEIgs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        76⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:3776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        System Location Discovery: System Language Discovery
        
        PID:4992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        
        PID:3724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        UAC bypass
        Modifies registry key
        
        PID:2616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qEIcUcIg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        74⤵
        System Location Discovery: System Language Discovery
        
        PID:4784
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:3684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:1560
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        73⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:4404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eegQYIMw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        72⤵
        
        PID:4252
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        UAC bypass
        
        PID:4216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JaUEMwII.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        70⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        System Location Discovery: System Language Discovery
        
        PID:1416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        System Location Discovery: System Language Discovery
        
        PID:1616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        UAC bypass
        Modifies registry key
        
        PID:3660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DkwcQIgQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        68⤵
        
        PID:3472
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:1360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        Modifies registry key
        
        PID:4604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        Modifies registry key
        
        PID:840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        UAC bypass
        Modifies registry key
        
        PID:640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xggQMsYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        66⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        Modifies registry key
        
        PID:4992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:4528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kYMYcYos.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        64⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        UAC bypass
        
        PID:2400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CYMUAYgo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        62⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:3624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        
        PID:3868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SYcIoQwg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        60⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        
        PID:4928
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        59⤵
        
        PID:4552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        UAC bypass
        
        PID:3484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jgoEEwcA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        58⤵
        
        PID:564
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        Modifies registry key
        
        PID:4296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:4968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JQUwcwQY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        56⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:4992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        UAC bypass
        Modifies registry key
        
        PID:4312
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        55⤵
        
        PID:816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bIUQMIEY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        54⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:3616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        UAC bypass
        Modifies registry key
        
        PID:2160
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        53⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OCYMUUMM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        52⤵
        System Location Discovery: System Language Discovery
        
        PID:1400
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        Modifies registry key
        
        PID:4680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        UAC bypass
        Modifies registry key
        
        PID:3308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GQkcUgwo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        50⤵
        
        PID:408
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        
        PID:4552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        Modifies registry key
        
        PID:4468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kGgoEAgE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        48⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:4052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies registry key
        
        PID:3916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        System Location Discovery: System Language Discovery
        
        PID:4904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        UAC bypass
        
        PID:4764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fUkcIEkY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        46⤵
        System Location Discovery: System Language Discovery
        
        PID:32
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        Modifies visibility of file extensions in Explorer
        
        PID:816
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        45⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RSYskoEE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        44⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        System Location Discovery: System Language Discovery
        
        PID:4924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        UAC bypass
        Modifies registry key
        
        PID:1472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rQUAAAUw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        42⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:3408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:4388
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        41⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        UAC bypass
        
        PID:3376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GUwYsgIE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        40⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        System Location Discovery: System Language Discovery
        
        PID:4084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        UAC bypass
        
        PID:2456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gsUMQEMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        38⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:3776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        Modifies visibility of file extensions in Explorer
        
        PID:392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        UAC bypass
        Modifies registry key
        
        PID:4180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gqscIYUs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        36⤵
        System Location Discovery: System Language Discovery
        
        PID:4140
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:8
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        UAC bypass
        
        PID:4592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mgEIsUoM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        34⤵
        
        PID:4528
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        System Location Discovery: System Language Discovery
        
        PID:4508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        UAC bypass
        
        PID:1768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dGMwsAIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        32⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        System Location Discovery: System Language Discovery
        
        PID:1628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TggkgIME.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        30⤵
        
        PID:920
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        UAC bypass
        
        PID:1824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JIoYcUUs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        28⤵
        
        PID:4052
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:3260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        
        PID:312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YUEYEUok.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        26⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:3916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:4264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        Modifies registry key
        
        PID:1964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        UAC bypass
        
        PID:3676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OYQcgkAE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        24⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:3356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        UAC bypass
        Modifies registry key
        
        PID:4392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AOsQkcIc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        22⤵
        
        PID:368
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies registry key
        
        PID:4548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        UAC bypass
        
        PID:2248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NmIAEcoE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        20⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        UAC bypass
        
        PID:4756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HeYgwkkw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:2228
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:3864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:1324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        UAC bypass
        
        PID:1624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vEMsYksU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        16⤵
        
        PID:4052
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:3460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rGYgYQYA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        14⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        UAC bypass
        
        PID:4252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AqAYssMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        12⤵
        
        PID:4292
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        
        PID:4368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oEAUMIEA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        10⤵
        
        PID:4180
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        
        PID:4864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WEgIsowo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        8⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:4880
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3404
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:8
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        
        PID:5028
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PEccYgQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
        6⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:3040
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:1736
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:3684
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      Modifies registry key
      PID:696
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RuwcgEAU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3360
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:208
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:2212
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:3516
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  - System Location Discovery: System Language Discovery
  PID:1820
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JYUUkEgA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3920
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:2864

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:1364

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:4828

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe

Filesize
152KB

MD5
dd1b26dbc528c46826dfe4074ceb44a9

SHA1
8a5b11a097120d3043bc8f812d17ffe448fbf02f

SHA256
d77e7da4fa73f6d18cc005ff33d630fb104b370ab1618789b2e721e28b5bbffa

SHA512
9db305bd46ef11051d8550cf9577c0c93253c4bf610b5c8009451f9e3e3cb0a3c56d24f46a05ab2c42a80f082b0dde1634e6a3a5c26765ab4c304f208e84ba6e

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe

Filesize
138KB

MD5
0857ed7c5b788c6984ddbc0534226a2c

SHA1
05c97dc54e5aaec6c84d4298665292b0bc46c7b5

SHA256
8ca877b23c5328cfb01bc74b278c87086c2d7d2e75d0efde22300382e6d039de

SHA512
ece05cf952ace426756a6ea13418ca5fdd253c371c9ec37b5ca2221d3ef21d6c145ae00689b59716027943dbf816d5059c1a422c7220df32853016ab3992734c

Download Submit
C:\ProgramData\ZmkIkwwQ\mmcUccok.exe

Filesize
109KB

MD5
e93c3905a6817ec2b0cf9a2f7a05fbb7

SHA1
7d36dcc7ff16f1608ba46e12d9d50811dbb63aba

SHA256
4d47fcce6d442c9cd386e1bfb0a31f99520e5c043f80d8fec0814681d0f1bb1a

SHA512
7019f0ea8c24ec1bdca91d315f94286f8fa239bcf1ed0f05cf77901dc43f7c7dfdda997ae6db5c35e7a285a21b47c48bf5c30ac2416dd64d7844ea98de1f3f09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-200.png.exe

Filesize
110KB

MD5
1b37cef0ee421695a97d2caf8579d642

SHA1
a3b9d9e5dfad35f57d10873547a25503e1ec2c6c

SHA256
7febd61d59735102f4d3b2a1e5e4b3ee77042ad57971b84dcb1fc342bdcd3d24

SHA512
543e9e8f297e1d7810cfcc5b9681770ce431284c2ea633311fc171495f96e0ac68283486d75cac5bd1acae42bbffdf90ee2992212dc815865bfc208d677480bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-100.png.exe

Filesize
112KB

MD5
bab2d895afc5942458f62d2fd080e4e1

SHA1
d9faa7440df00d65182b70c03b07ee5422a4d126

SHA256
4ad7ddba5a6b15f9ce22d66da1cb6ee0d868c0053393edf73e0754ccffc9689f

SHA512
07f80095ccc9c83c5536ffc6dddb5a93c2a8d72b601b0edca42eca8912edccf4c6dee26acffd777f60ebe0903805031dc1c4b50595e6a0f2a0112fd836e3145e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-white_scale-150.png.exe

Filesize
112KB

MD5
7f91cc69be6351618f166e8afe734492

SHA1
f5989e3dc8f2d7534b67a110c284020426ca41a4

SHA256
dddf259ce759e9971721cae2d6cabe04fe406cd31cc3f559d14a3336bf0f1d48

SHA512
269c75bae59c0cdd79a482286d52f388689b0e8fc4e0f90b0fdefb6df8b05182d5370533794b5aa30088bb00bc9de93b097c45028876a9598cbccc161dc159d6

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\38975140460\tinytile.png.exe

Filesize
110KB

MD5
5da86af68ac334053e006c57577495a6

SHA1
120e01a83c3097c2cbf0fc8c1627fa2875bd5718

SHA256
dd7e6b01d855598717949c8fe250f1ce74ee4a0657f98f964793fd1a1c4c4206

SHA512
172a5dce0b954d4cf2a1d0b20a7bd8f67d0b9af395cc2be930f82bb30e71d17b5daa15c52b0d2a0f7047d67dd2de8d72503758f71fab4a172b3ddc3b5fc87717

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\6501008900\tinytile.png.exe

Filesize
111KB

MD5
1c4711667ceafa9e90d138fc5563084a

SHA1
e7ea47ce2f21122779f9ab9e6dedda26e46d1910

SHA256
41658f9254e88572a2c9b8137b75052dd54a421b36bfe6fa66cf7f7992bd51a5

SHA512
091357ae8f11d7d70510236d1c4baf7ab9615094f39f88da3c553133f1a6ce8bd436a6b1792f7411d4d610cdeb3f7c626fdc7c4bf84fa624a66cb2d0cb6ec708

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-11-21_5c96825d8cd6c41c6d564ffdf7d1675b_virlock

Filesize
126KB

MD5
9adaf3a844ce0ce36bfed07fa2d7ef66

SHA1
3a804355d5062a6d2ed9653d66e9e4aebaf90bc0

SHA256
d3e8d47e8c1622ec10adef672ca7a8992748c4f0a4e75f877462e7e661069698

SHA512
e6988737153a0996b14e6baa45e8010ff46714fe7679d05a2676cc18e1c653e99227e7507cdae4f2b6a99b3c31478630e7e1ae13d0f7c12525406d8cf9867ca5

Download Submit
C:\Users\Admin\AppData\Local\Temp\AEME.exe

Filesize
745KB

MD5
4a98aacb6bf205cffeacba89a0e8af84

SHA1
241e3709aafeeaaadfff82a53784a7e9826dc187

SHA256
56b5ee27ffd624c945a9afc9811d77d50a8b58710f287c75aeb5656fc0a016c1

SHA512
5234ab46c3e6f5509e25abaceb2e6dead9151dc58619598f81f383915dc299fb7204adf33dc603617b6d2efc0abdc6ca1784fc945a34e958d1a28204b712af25

Download Submit
C:\Users\Admin\AppData\Local\Temp\AQkU.exe

Filesize
5.8MB

MD5
d750c454d4d1a36989aad6f27577734c

SHA1
1fb548a4326482ea12a51c8c89d3d065d98a8fff

SHA256
f20d281bb4b76a9a317efae4c2fab6aaad60efef1a13816759278566fa51c2a7

SHA512
6ea06f00771b8ba00a2cabb502aa367ac94f1adbfd52c66703716e2f735cbc3f8b3a483ad1a4b5c1769aaa334ed08ed4677de3c8ef1ade90b92325b55337c5a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\AcEI.exe

Filesize
110KB

MD5
919e106d6c9925138979e131981508c9

SHA1
a0f2975c30a8cb3975afa66504510851d18a48de

SHA256
4181e5de78335142ae6466352bf28ae0cbec4a88ec478de9c7203e497350ca49

SHA512
a89c369539c0ffb1badf55c6149e15f13bba0b7be5c08ca94e460acaee112da635e2f9374d1b060b77d42f12cb9489a3633081ea457a19415bff0f6cb8de913c

Download Submit
C:\Users\Admin\AppData\Local\Temp\AswU.exe

Filesize
109KB

MD5
82c557ffb95a312fb1814585bffa6d92

SHA1
87ebbef7621505a9c536a3f23210cda48458d16f

SHA256
a9e82dd8fadf75f5fcd6ab7b4552593dbe643b708b6ca0d9a986340ee129e198

SHA512
4a2836131d963037152c654b3ea4980557b8fd5f6c940ec38127a8cf8667b8387902c435068e2217fa3738c6f3dea7b88d5f909f619f5bf2a302845829538c01

Download Submit
C:\Users\Admin\AppData\Local\Temp\CAIO.exe

Filesize
111KB

MD5
dca4eecc7451409113130049a040143b

SHA1
f74a7eaf347a4379fed9b34082ac8d218df1a97e

SHA256
43f5965829066128de87e0a595fc573b36bba573bbae7bb9c9881b9f38067983

SHA512
143a940eb5edb471baceae20f2a141b5d0f04f34a73847dc40a2262e9a58d83e723e7b638b22723584e78573f284af6c63f55afed497e19f0daa88ce9ef0a052

Download Submit
C:\Users\Admin\AppData\Local\Temp\CQgC.exe

Filesize
111KB

MD5
808a6e01ca955b2f288666cefb3a3d3c

SHA1
ae544a534f7f94366ec5bf32207c4cf911eddfe4

SHA256
55e5e79e1cf566da9a6c1dbf1ad88814d92c6279ab237a5137aa02197ea6d7c0

SHA512
e6602586293deccfda2e39b4e8eb633f35c64f215046c5e1f0a702ae9109825d17ef65b337256a92796c3b14d0058aa36aeb9317d32e9f291cb6c748eb5cfe28

Download Submit
C:\Users\Admin\AppData\Local\Temp\EEoC.exe

Filesize
5.8MB

MD5
1c541dd938b26567937202d1b6ce1b1c

SHA1
7b3eeae10b67f987502ab3445f6d3222beedf1c2

SHA256
8105fe74a63fef8600b3bd0c51e1918ce05eb8f5e3a57112ce437971c7560eb6

SHA512
cc0b3ed2b0700d1dceaa3b341e7fabb3e0482c50dc2e559c4208070022374302157a2c4c467442630d74f8f498c5930d71a5a6286312ee152320775c6aee35f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\EMEm.exe

Filesize
112KB

MD5
c3bdba753d9f20c08775a7ab51df29df

SHA1
db886aa3cbfe35395d545ae5cb17e0efc06a65bb

SHA256
e65c3f1e1dc0b6fc8f337951d038715f3105530deb7692970ebe6897af820a99

SHA512
5c741e1a0ef07ee6213207e7b0f1be856a9354ef42a8623ed8ce5cdf74f36c087b71c360b602f1cb1d7ca4af411124973b8da2bec68e047c020a96586842d4a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\EYoY.ico

Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\EwsU.exe

Filesize
117KB

MD5
508609ea7b2492bbd6286510867729e5

SHA1
f8323dbd3164455ba92e94699adf9dd68e3eed41

SHA256
5052b5814288fa6a8eb79a5af52eda622e6fa68df52eb700a1a6a81188e13408

SHA512
4c2415f464c822d589fa7c0dd0b1edacc7ac239a9601fe789056882e247b497dad52278331d03b25947b774dedcd2a4e655809d3a71d3a47c4e922d5b546fd66

Download Submit
C:\Users\Admin\AppData\Local\Temp\GIYm.exe

Filesize
125KB

MD5
59b7d697a4435cff976e544c6befa646

SHA1
569a37b3e90a9e475342af8b3e54cf3a53e2597e

SHA256
52b7c918c9ee094a3cae64244fe1b95a91ee71122a8de2aabb1f6a977608df7e

SHA512
0dd8cb1ed4600b7a946f866c07c363448ee0478c928de78ad2c496539afcba23160c86fcda3297562e4e776e6dcad209b5885f3b4b6aa7415142d33963fcde07

Download Submit
C:\Users\Admin\AppData\Local\Temp\GMcQ.exe

Filesize
725KB

MD5
8fcb0e4ad31623ce7c3d52c481954f2c

SHA1
ba4e95c81779410a3327b83437d4d935247d0445

SHA256
8e851816840f4974aa4191afffc4c3d438ec5188a1293fecdbd3775e9b3354dc

SHA512
5bf20fba9d6365813acc0b3bed86329210f1069dcfc8963f11d385f7abf06b7ecdbd1cc3dfe52d2a45e74ffd583491696aec0108209f7cd92a69850fd3eea8d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\GQIs.exe

Filesize
739KB

MD5
571dee20a6be72f152f6948044eecf8d

SHA1
50cef206ab23711e80c5eb768786c9b852223846

SHA256
e20926922cb9e9346c860b5301b0b08dabc25ca85420054e42ac2cef12d24100

SHA512
115f424738f52f703217388df93cf89be184cd1db6e6e050055f3a79648370176c9c6f65d86a50d135272778285f563a4a494251306706d0687119ce47e19131

Download Submit
C:\Users\Admin\AppData\Local\Temp\GgMg.exe

Filesize
139KB

MD5
f1cb7fdc760552d0b2cdc9f63643f5cc

SHA1
2263a1da53e30395ecd608e8cff296effdb91ac1

SHA256
2be5a7e0e06bd7355091ee25b05d69ae0ef14eb4b360f86f3eeffe0f1d7c6285

SHA512
9053c8fe17ff043893617bddcacdba55a4d08bbd35db4baadbdff797b003c9628a6fc21f1d2abd5acc7ebf62cf0a024ead19072f04b317da971dd4e86e3b07eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IIgK.exe

Filesize
699KB

MD5
4ca4ed33739145c7b293aebe743eaa2a

SHA1
5927d793241426145ca87cfba78e682a8f5160f9

SHA256
a2d5b204f78c61fe43ad8d57dead962a4543d64e0c79e1037e960441369a85b1

SHA512
f99788c08e84e771e7cc762aaa749c3ead0aedd2a46fa2b5ec3cfe4ff9367c60ebfb3ca7b3b6f147563443c2eca4f0235eda6951c1e1a47af53922f5ad8ce6f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IQQm.exe

Filesize
121KB

MD5
1ac1a05fad3bc53bdac82a3561b9d4b5

SHA1
66ad68676ed058248833ce0c848eeed82f9ccb72

SHA256
c4a16f0a5236f2478c4676084dcb96cf3ac4f9a6623847d0d10eaa0b52373fc2

SHA512
12b715efc148508f629e7885a315fa238595726e0cce5a1c596ecc40175e81f08c26cb5133f1f0f010b125c0dd9d603950ce4da23eb2eddee9e17acdf3e85352

Download Submit
C:\Users\Admin\AppData\Local\Temp\JYUUkEgA.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\KcYI.exe

Filesize
153KB

MD5
d032442549a97add85afecbeb6a0f542

SHA1
23e0bb850d39afef8e325c03f55e4e94b1e135b7

SHA256
ec633bd2188c6544370bbfef405e1fe0c867a9de30b072dad1db7918a08185b0

SHA512
5f58c0030d46ea11a2f51c829080422c173bb55469bf97e1bc3fde245972f0d922fee82707933c285eb9d541828a0e4ba9117410bbe2bd02db2dfb06c224fe2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kcwk.exe

Filesize
134KB

MD5
ba05bbbebbd7bb07c82842625474839a

SHA1
a6aa848995ec659e0c35d04586ce633a2879f212

SHA256
2dd4c60ed57d2922f5afd2d2d05a18b0e72b505ec705da18b072d0004e4cc2e0

SHA512
e0dce819be3122df1261815710e35e5990946979849a0e5e91f98c44c7d66f46da0604347f030c0641c45d2190724884e8ad7aa127b3c7db653c326e4f2e66b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kgok.ico

Filesize
4KB

MD5
d07076334c046eb9c4fdf5ec067b2f99

SHA1
5d411403fed6aec47f892c4eaa1bafcde56c4ea9

SHA256
a3bab202df49acbe84fbe663b6403ed3a44f5fc963fd99081e3f769db6cecc86

SHA512
2315de6a3b973fdf0c4b4e88217cc5df6efac0c672525ea96d64abf1e6ea22d7f27a89828863c1546eec999e04c80c4177b440ad0505b218092c40cee0e2f2bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\KwUg.exe

Filesize
118KB

MD5
3b30c57854832855701c379d0a0f22e3

SHA1
f175218170a6d22c046d2463f3279b5baace0dce

SHA256
e3a1395518e04e1092c464b4dfe2f365bef4b8f0289fb1c13ed00a2e1607412f

SHA512
672d92b0a4f0e94aa5a413fee288b56c105d5ff5ab4abbce08f1b2886e2882ab5fdf274f6fa5730dc90d188b8b48ac21d46d127ea9a443a5d645e4f7332523ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\MkEY.exe

Filesize
120KB

MD5
eadf2092f82f8fff6443fa4c760a49b1

SHA1
6310c447539fec6bc0398ecf80363ddb5706921f

SHA256
4d11ad641972860da18669f73b35cbe04cb8eef1a4830839b2db55ee1676e365

SHA512
42cc7556424e2cc8f2398395d7833c3938e9bb5df0e3e692272e7ccd6b6a6f212e972934f904d038827afaa24350dfd6c7d3b757840ecfd8bcf03d54f6e91f86

Download Submit
C:\Users\Admin\AppData\Local\Temp\MsEo.exe

Filesize
310KB

MD5
f3f0a3884a7c30be7bdf4174e1980724

SHA1
b845f6d69a058a5d4ac3356ef16f3a8ef5245406

SHA256
c3012586dd7010dbce9d19f157c03fc635b2a5addbf1c92e3e863df30a117829

SHA512
74b2d9bff767f6ede5ef137f5a3de7923ddbf4aa880f94cb4495cab86ded58852a6f90f0db3951b410bb22868ca92b7eb84b6fd6a9814102633add06567deaa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\OEkc.exe

Filesize
112KB

MD5
d2eb189ef8c65f2492c9612917ea7b60

SHA1
b6aeb999262afe50e4869c01c0704de4edf284db

SHA256
f0e90c7756938b8d6f174f0f15e4e8330771a57d75c349b219b40a4dfdd1b31f

SHA512
a1a2929b51fb131c1bccb831341958a986e6af37774c6cc5d779c0f474b0e00fcda9fd3a2d2297ad0baf0bb6dceb9da1017ca5b86cb8b610a68ab7fde49b05ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\OIQW.exe

Filesize
113KB

MD5
4fbfde980acd0e1d1fd807bd13fe1f2c

SHA1
09b652823a71cefa8df3df97cd220b4318d94c94

SHA256
18add0b2927cc08706657542bbfb5b2dd570e9c022be131e5dd05dcd7ee399b6

SHA512
44bd9d909f01736566269f7656b843d318967f87ce8eb03e06a9a9eb1ea9890e798a9b1ae6705942ccba04bb8c67b659600e3ac253af7de64b7222f6e6022868

Download Submit
C:\Users\Admin\AppData\Local\Temp\OswO.exe

Filesize
118KB

MD5
5f401bb4a959a117bfdff62c6b65699e

SHA1
fe98277b82a18b135e6ac6bee98c8057a2473cfa

SHA256
4ae813c8f440eb8a6a8e6ebb0759557cbc4cf974e9c289eecc7fbc9251da3a57

SHA512
76db3d48003a92b00820722ddbcd8daa9683a3482dacf96e32fa972e37fcd804996b1cc13f6db8901783545a563cd227a3c9091cf26b75cd2f3b50febc10bc85

Download Submit
C:\Users\Admin\AppData\Local\Temp\QIIw.exe

Filesize
111KB

MD5
56174ee8cab5f41d21b29c257726f2be

SHA1
cd4dc934b51999154486b75af2bca8559a7599e8

SHA256
68d7d909474f3cf3a0ec0961db638b5639c8cc75d914c04b46541ce8b7a5327c

SHA512
39a7f80fbbfbdaa2894175dc1f5be3ad4a525e870bbde809778c3d6a4c2e8fe3536c7b810fb476dc6965418489e80b05ca6f913f5d513215ca24fa9bf126a94b

Download Submit
C:\Users\Admin\AppData\Local\Temp\QUsO.exe

Filesize
333KB

MD5
2322c8ddbe041bce1dc0c64bb3d15531

SHA1
760507b9943161b749724bb46bf7f1b3af86cc0c

SHA256
8bf0076936a61efaa6ac0ee2203aae9432b6ca652af12ee89ca870e7e4bb512f

SHA512
7e0fd866180ce343e2eff9e47726c9d75ce50b7ce7a156dad3c3e549b8d0eb6592f3cb9217cde074025449ca072bb731057fccf1957b1042b3f1143a093ac056

Download Submit
C:\Users\Admin\AppData\Local\Temp\QYwU.exe

Filesize
116KB

MD5
b8badcf47e5b741efdcb2ee772011bed

SHA1
c964a9acea044c34840f2915cae8f9be3cf77496

SHA256
69a405893d6b6b85f7261bc1a55321be52854b6a1e8667ef011574f01098c407

SHA512
9060b1d471f5fd48066f537a8d8e1186a5f9e24012e17585159c5586f028f7d8c68cb2fdf798f433adeca2671a2dcf26ff45a7a29441b83e6064b73f245f6d0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qcsw.exe

Filesize
110KB

MD5
6cd9aea03f6378d196cf0ce21aa5d55c

SHA1
cc7b8ab7abc592e98301e66e333384c047b8e0a1

SHA256
4599b70198b6ae608ec58692b7ca3a1b7f895280dab1a6133bd0d6e8425c5106

SHA512
b72e99d86575838a401c3d3ceed4d0979448c49dd980b1c1610ce78229d4401f4059ae35e0969e579cfcafdb47c706ee3b9b11eeb85be8d4651fb03ea7d9a4e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\QgII.exe

Filesize
112KB

MD5
d26644733fd61fedc0630359ddbe2d6c

SHA1
eee1d4a259744b030c9ad0d48139244fa32eb444

SHA256
b8066376571659665768c54020a90fa97075d80a0a6683855ee1f5d2597069d9

SHA512
6f84fb9aa355888644f8fc254ad43932360385946e889d348334dc0032d69365505159800bb0d7551285029ba8a36de0a428e54a233a8954a39816fa4d64c390

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qggq.exe

Filesize
565KB

MD5
f9f401ac4253dfea6471da9a6a8e76c7

SHA1
bcbd20bef97869ab82c22546c5af129c8ddf26ba

SHA256
024f4a45b66a5aad1308f4089d42678c169999bb373e87c531bfc25a9a9f2c22

SHA512
a7750c0abca0a45e9042817474315c899273d37a2636cb94874970f9dac5b1a0b5d3b58edc6e0daf183853d105c20c4e6349ae7977d2ed62944fa916f3e44810

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qgko.exe

Filesize
112KB

MD5
70c80007a25baaace3a5e06cba1bf5b1

SHA1
22681ed2c5e23ef9f45b438024e31bd89f30ac9a

SHA256
ea321a2b1954aa26893aff16106086f29e5aaee8aa3b83d664a4e267b0db91d0

SHA512
e10f272931aa158ad87c872ac8f6fcc5fe6f17c1f5d5e9f0f0a5345da8f4224cd072fa1d2114c85c74bd740e65452be6bc1fd9cc67b7e7507f2115cadd8d7fbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\QgoY.exe

Filesize
115KB

MD5
dfd3b789464367c82a65bc385fe2d4d0

SHA1
4358167afcce1aa0888a1782a1d0dd3b0b3d7489

SHA256
7767ce507609754aa9b8dd30ce673be932d6623add0086735c287b83c48d5a13

SHA512
5f6a3c4cb7242f833d7f590834a2439e24ef0f893bf65850603aa086512a385646e0b579937ff0ce2f4fdf52cfece0e35e1adb277e58927a584da88e427be9c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\QkEw.exe

Filesize
564KB

MD5
3523b83457a59d27e7012b87f761dcaa

SHA1
7ee627d24b0164d25052848ecf5dcfe855a66ec4

SHA256
276a42c94a4d016967545e36988ec373c677042abb828e47e09e3d18b655ce2c

SHA512
0b46523c7a38f586c0fe4aab0adeaca96de6e56064cc6a58c5b745dbbddb06181927ae0ce281d6a4a2481cc89746118e3903d4d2bb01392de90880615b8c06c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\QkYm.exe

Filesize
360KB

MD5
ed20731370150e3533d0f117b8361af8

SHA1
ad25205cedfb47c9ece4405663a3023bbc626ff5

SHA256
f0e451c9fe7637509a200b32874d8c3ac42284a24cb6929325af4750a2270862

SHA512
829ca41aa14a9be947d8e9edb3eb80996ee9ce548e0adb1773cf625892940642598a9673fb141f0c8275c50336a001224b0ab8d016477ccf3670c1df41a293a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\QsAG.exe

Filesize
111KB

MD5
3f17aa394f5a24bb001a9c915f3619c8

SHA1
bbbde68a3d2f6fb3858c017dc96c9d57486d4ea7

SHA256
f07a97bdc419c435bb95d559bd15e1e7a4b635b958eb8265a8c050ccea67e37f

SHA512
334520a71cc597170fc7ecc73e9f90bc13249cbf4675b8973b85aa957abf7bdaafd882e5c68825f8ce1523f769418d711f9421f7758512eb61c962bbd6ba9c3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\SMgm.exe

Filesize
112KB

MD5
1825bfaa27dd6d10ea0cf06f16945bf4

SHA1
42fc4f0d8aace1f2a61ac02b3a1a846628c13f8d

SHA256
447a17b6a48573a6ff520ccc8eb0da9976e6705ee9a8a1df88bc5e791b8c3b5c

SHA512
5534889d121f753bff4d41b95b1a5fac9806752c22deb3baf4049e64c86fa7fe61ec7c8bf5b8ebfbb5c8f247388c36050375eddb0d55921b516a6e37ec0d33a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Scwq.exe

Filesize
111KB

MD5
d659463afa90b1e6ece3cbf19173f989

SHA1
16d660812dc8c4429c4035121a4464f7628c03b5

SHA256
62bdf3f296dfdc34e413597be0f8c6dba0c41d95c5b180cad0f29bf79df748af

SHA512
650378f27d6089a86693490421e02e8fc42b057d07389196dea4f711ad4c6e4fd8b287deceb6a7c027228d14177c4d0911c2f101044c5b430b21e668c2e2be46

Download Submit
C:\Users\Admin\AppData\Local\Temp\SkIu.exe

Filesize
112KB

MD5
e4b737c4cedf9d43acaf81c849286dfa

SHA1
155a82e8af51c8f7bcc3616c663de95bb4fbdb23

SHA256
af353d330b34d8816da942eb73eba065a90eb3bac10fc60b14e6940a82c9f7f1

SHA512
fdce29ddaa5f1ca170844e1fdb2fa68c8b76685108b340a0a4d3d3d3248681d42a63981434f1376f51194121811a3fb06a579eab7684b4ced69e90dbf7d0da57

Download Submit
C:\Users\Admin\AppData\Local\Temp\SkYu.exe

Filesize
112KB

MD5
a5366f0c917ddc416c06e7c068b91af1

SHA1
c70e9b28873e29d7f577add2db9b67d94a61610a

SHA256
b5e68f4b6c9c877f49b264ea8ffd9632e8ff1e00f622e1d68333894b6a78779e

SHA512
53c37eac91a59d44cd1af43d0036f48fc5a71076282d4005965f93b6880280977e0d4353c2bb3aab81f271fa4c4a712a6b56716b58b798f995d9e642d8255673

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sksa.exe

Filesize
111KB

MD5
e9b65e76fca113364a72d42bff7ca583

SHA1
2d7e6861043ada2d87c54ae4dc6484d5f5476c26

SHA256
bda7c6b2bf04766ca01537cef302e62cb8d54d7cb03a9321676eb6fea2c66e74

SHA512
cf40efd7228155c21ab3aaa85be5c4b64d0f252549294468f788238868820388ab67f18130e14742dfcd86863cda15d0c5ba5c7791b7a0e4e207419175f1ad8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\SsUi.exe

Filesize
113KB

MD5
333f46dd093120635023486695821d9a

SHA1
108520ae0109006ecf4adfff69721a142f8c340b

SHA256
ca7e035701e1108497fa66296e380b4992e36e1482a480ccdd4cf18736b4f91d

SHA512
85470479991a5b5628a9702f7ad567ab6c8b9e3d949235f7f2c4814dacb2fc5fd169b409e4b1d278e1acfe838f0dc1debe82c7cdacf8bfcdfbbe0dcf82a32dbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\UEwG.exe

Filesize
238KB

MD5
6ecfb48e4d24e23608f875a91ade6922

SHA1
b86a8c104dd6c21d5258b6be594fdba14b365852

SHA256
bd4c7686663465eac81fb71831ab3c36eaee84b0d4214888727c47c1c5363de3

SHA512
dd1e969e5a2cae6f2ce1a53e6a219da0eb951e069c592c1f47531c1ad9aaef69dae23daa730cf2261cd931bb9bb216e2dd7ba596267f9f8d0e7b4aa451de0da1

Download Submit
C:\Users\Admin\AppData\Local\Temp\UQIU.exe

Filesize
112KB

MD5
7fe0b0bb0ee6bbb6191545f7cb21a9c3

SHA1
785473929e7ba2d1939bb74088981de1c130e0e1

SHA256
9008f3cc24dd4587794468035834296e40ac4fa6444d931c0b2b2d8f74c2b7b0

SHA512
11f0d6715cbfbde34a9e0c15dd097af75fb11204a788a80a81a82ce558ff881a7f892c48d42890cd833f76cd95afa23d26e22fefb6876b65309d9a21cfa3330f

Download Submit
C:\Users\Admin\AppData\Local\Temp\UQUG.exe

Filesize
517KB

MD5
273038f17bd9c8c256adc4857bf985f3

SHA1
d2f9ef5fc2edf3ea79f06e5890f30e023fbcec14

SHA256
e91e6ea71f0387ab33d85c6b6406f178f72209590f478aff9a03ebf498e4daef

SHA512
65a04d3a8917d7ad1472646aa338550f3208159d0aaa8aa327a0bb9a7bfb768205333023d472280d5cf2d5f14ea9b01ab090f823699c5e8f6afe1f19661c185a

Download Submit
C:\Users\Admin\AppData\Local\Temp\UYAK.exe

Filesize
116KB

MD5
473b80f2d58c707c66c48703b2c4f89d

SHA1
5b655ccfb0c84a74be77a83cb1fa54167c087842

SHA256
e82ce31db4f6b0977833f111d559606493611c900389895682d3ba0a1cc04eef

SHA512
92cc18986353d93befee0b63c174429ca2725db0bb87e74bfc75523d509f9564c85d48b7cb33a8312b79bcbc531fd62e74dad8ab09baf61c91818a43f114632f

Download Submit
C:\Users\Admin\AppData\Local\Temp\UYgQ.exe

Filesize
118KB

MD5
20d33494d1119d2f32b084226ac02aca

SHA1
a8699c1c4418b42b1cd5e33f48072d9d1fbeb00c

SHA256
f01ca5e52b6f05265bac943f9c00133155646ebdfe2f3c4444d10ac34da84c10

SHA512
778c5882677ee74c6d8d78e240daa564d7e460cfdf30fc5d7b73a358701aa2ff69b088922d115f7b23c242506fabb0b854f9a09e7afa31307dd93a58b217f7aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\WUsK.exe

Filesize
348KB

MD5
a2395f60a8e13fb95ba1378c7f1ead6c

SHA1
b51cfaec250be87a6f6bdba16b37332c6ce18c2e

SHA256
f92ce5fb77c67a11194cd5cca9d7a1fcfc10a824d801af98bfd984122c1a615a

SHA512
f8d807ee34e785c81137d01ab02612f2cbeb369c77e0030408c08853c3156966331fe7bbbf581767838b6bbdfd1ee98fac2beff707a626ecba798e5a6e6ecd05

Download Submit
C:\Users\Admin\AppData\Local\Temp\WgwK.exe

Filesize
112KB

MD5
dec36466e6517f95cb8ee256ae98c33a

SHA1
2f4bdcc970b16e752d3007e87282df86e74bf898

SHA256
557f5ac6f4847a7a54af5e497717efd50db58ae03162c7bf07f2cf106e5a11f0

SHA512
9358c2df2810701bce1ab9b1ae09b99ff5b4cb225dd7093f509ce829f6d4fdf85c7605b34f813db494fb14b0f656cb4bc353ef8b41d5022204b108fb7dcc3c7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\WocK.exe

Filesize
114KB

MD5
192570629796e1dffc910256cd70ec91

SHA1
4daea86324cc34d576b63f421aa8af008a52e420

SHA256
70028d674a3ba0a21b74f991617570761ce6cec54cd7ab994ceeb79f539904bf

SHA512
8d8f044cd219c24bc1c2a7a23530b17b50c91277ee53dff96afe2b414d5b832ed5fde0c8a11589122cc14428c32ffdea7b4312a3351ce6984cbb109b0b1aaf98

Download Submit
C:\Users\Admin\AppData\Local\Temp\YAII.exe

Filesize
551KB

MD5
6f43f0a098f43e515dd665db4622e9a9

SHA1
0e6cfa53129d72e04ca45d71dfe7cb57ca51487e

SHA256
ec0075b8793e95ea61eed0f3bffb611cfb192805ce41e267a519fc19fe6bcbc8

SHA512
c104b2cfce6111c58542505ee431160d533f58e053f75dd75df2c7b0ff48050788baaa1a09e45c4cf452722a8364a9f91e6d7e68f90776960fbeb4cb6886e823

Download Submit
C:\Users\Admin\AppData\Local\Temp\YQow.exe

Filesize
153KB

MD5
e32d4d00d16823dbced481d425a03642

SHA1
ff0989213eb4adf02cd7319778165f173e79c88e

SHA256
34e1e4f5c83a957d82fd7e2964da08942f87bcac7d6f0484eb4a1fac9c7ba971

SHA512
44dc8ad9370973068ef0bbda482954232336ca38d11652c743427eacd557171d73778094b49df72c74cdf1c0c62d548aab22cd8aca91803ed37ba9df6ac17beb

Download Submit
C:\Users\Admin\AppData\Local\Temp\YoMw.exe

Filesize
555KB

MD5
020d3a90c7a1354576b8eb5d01e83a93

SHA1
d6ea34561677f9fe07e9aaede275a1ad0781777d

SHA256
e54a62cea2bf587cb03a897cb99ec16d75ce02626ca89d13e5a02d5dd15de788

SHA512
44ca77b8289c3329d57423f0818146d0ad576d04610e8dd1b6d7fee5e6624832ed4f8ecf92e09cbc9ef0319545287a5fddce1d720a07bdc0a56c4ceef5ad8bfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\YsMi.exe

Filesize
113KB

MD5
bf48d960aaa8feaaa3fb582697c3041e

SHA1
58a8e8d331a8659c011e993fbbbae4bb5095c9a6

SHA256
bb1ccfc552dae25ceba076f32acd4e97b4a5f75ca2c6fa08e0054401237d7d45

SHA512
f386fc75ecfc35be5518179d06f8c71c63e4ac150f51374cc160a131c4cb26ed9685cca230cf7a850de9f9e19c15a97b5999c3f2deed680c8738ee3b2c34adc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\aAww.exe

Filesize
111KB

MD5
ecf4072f6400f2180327f6544e8d8bab

SHA1
2f002e7b064ddc2fb93f89308ccc3234a639f5fb

SHA256
52d7d8b06e5c6904d0542e4b0ed5675fd9df7f6d19573b5cec38d9e4f92bb91b

SHA512
49342a1c0974551f6031760aa9eb314b371bf01e92dceda9d555333a2ee87bca46a6174a06bd9efce09a395be7984e24cd0bfbd22ebb1ec7a10092bff06215d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\aEwW.exe

Filesize
110KB

MD5
1b377b34ebef1db745c2d2f665d731a6

SHA1
72cf5d91ac31dfca0efea81cf8f6d490e937e2e6

SHA256
543d4f9e48b0b4affdf347873f0a649016acb175104a8e281b3be6a8ad765b4b

SHA512
9f09b749c006a1304f59c73cda40da488ab7ad7cb9b212843a34fc1ec0f80567d6a8104d7a46087103727d2bc64b12497d0e5956ccba2192817a7805ec53e0b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\aMQs.exe

Filesize
110KB

MD5
8ff49f27733a15ec34a39aa896e6633b

SHA1
fee61a9a09e0976bbb0657ce7d3453b622d14f1d

SHA256
0460bee71ea18e337f33472168a3b0c60448c13f4114a3b8975c849fcfffe26d

SHA512
a256a2072cfde6d0673001ede1e1d017447c4687adc96026270eb95d8532e3b848336effd08e556bbe0676a0af1366802e8a0c7c2f5e6ae6a504c1bf61005241

Download Submit
C:\Users\Admin\AppData\Local\Temp\aQgo.exe

Filesize
719KB

MD5
59a7cf4544aec46c7c9be3fac4653ba7

SHA1
e655fd01c6f327abfcb87e402a7f4637c49e5af7

SHA256
3e342db7d99594513e81881d846e8824fc68d60b4065b81d153be324ef40ff77

SHA512
80001b54c373b03ebffc52246291286b58252318b34aae7ce6caa0bd632623d0621d1571c78ff443a444f3eb17747495a2cefaa350db34e6c4be790608b2b46b

Download Submit
C:\Users\Admin\AppData\Local\Temp\aQoo.exe

Filesize
699KB

MD5
e4f3aef66bb98c2aa7de276bd407fce2

SHA1
b60adc4c8392019db7fb2ceb2d280ef45780ffd7

SHA256
fcf79dda37fc31d5355d142a6c4cc0523632d3f83af60fdee87ebd3863b9ffb8

SHA512
2e6f836beabd1f735354062129c32bfcf53281336c0b4134e629e0fe662b18d36281c781c3c933e55cd0fd84ea6304988ff654aa0f264008140d323b7e6c51a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\aUoS.exe

Filesize
236KB

MD5
4af43165e13ef7313b98b8281e81ae24

SHA1
d225abb8a792696dc111e8331e7c6db21f8522f7

SHA256
c81642d86f9bb44868dc192c96aea3633c18c35a7fb06ae24d4789791a80e5ce

SHA512
e5d89bc3fcc9484082c57e8cb1bee53d8a300ce2ce5eeb2f3021bd5fa77549ba3e941f8499eb87fda18add33799718a48d5481a23f21e4a0dc5910a5b2c5a0dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\agAE.exe

Filesize
602KB

MD5
a3e78024df138529727934760a14d476

SHA1
58eecd15b475503666ab2bc2ab9b617516cb149f

SHA256
b217d5e8db7a55ec7c99c1aabc7836915fd2e15313e4a60bb4b9633145e5c8fe

SHA512
c9b15b79e25362440e8f59cd0e40eded6c360f4211ca0185711fd2cd3defd4cdb9d02e2d3f7bb7c103fc3871a1931fab6a1fdd8c9da1d8aa0f7d8145ec19b1b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\agUy.exe

Filesize
116KB

MD5
1db027b72e1a055d58d196029ae7b972

SHA1
86adc8981cb6ea710355e855b694d93197cd0b83

SHA256
778cbb06c7563cfe6ef84dc432e2af3c27728c86381e7d438a88daa7a79b5591

SHA512
cd37391cb938dcae39e737d9875aae2049b14377257c543dda1f3e6aa039e2900ac99ce01da8ad1aeafa316a3e24183f457a49c170a61bbd674fa5a25572b25b

Download Submit
C:\Users\Admin\AppData\Local\Temp\assG.exe

Filesize
720KB

MD5
5493bf64f4e92081125b9849c4111568

SHA1
e4f4f2a989b268f5af2b009adb18f21d61a3193f

SHA256
7d989fafaf0f98bd26b8c7224e4d2133690c94478abf9d2ee93410dfe43c421a

SHA512
d1e27f2e349a469acdfea2fd4e4822554e0e019ea07cd4d12e1078d6e270da16112f909f390f512e736207d40a5f5017aeeb58356a2546928dc465f1f9809f7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cEMW.exe

Filesize
236KB

MD5
fa392c95bb221e850483556ba8570e71

SHA1
1488b9f37e91fab713455a720380238783d965a0

SHA256
5a78c09899e0b2028a5cf137db5f90a25d8da09470b5412368d16d54f252cd91

SHA512
9a42d693f09567293af335f0d06fafbfffe6b03b2c37941739198fbb89d52db54aa57cc73c3b2f0cdebb0b61016f1860d55f5154a653d97042c4dc5b046c626f

Download Submit
C:\Users\Admin\AppData\Local\Temp\cgEK.exe

Filesize
112KB

MD5
9b3f806a5e9e64b8069c61f0709afb9f

SHA1
9daee71bcab369ed7af148fef97aba7555e2c5a0

SHA256
cf49ae627ecf7bcc8bb596ceeb510d8c9fb0ed7af9712c25223098e0f6c74542

SHA512
b93c31d4dd493ca6b341fdad675dbf05451126956a62316f987c2a2464b5b5858dc82ae32be97da136a24bdeddc91cc994b9155a0781cfd3b48d03722843e105

Download Submit
C:\Users\Admin\AppData\Local\Temp\ckIS.exe

Filesize
113KB

MD5
95ad92acb93392ccc6e8468d6b2d13f1

SHA1
41b3b28413ad60cdbaeaff3e39f66061a7c1a922

SHA256
f8ccce9bb222ba5ada70de9e33c12651f1dcb644ae27b5bfb6213b1223e91610

SHA512
a1087f4a3c3ab932a26fa96e1318d38a48793b20cf30bbf67a078921852f9cc218a558f6bf2b2b7cce893176b5d2331d58e04622cde648bc2accd05a162e2384

Download Submit
C:\Users\Admin\AppData\Local\Temp\cssq.exe

Filesize
745KB

MD5
4aea5f15117b337e6a2b1b4763fac175

SHA1
f981d0339080744b8e2bae2894ab6de151f249c6

SHA256
42cded045b4ea8b5b94c1fc897013d1aff3d4f5ad362503a698e7facba1bb93b

SHA512
d2c249543c2016df97c500b2bc85ce6c738313c94ce41e64878b083a86d473a7eae5c2f045d5d5f97cb44b4345a8f38c7e4577a1e55c0f1c18d90ba7742bf6b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\eAgI.ico

Filesize
4KB

MD5
ace522945d3d0ff3b6d96abef56e1427

SHA1
d71140c9657fd1b0d6e4ab8484b6cfe544616201

SHA256
daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd

SHA512
8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e

Download Submit
C:\Users\Admin\AppData\Local\Temp\eMsc.exe

Filesize
211KB

MD5
f199007f2fcc16093b832cc1e5368fb4

SHA1
61c04a32a87aff9cbd7e3c5aa00cf14eef60756d

SHA256
4e9df4b5721ebd40313bea1fcde8e650717d67706618f4c8bcd56a1457759403

SHA512
8cca6b49e5b8abdad1e9439791e0dbcb53ed4352de1bd2e1aaf3c00f617aab28e27a968355bedcf24c3d8dd025217fbfd11c5ba2ee2f073224a7d827386c02d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\eYoO.ico

Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\AppData\Local\Temp\eYsM.exe

Filesize
112KB

MD5
94c384e361bc34fe01df2dcc4b33f540

SHA1
c38e461e0f3b63ab40a2702812a3b0de4e6d0bc4

SHA256
96a0df660d541ecd3417b1172b6c614ddf4e12e278754bd883ddf9b26d6e18a1

SHA512
6e0412d251a133045d306373cb4e0e5daa45a75331c5ce8b45fbbc664a461b1121be0005c02057cc68b7d28ef7ba03dbbbb65ebddf26ef9df308ccb85a9cb509

Download Submit
C:\Users\Admin\AppData\Local\Temp\ecMs.exe

Filesize
112KB

MD5
4214e7d123891951098a21e5089fd0ea

SHA1
23924e9bfe0307282c45f135f9ab7b3ff8a8ad22

SHA256
5b156fd7b4c889fa671d35ddb38fc2c8fa0151bded5705f7db914bbc8e2fccac

SHA512
801e9bddec1c915c09fe56964e0aa2ff28b7d1eeea44af9fb2c786ad2b96c59bd9bdb469ed94d9e56037c48210e91eb0ab093a225687e17b58e454e55d4cda21

Download Submit
C:\Users\Admin\AppData\Local\Temp\ecsE.exe

Filesize
691KB

MD5
d1c135002db7bcea322a1768aa6880e0

SHA1
709b4356255694cf4c5944841d166771a83cc171

SHA256
a5ca8466b0f69674ef86559cff79e4423ef397b63bbca7ad502e45e9704d189b

SHA512
7ae9fbf5e8b31fa776a9683c26b3fa429efa51cb714fabd601e4e5d953155aa1ff9849bebc10ce9c835c1746fe21ca66ad4f8001c8552d666c506fad7eea1677

Download Submit
C:\Users\Admin\AppData\Local\Temp\egwa.exe

Filesize
148KB

MD5
e1ece9ee7a18519352a66208a6eb002c

SHA1
ff717fcfdc96cc12590d5e79dc2b5dc4c51befb9

SHA256
4e34d15b6b14270c14147ae284a4cb1cbb3b9f5d3de31555684027e71ed8c3f9

SHA512
8bcb45966c5374c5e8d28f95a1ac19253808a52bdbc7c9be88e37094ee4ec1737b25a0167e4b902d845662189deabe970e58fba0ff6d6ddea82e58e8dca4bde3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ekwO.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\esIi.exe

Filesize
113KB

MD5
a7b86da2c4fa21fedeb785b8dad41213

SHA1
9547a4b253b8f02e17a315323c0aeebeb317bc6e

SHA256
f33c07601c3365785b7a16ffc1a224eb6ca09fa5726de3f3fdd55de746f10646

SHA512
985ad891722a59ace4b0edec16f00ab4b27f4f07310b7b0410051a55a5203eef4f6577088803beaac3254815e5359024727ce3cecf03f1588ece0e0f65a11897

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gMAw.exe

Filesize
840KB

MD5
1da3858b03b8614b85832ee2d163098b

SHA1
7de55a33a6ade7f67a2f9c8c61b226062f90512d

SHA256
5b845ab4f44f15e84ad709f2b0b48dfcebedc9b00b46aa2969b38c04bed9e38a

SHA512
c92051d3940e9593eba7d954195fa66b0ee82f03b5b76c8909814d78a62af86ff9f0cf09d884bd1addbdc2c60a7ea5988869c3c165c78f71a786fcdc1475e4eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\gQMo.exe

Filesize
485KB

MD5
724e27cf17d1626731cf07212fa7eb07

SHA1
5241947c16c59186248297be44262abc1cf1624a

SHA256
79d2d62da061191f6733e3ecc8a5bba2d0906ef3aa3d3f3cef2bc7a7bdc94246

SHA512
bd7b43e86491f605c0a967b966e918fa11c18a9eb8ff4dedae0ed802d03b9669d6f015ed2e6befd471c9b41897203c7ccd36bba1eb8843c70d95eee2f9e0de74

Download Submit
C:\Users\Admin\AppData\Local\Temp\gYsw.exe

Filesize
115KB

MD5
72a13152a3d9b8da1ab314a08e4e29d1

SHA1
a17599c592276b68656d5fbfe3b4978c94aec412

SHA256
c0e74b3a53fef5a5aadcaf59ae35cd56da88b600bf1e0635a4da0b1d541644c8

SHA512
658af7315b67aa6f19ab362e63f6bc6252aae808577d2492d44daafe529c4025e46e9c8d045daf56a2c904a73abf133c178cdb0847e1207f0e2048299c1994fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\gcQI.exe

Filesize
115KB

MD5
fb2fd9123cd38d9aecd2a8c291018a8f

SHA1
166fad20826d8cca8dc92014a949dff7d6c22e2c

SHA256
a8500b22334c72143168f49742229b011f68e191b0cae0b8f20de848e1db53f9

SHA512
b6dc16a1155c79a0d30d12454bdc7f2feeeb9fce53dd1a35e789ca2413c9a5f3e6a9de8dd9f6c418928a6b449db513a4414f770eaf855c4bec73f1de4a38ad22

Download Submit
C:\Users\Admin\AppData\Local\Temp\gcoE.exe

Filesize
113KB

MD5
fb0e73eaab3a7c572c4754d65c8371a8

SHA1
68271b6cb6a622c09fc9b0bc026369e27d0930bc

SHA256
ab9958e25c8b3c7025b6ed9f360ab1d28088aa2c4ab379473c22b306cfbe2a27

SHA512
bf768f9e117e21e83c3d96e545c00ad3a45f54fcaf137a666d66e396bebaca919f97bc1afa60183019067a29881a43a85e2a107883d63cb31678edf32182c02f

Download Submit
C:\Users\Admin\AppData\Local\Temp\gkoO.exe

Filesize
234KB

MD5
38e8c70b6e7925536072db3046248bbe

SHA1
ff84aaa7c1e66bcc616b84127e4553853c7f6501

SHA256
a0aa1cde47b8189a09f7079b94d134ac8a620c17375fde52b3fd4aae3c2585ee

SHA512
1360d5f48f0333decdcc67e355b15458030aa7585e9e6d8bae55b2cb0f7ff68f44c28bbd6dba2250fb901f58ab70364bc71d6a51ba4456eb5035913c99aaa395

Download Submit
C:\Users\Admin\AppData\Local\Temp\gkoq.exe

Filesize
139KB

MD5
49d99907fb6c4dd75b1edba2a470787b

SHA1
f832ce89528cbf30b126b97a83af51717c255373

SHA256
010850f34943ee2ea1f5050634787a24af9888f4ebcead1bacc2420b4532b4f3

SHA512
a9f8b4dd3e020110df1aabc0182b6dc4673bba20e1ffb6770d1c22a338e563db3f3711cebfd04fdeb32e62aba0af4ed3c2e50dff85af112e15990e3ffe16044a

Download Submit
C:\Users\Admin\AppData\Local\Temp\iUEg.exe

Filesize
236KB

MD5
819469feae562a6a3100067e2e0626ce

SHA1
2b0c66b19d093190c00ec4060d059f8cc47d6513

SHA256
9b124b36a17dd53f79fb5aa4617037675d50354d90ae383b72c86800a8395a47

SHA512
c6876f089baf6412c8dd80a5a9396997797281b59d6d57adc79bdfe967a383c30ae0364ccf3591bdc1abf55aef90912bf8203d83e67d924bdd79a90d36e2bc50

Download Submit
C:\Users\Admin\AppData\Local\Temp\iYMq.exe

Filesize
120KB

MD5
4f8f2ce2cdf78b0696f514ef5b15131c

SHA1
3e3a98a5f3de2a058d0a79040bf06a81a866dcaf

SHA256
0808053261a6623bfd43422f001b94c896dd77f728e57523784e04b9f7c10b90

SHA512
38d4117430a6f3d1c25a9ccafd20a2ad4d60ab56395b9101481e8c357f12a9e92201ad1e3665ffce286f78b61c9c43458db02197bb3edf5db874fa4fd9c32e6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ioUO.exe

Filesize
610KB

MD5
f37a39f8011b1fe6a8a86f3d8a82c2b4

SHA1
f9039f63539635861bd3fc868e7b563a813b5fba

SHA256
a07c332f3a73f19cf74f2c2e4467fd32ae6b7a42a89daebde376b0f2db0f8261

SHA512
b00f3a5a2ef240f9ce862f26b1eae1715ee37f00084aa6f2358df04b2348f6cef5216113c164dc3800b6f83627135d5b5d704e52ad3c651601fac0720017c0f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\kAcG.exe

Filesize
112KB

MD5
777214a38f0868f010ff7fff2a64ae32

SHA1
ae21cab9bf7a7c66a750f45633bd3f8976772480

SHA256
035c093b8f4e6c1cca6e497409830b4793dab9cbfbb40968438fa15e932cb7a8

SHA512
6a54adb997a1092de01a599900c60e1b575237b6f7731826420ca9d5c2e09df71e31e349d4860949f30a0dd89acb1f7cfd51cd6400f3527e975a422d82efb213

Download Submit
C:\Users\Admin\AppData\Local\Temp\kUcM.exe

Filesize
110KB

MD5
5a9e11d3daf71d3feda57baf9e009b01

SHA1
64829a82fdbd6c7d3318c84f9e4eedd2c638588d

SHA256
558bd049efa3fe3c3cb6fd7b5c0956ac14795b6410c98f258d5d7959fbf6d715

SHA512
14f6b89b39ee4c2218588f8b8275885b65eb1195ea223b9b534ec8ec1d661f284e83218f8bb98c055c2f5c5e863118391fd76d7a70db727bc6a660efa108971f

Download Submit
C:\Users\Admin\AppData\Local\Temp\mYEk.exe

Filesize
565KB

MD5
9cd36058383c4a840a0b9820c4379d29

SHA1
c4a2002a19967b2ad82e0ba602a98c3c3a3eb875

SHA256
944975c5ccc4793a9b1b1ff4c9561e37fcbd6d15d60c7dec6253153910ba06ec

SHA512
000a9b7dd93534061967b122ae5d18866c2bba46cc2016a6b45218c9e2449165686d99bde6bfe751cf76cd1b1b9ee1ad53c3c1de1ddcf8f030407ba3e024c855

Download Submit
C:\Users\Admin\AppData\Local\Temp\mggO.exe

Filesize
848KB

MD5
3b89702ff2d18617f0703d1d7debd035

SHA1
a7801325a16572492f6b5af6feffd9ec28d3809f

SHA256
dfd8238fee49c08bd355ee36ac345a92405929921622d401468130cd72c057be

SHA512
c3e44ce9b25e9ae3347d2f80a6ca35d2f19f961c392a63b9aeddc1b2874f379da87c9b92b0eebf3912d7c1ce1de6ca5b20ef10a5c82a08ea77e56000138ea1a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\mkUO.exe

Filesize
117KB

MD5
f2e66bbd2f0937bbc539ceb17021ba3b

SHA1
959e84467eaffada9260a9a9ef1b07cfe8d7444c

SHA256
be82444005724d219e577519a7e3e9894be3911835762b050e05f9c78ec05e23

SHA512
32b7417bf93c1d1f4022ebdab4ed9b22a2daf8fa16fea2738beb8be5414d4ad1402696999472c57d341eba6dcaa32eb3743da2deaeb051e9b8aa9b27bfd7d500

Download Submit
C:\Users\Admin\AppData\Local\Temp\mkoy.exe

Filesize
110KB

MD5
fe22501467dc209d22a0097acd3549b9

SHA1
d42769013f3e6ba190ad9fe8eae2b28177791c24

SHA256
93ec37a5878dc354b91defa66b600e652d9f211fa010db2ae3ffaa0f896773fd

SHA512
32d9bc12ef37edead4c7103591c6d9d5c594f540ec5d06651d5bf84b43ca139fe8fd5472c33263ca5d3ced14ce5f76981f742816e939bc8c33ba51c5b764fda5

Download Submit
C:\Users\Admin\AppData\Local\Temp\mosy.exe

Filesize
113KB

MD5
6dcd292b2d4a1418dbb81fbcb180b076

SHA1
b830b41e875cc0242793173ec5b49afcff6f0090

SHA256
936b158f6d86cf3f977ddb9343f9b13ea91ee163c101afef6db0817cfa98c16d

SHA512
fa3147fe7d7044926824977a7513cc700eb9cb8c8bb05dbb3fc528df6883a0e0dbd6adc1b8703b7804c94d4b8caba31b914a737f14ec2f934b131741254bc3c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\oEkI.exe

Filesize
122KB

MD5
f0f8ff0a572f62da5f26685cdd1335fc

SHA1
781f7aa63ebf62ba051a3d38b40fa14ff6120067

SHA256
d0738e01d61eb1b92c84cf859b23978e5571b3292d4a1b9c79c354241efbc282

SHA512
ff4c9069bba925a31551369323a3f0a78e70c53bce2e2daee2acd6bed827ae8c566ea21c73ac12ad888475923a3e72e8adf3342d9c9eac4bf301e4d8d5f5c2a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\qIgC.exe

Filesize
5.8MB

MD5
28ebb9b7a463857928ac90fc02d9c89e

SHA1
981c6408a9caf379c173d802ee17197b5a9cfe3d

SHA256
19141c506fd10a96a70cfca692c28a55b9273deac0b5946077bd4c55e55600a2

SHA512
438a687aabd99d2620cbe1616b422708fda4c0992099fd1185e7dee278ebf6282cad81afae2853181b48137f405b7958852dfa0352ccea347f4be9fd82fbf9f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\qMkc.exe

Filesize
558KB

MD5
4d6eb18f6ffa66a53b92fd8b826d352a

SHA1
11c4fba0fd79ea166be04ab5e33f8b84ffebaff0

SHA256
d1ccd1f5ec3c9f614ea60e00e250f9bc028e42704c584094be32b384282a300c

SHA512
d09281b9058703b7342bcfce9772153493b66f85071fee62291168d69543beed44787f3ba73f475ed2e22d21db7154f671f34a13ded54401bb0d8240f2575ea8

Download Submit
C:\Users\Admin\AppData\Local\Temp\qMsQ.exe

Filesize
111KB

MD5
609e08add69fc07240d41dfe6b81d19e

SHA1
0cac1ef3e5307420a841fafeb96b594434853195

SHA256
8f5aeb377635a95a4607bd20a8680e2b386db4df5185a91dc0f1ce9e661103d6

SHA512
bc2c2636b348bf12062ac874b8420d1ce0946643aa97fb9a55560a389a382414be92bbb56f02498d7fdc5301312e35ee17d4cd8370f1056c5a30f85ad3054db7

Download Submit
C:\Users\Admin\AppData\Local\Temp\qYAY.ico

Filesize
4KB

MD5
6edd371bd7a23ec01c6a00d53f8723d1

SHA1
7b649ce267a19686d2d07a6c3ee2ca852a549ee6

SHA256
0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7

SHA512
65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\qoUI.exe

Filesize
120KB

MD5
1c8c4ac3ddc67d339c1050ae3e8a95ea

SHA1
86ab50575e75665a6afcb6ad0088b118507ae914

SHA256
f6671fcb09e6d92f3e10dee3f8c53a3953d2312db2178987589ba4cf0596b1ed

SHA512
9d181f558c4b0f0ff3c2a524992940eff07fb3a82fb1b301c5a0da64a8abc0518dd01b553997d5723d9d0e69e8cbfa3cef817f971f95a94a02a02fc87ff87989

Download Submit
C:\Users\Admin\AppData\Local\Temp\sAoC.exe

Filesize
113KB

MD5
bc2f594836408e473aea5d04dbe7921f

SHA1
e89289a895f50063c7c73c403183ba5f605a1464

SHA256
aed241198edff3519ea90b955fae36768b6ed996cc547978e4447edbc14d141b

SHA512
8201d9375f9d860fede1cf49af2e5dc460bc48a172e320b61099fc30f4848f8328ea3ab284d73ce95ac6fbe5135c1ecf1e6eaeafdc221ddb897309c8a9239d25

Download Submit
C:\Users\Admin\AppData\Local\Temp\sccY.exe

Filesize
1.0MB

MD5
dc17efb3547b728252aa23090bc89bff

SHA1
57e2ca265e92c2134220e7fb49e574fe0f57216e

SHA256
d4343a769e2867d191496926104e8c3abd428a51bf0448527ca26a0d2d6314c0

SHA512
ffb1c501b1fe3a1ef64f22055bc9da23e326ec8378489c2c3fa579c960e9004aaf5043588db161abfb674a5f4115467eab2431267096398e4976e1ccb9f1a4e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\uQkc.exe

Filesize
117KB

MD5
c5880cf10f74f5f3b381d87d457998b5

SHA1
7a3ac0f1ca671e77738322ea3119180567069361

SHA256
e8f566b696e1da78c9bcf7f741ae1aef647b7fb16b1568cb8763b7d10783c121

SHA512
0bea6e83ebfd374c83780767bb001ba187b268502365430014707422b8ac579547a34d6160fe768806819882f3304ec27da166dcab092d5811bd6b2f57c396fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\wgUK.exe

Filesize
1.7MB

MD5
34643e1ea11628d4c64d55f52ff44a0a

SHA1
e55f50724bbff18f05f89c2ad3d2ff98afd18772

SHA256
d6b843ff70842ea491d19878962da026fa5cabc06393700b3650d7ebafdcb2bf

SHA512
1312eb0ab9d70a1e39b9bac69894fae70341c857fb54f05366823bcabdeec2de04d37e4b5a50d76b9746a8b1c872ca0684e93d4bf49b07e03441154a86d7cf33

Download Submit
C:\Users\Admin\AppData\Local\Temp\yAwe.exe

Filesize
110KB

MD5
b6983a1445e6d23ee65ba434d6de5a06

SHA1
ca66e1fecd0d42b0b048deb74fe8670896d3be85

SHA256
77c0b05bb67fb26c2b67ebbddf285b1a077a1f423729748ed1c2d0c5a43c6e68

SHA512
00ade78e2b7c3991f4cd266021b6df6a9c113cd875323698a1f232bf93e8d3b1ddf220fb6f684e219cc19290a59a83297f167f14861e0497c7e463bc7aaad183

Download Submit
C:\Users\Admin\AppData\Local\Temp\yYIS.exe

Filesize
138KB

MD5
aff2d70906e43ec6caba7606368c1d52

SHA1
d5d17da122e7838cd934e34d98bcbb66c0c86e20

SHA256
7706773b55f8224b24d4d61ead668c0953a7f9597023f290195011c0cd9a1df5

SHA512
05e601d0bb1033c5ff4b66a857fbc4d7ea2d463141e4484a7daf9949572fae3ed481ae8aa33d44b98c2c29b34c1879bee256167735f135f2fd830dbb02d77dba

Download Submit
C:\Users\Admin\AppData\Local\Temp\ygIM.exe

Filesize
113KB

MD5
7859799f9ed16a72dda0fd6f220806da

SHA1
ad0d2bd3fa70d1c1f11b0209d80a06ab7d617dcc

SHA256
4a492fb2638c0f4b1b0351accd12f77eb874d683a077ab3d9c1f0b2733f513a9

SHA512
725c8cde69a26e1ef113515c59f84717dd558b982136a74575f410278557364743c8d51c7401d49288116e7d74f877f2aa528f20d5939e2df895c8bf14916273

Download Submit
C:\Users\Admin\AppData\Local\Temp\ywkc.exe

Filesize
111KB

MD5
f8f39c6ea39372cf11a7fdd62af535bf

SHA1
cd8ae670f714a78273ad6af0ddefc370a89b771c

SHA256
82c68c801f334bc7b4f3a34d7f19b78c3f42b45ed9652bad6c87e9b11272dc83

SHA512
cdd70e2ca2d8d1991f3504db869e90b19b2c00f44c603fbc67f7c7a2b02a437446b55d4042b2c63513608be5726490c2365142eeecd95e1d858c7a12eb1415fa

Download Submit
C:\Users\Admin\BggwgYoU\EgUEQgkM.exe

Filesize
109KB

MD5
cf1f16542216b92632a9d23c4a66cc82

SHA1
8ddd25a06a5740321338a3707eb38c8c9f70165b

SHA256
a3f4a4c41085d7a67c45311799fae6d6344b95929d972e18f4b79414d486df93

SHA512
a60ba977e0b259f9f5b4a711d4020706392483f0fde67a2dd7f9ab0757e370c9bfaca6a5967d0010f8a36ad946780c20971f8e281c83acd996140b6bc9f80ab6

Download Submit
C:\Users\Admin\Music\ConvertToDismount.jpg.exe

Filesize
722KB

MD5
cf8768dac8b1517bd9b87f8699b4c260

SHA1
c4d941a51f42b89c17e791ac29ee835dd68dd6ff

SHA256
826db0130779e8835a9c270f60204361eb4443ab91c2558efb744668fcbf6761

SHA512
7c8b3d4323cfd098abf1206987e57a222bfb9c7441008a81152adb1a87ce78671c3c44fc48bb598c2f8c83fdeb7db1c3e55c42fcb84d6aadd9806c95b305a453

Download Submit
memory/224-99-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/224-110-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/264-42-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/264-1072-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/264-27-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/544-121-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/548-312-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/548-304-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/696-436-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/836-895-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/900-1191-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1108-380-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1404-446-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1404-454-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1460-15-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1504-295-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1568-224-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1640-1813-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1676-320-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1684-1136-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1820-539-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1964-1891-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1964-1869-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1968-1557-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1968-1635-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1976-1392-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2040-31-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2092-354-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2248-1264-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2448-213-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2448-202-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2460-438-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2460-445-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2616-87-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2764-287-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2772-589-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2864-155-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2864-168-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2976-346-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3116-53-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3144-279-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3308-329-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3308-321-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3360-235-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3408-201-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3472-179-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3472-164-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3512-1763-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3516-271-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3516-263-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3528-1699-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3640-76-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3640-811-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3640-845-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3660-1492-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3676-412-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3676-420-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3696-476-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3700-132-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3724-1950-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3764-957-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3768-1556-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3788-54-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3788-65-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3964-19-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3964-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3972-262-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4060-1447-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4188-365-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4188-372-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4288-428-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4288-98-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4356-190-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4356-411-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4540-682-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4540-745-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4544-7-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/4588-355-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4588-363-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4676-156-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4676-146-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4688-1849-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4728-809-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4760-1315-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4856-303-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4880-1022-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4880-972-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4924-330-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4924-338-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4948-246-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4964-388-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4972-667-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4972-604-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4980-403-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4988-254-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5100-143-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download