efc7a45fe8efcbc92a1f16bfc3cfd1666fda5340815322af7cbee709c51d7cdc

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-11-2024 01:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
Size

882KB
MD5

784d6132ccc958a3e44ac9b8f26b64e1
SHA1

3db2b316b3bf5bf9cc5c69e90f013f34ed283d34
SHA256

efc7a45fe8efcbc92a1f16bfc3cfd1666fda5340815322af7cbee709c51d7cdc
SHA512

5a5ca6f606c3dda9751766cfe799f3f35bf0337494bd21843e6df70588cca0d37014431338c3ed8652fbce4898980db59c063c89f3aa6c89e3a255d7eca5eb6a
SSDEEP

24576:H694Zofqlkfx+cvhGHv9aTCJxlCEbrjUfyiXbfHG:H7qCgxHm9aUj8yizH

Score

10^/10

discovery evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (76) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

HYIYgIAE.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation HYIYgIAE.exe
Executes dropped EXE 2 IoCs

Processes:

HYIYgIAE.exeeEEAkwoM.exe

pid process

4976 HYIYgIAE.exe
3716 eEEAkwoM.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	HYIYgIAE.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exeHYIYgIAE.exeeEEAkwoM.exe2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HYIYgIAE.exe = "C:\\Users\\Admin\\HQIkcIUg\\HYIYgIAE.exe"	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\eEEAkwoM.exe = "C:\\ProgramData\\BewgUkIQ\\eEEAkwoM.exe"	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HYIYgIAE.exe = "C:\\Users\\Admin\\HQIkcIUg\\HYIYgIAE.exe"	HYIYgIAE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\eEEAkwoM.exe = "C:\\ProgramData\\BewgUkIQ\\eEEAkwoM.exe"	eEEAkwoM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lIowYkQg.exe = "C:\\Users\\Admin\\mqMgcAEg\\lIowYkQg.exe"	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\YicMUgIM.exe = "C:\\ProgramData\\ViUYUEwU\\YicMUgIM.exe"	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe

Drops file in System32 directory 2 IoCs

Processes:

HYIYgIAE.exe

description	ioc	process
File created	C:\Windows\SysWOW64\shell32.dll.exe	HYIYgIAE.exe
File opened for modification	C:\Windows\SysWOW64\shell32.dll.exe	HYIYgIAE.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3352 1436 WerFault.exe YicMUgIM.exe
3444 4204 WerFault.exe lIowYkQg.exe

pid	pid_target	process	target process
3352	1436	WerFault.exe	YicMUgIM.exe
3444	4204	WerFault.exe	lIowYkQg.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cscript.exe2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.execscript.exereg.exereg.execmd.exereg.execscript.exereg.exereg.exereg.exereg.execmd.execmd.execmd.exereg.execscript.execscript.exe2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.execmd.execscript.exereg.exe2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.execmd.exereg.execscript.execmd.exe2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exereg.exe2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.execscript.execscript.execscript.execmd.execscript.execmd.exe2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.execmd.execmd.exereg.exe2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exereg.exe2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.execmd.execmd.exereg.exereg.execmd.exe2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.execmd.exereg.exe2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.execmd.exereg.exe2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exereg.exereg.exereg.execmd.exereg.exereg.execmd.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

Processes:

pid	process
3740	reg.exe
5048	reg.exe
4876	reg.exe
2200	reg.exe
4524	reg.exe
3188	reg.exe
2396	reg.exe
444	reg.exe
228	reg.exe
4412	reg.exe
2224	reg.exe
956	reg.exe
2024	reg.exe
876	reg.exe
5052	reg.exe
3496	reg.exe
2860	reg.exe
2560	reg.exe
3260	reg.exe
4980	reg.exe
4104	reg.exe
1148	reg.exe
992	reg.exe
796	reg.exe
1496	reg.exe
2636	reg.exe
4820	reg.exe
4352	reg.exe
32	reg.exe
3016	reg.exe
3956	reg.exe
636	reg.exe
4124	reg.exe
2768	reg.exe
4156	reg.exe
2376	reg.exe
3016	reg.exe
4776	reg.exe
4296	reg.exe
2772	reg.exe
3980	reg.exe
4428	reg.exe
1736	reg.exe
1408	reg.exe
5108	reg.exe
3532	reg.exe
616	reg.exe
2524	reg.exe
2396	reg.exe
1736	reg.exe
2456	reg.exe
3000	reg.exe
5072	reg.exe
3472	reg.exe
3472	reg.exe
3148	reg.exe
3532	reg.exe
4872	reg.exe
1640	reg.exe
3376	reg.exe
3452	reg.exe
3692	reg.exe
2024	reg.exe
2792	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe

pid	process
1848	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
1848	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
1848	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
1848	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
1336	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
1336	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
1336	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
1336	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
3380	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
3380	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
3380	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
3380	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
2300	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
2300	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
2300	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
2300	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
4972	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
4972	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
4972	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
4972	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
2348	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
2348	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
2348	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
2348	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
4352	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
4352	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
4352	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
4352	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
1968	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
1968	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
1968	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
1968	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
4572	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
4572	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
4572	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
4572	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
4676	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
4676	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
4676	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
4676	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
3876	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
3876	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
3876	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
3876	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
228	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
228	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
228	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
228	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
4292	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
4292	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
4292	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
4292	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
2264	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
2264	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
2264	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
2264	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
5084	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
5084	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
5084	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
5084	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
3008	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
3008	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
3008	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
3008	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

HYIYgIAE.exe

pid process

4976 HYIYgIAE.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

HYIYgIAE.exe

pid	process
4976	HYIYgIAE.exe
4976	HYIYgIAE.exe
4976	HYIYgIAE.exe
4976	HYIYgIAE.exe
4976	HYIYgIAE.exe
4976	HYIYgIAE.exe
4976	HYIYgIAE.exe
4976	HYIYgIAE.exe
4976	HYIYgIAE.exe
4976	HYIYgIAE.exe
4976	HYIYgIAE.exe
4976	HYIYgIAE.exe
4976	HYIYgIAE.exe
4976	HYIYgIAE.exe
4976	HYIYgIAE.exe
4976	HYIYgIAE.exe
4976	HYIYgIAE.exe
4976	HYIYgIAE.exe
4976	HYIYgIAE.exe
4976	HYIYgIAE.exe
4976	HYIYgIAE.exe
4976	HYIYgIAE.exe
4976	HYIYgIAE.exe
4976	HYIYgIAE.exe
4976	HYIYgIAE.exe
4976	HYIYgIAE.exe
4976	HYIYgIAE.exe
4976	HYIYgIAE.exe
4976	HYIYgIAE.exe
4976	HYIYgIAE.exe
4976	HYIYgIAE.exe
4976	HYIYgIAE.exe
4976	HYIYgIAE.exe
4976	HYIYgIAE.exe
4976	HYIYgIAE.exe
4976	HYIYgIAE.exe
4976	HYIYgIAE.exe
4976	HYIYgIAE.exe
4976	HYIYgIAE.exe
4976	HYIYgIAE.exe
4976	HYIYgIAE.exe
4976	HYIYgIAE.exe
4976	HYIYgIAE.exe
4976	HYIYgIAE.exe
4976	HYIYgIAE.exe
4976	HYIYgIAE.exe
4976	HYIYgIAE.exe
4976	HYIYgIAE.exe
4976	HYIYgIAE.exe
4976	HYIYgIAE.exe
4976	HYIYgIAE.exe
4976	HYIYgIAE.exe
4976	HYIYgIAE.exe
4976	HYIYgIAE.exe
4976	HYIYgIAE.exe
4976	HYIYgIAE.exe
4976	HYIYgIAE.exe
4976	HYIYgIAE.exe
4976	HYIYgIAE.exe
4976	HYIYgIAE.exe
4976	HYIYgIAE.exe
4976	HYIYgIAE.exe
4976	HYIYgIAE.exe
4976	HYIYgIAE.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.execmd.execmd.exe2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.execmd.execmd.exe2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.execmd.exe

description	pid	process	target process
PID 1848 wrote to memory of 4976	1848	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe	HYIYgIAE.exe
PID 1848 wrote to memory of 4976	1848	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe	HYIYgIAE.exe
PID 1848 wrote to memory of 4976	1848	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe	HYIYgIAE.exe
PID 1848 wrote to memory of 3716	1848	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe	eEEAkwoM.exe
PID 1848 wrote to memory of 3716	1848	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe	eEEAkwoM.exe
PID 1848 wrote to memory of 3716	1848	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe	eEEAkwoM.exe
PID 1848 wrote to memory of 5000	1848	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe	cmd.exe
PID 1848 wrote to memory of 5000	1848	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe	cmd.exe
PID 1848 wrote to memory of 5000	1848	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe	cmd.exe
PID 1848 wrote to memory of 5052	1848	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe	reg.exe
PID 1848 wrote to memory of 5052	1848	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe	reg.exe
PID 1848 wrote to memory of 5052	1848	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe	reg.exe
PID 1848 wrote to memory of 5044	1848	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe	reg.exe
PID 1848 wrote to memory of 5044	1848	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe	reg.exe
PID 1848 wrote to memory of 5044	1848	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe	reg.exe
PID 1848 wrote to memory of 3184	1848	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe	reg.exe
PID 1848 wrote to memory of 3184	1848	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe	reg.exe
PID 1848 wrote to memory of 3184	1848	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe	reg.exe
PID 1848 wrote to memory of 2860	1848	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe	cmd.exe
PID 1848 wrote to memory of 2860	1848	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe	cmd.exe
PID 1848 wrote to memory of 2860	1848	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe	cmd.exe
PID 5000 wrote to memory of 1336	5000	cmd.exe	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
PID 5000 wrote to memory of 1336	5000	cmd.exe	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
PID 5000 wrote to memory of 1336	5000	cmd.exe	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
PID 2860 wrote to memory of 5108	2860	cmd.exe	cscript.exe
PID 2860 wrote to memory of 5108	2860	cmd.exe	cscript.exe
PID 2860 wrote to memory of 5108	2860	cmd.exe	cscript.exe
PID 1336 wrote to memory of 1816	1336	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe	cmd.exe
PID 1336 wrote to memory of 1816	1336	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe	cmd.exe
PID 1336 wrote to memory of 1816	1336	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe	cmd.exe
PID 1816 wrote to memory of 3380	1816	cmd.exe	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
PID 1816 wrote to memory of 3380	1816	cmd.exe	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
PID 1816 wrote to memory of 3380	1816	cmd.exe	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
PID 1336 wrote to memory of 2972	1336	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe	reg.exe
PID 1336 wrote to memory of 2972	1336	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe	reg.exe
PID 1336 wrote to memory of 2972	1336	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe	reg.exe
PID 1336 wrote to memory of 4000	1336	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe	reg.exe
PID 1336 wrote to memory of 4000	1336	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe	reg.exe
PID 1336 wrote to memory of 4000	1336	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe	reg.exe
PID 1336 wrote to memory of 2032	1336	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe	reg.exe
PID 1336 wrote to memory of 2032	1336	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe	reg.exe
PID 1336 wrote to memory of 2032	1336	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe	reg.exe
PID 1336 wrote to memory of 1172	1336	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe	cmd.exe
PID 1336 wrote to memory of 1172	1336	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe	cmd.exe
PID 1336 wrote to memory of 1172	1336	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe	cmd.exe
PID 1172 wrote to memory of 1528	1172	cmd.exe	cscript.exe
PID 1172 wrote to memory of 1528	1172	cmd.exe	cscript.exe
PID 1172 wrote to memory of 1528	1172	cmd.exe	cscript.exe
PID 3380 wrote to memory of 4544	3380	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe	cmd.exe
PID 3380 wrote to memory of 4544	3380	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe	cmd.exe
PID 3380 wrote to memory of 4544	3380	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe	cmd.exe
PID 3380 wrote to memory of 4444	3380	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe	reg.exe
PID 3380 wrote to memory of 4444	3380	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe	reg.exe
PID 3380 wrote to memory of 4444	3380	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe	reg.exe
PID 3380 wrote to memory of 2224	3380	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe	reg.exe
PID 3380 wrote to memory of 2224	3380	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe	reg.exe
PID 3380 wrote to memory of 2224	3380	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe	reg.exe
PID 3380 wrote to memory of 4324	3380	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe	reg.exe
PID 3380 wrote to memory of 4324	3380	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe	reg.exe
PID 3380 wrote to memory of 4324	3380	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe	reg.exe
PID 3380 wrote to memory of 1948	3380	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe	cmd.exe
PID 3380 wrote to memory of 1948	3380	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe	cmd.exe
PID 3380 wrote to memory of 1948	3380	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe	cmd.exe
PID 4544 wrote to memory of 2300	4544	cmd.exe	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1848
- C:\Users\Admin\HQIkcIUg\HYIYgIAE.exe
  "C:\Users\Admin\HQIkcIUg\HYIYgIAE.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:4976
- C:\ProgramData\BewgUkIQ\eEEAkwoM.exe
  "C:\ProgramData\BewgUkIQ\eEEAkwoM.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:3716
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5000
- - C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
    C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1336
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1816
    - - C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3380
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4544
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        8⤵
        
        PID:4668
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        10⤵
        
        PID:1004
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        12⤵
        
        PID:4936
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        13⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        14⤵
        
        PID:780
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        16⤵
        
        PID:3032
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        18⤵
        
        PID:1792
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        20⤵
        
        PID:4772
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        21⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        22⤵
        
        PID:1692
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        24⤵
        
        PID:3480
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        26⤵
        
        PID:5108
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        28⤵
        
        PID:2132
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        30⤵
        
        PID:4596
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        31⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        32⤵
        
        PID:4124
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        33⤵
        
        PID:1048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        34⤵
        
        PID:3264
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        35⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        36⤵
        
        PID:4440
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        37⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        38⤵
        
        PID:4800
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        39⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        40⤵
        
        PID:4348
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        41⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        42⤵
        
        PID:3916
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        43⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        44⤵
        
        PID:4120
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        45⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        46⤵
        
        PID:100
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        47⤵
        
        PID:3380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        48⤵
        
        PID:3108
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        49⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        50⤵
        
        PID:4156
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        51⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        52⤵
        
        PID:4472
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        53⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        54⤵
        
        PID:2500
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        55⤵
        System Location Discovery: System Language Discovery
        
        PID:796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        56⤵
        
        PID:2972
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        57⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        58⤵
        
        PID:1164
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        59⤵
        
        PID:3480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        60⤵
        
        PID:2876
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        61⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        62⤵
        
        PID:552
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        63⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        64⤵
        
        PID:3532
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        65⤵
        
        PID:3224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        66⤵
        
        PID:4092
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        67⤵
        
        PID:956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        68⤵
        
        PID:1168
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        69⤵
        
        PID:4676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        70⤵
        
        PID:5072
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        71⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        72⤵
        
        PID:3460
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        73⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        74⤵
        
        PID:4960
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        75⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        76⤵
        
        PID:2872
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        77⤵
        System Location Discovery: System Language Discovery
        
        PID:2704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        78⤵
        
        PID:5076
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        79⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        80⤵
        
        PID:880
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        81⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        82⤵
        System Location Discovery: System Language Discovery
        
        PID:3000
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        83⤵
        
        PID:1032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        84⤵
        
        PID:4292
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        85⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        86⤵
        
        PID:3216
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        87⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        88⤵
        
        PID:5056
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        89⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        90⤵
        
        PID:1436
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        91⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        92⤵
        
        PID:2032
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        93⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        94⤵
        
        PID:1216
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        95⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        96⤵
        
        PID:1836
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        97⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        98⤵
        
        PID:3288
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        99⤵
        
        PID:628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        100⤵
        
        PID:1380
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        101⤵
        
        PID:2716
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        101⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        102⤵
        
        PID:2308
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        103⤵
        
        PID:4120
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        103⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        104⤵
        
        PID:5072
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        105⤵
        System Location Discovery: System Language Discovery
        
        PID:3360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        106⤵
        
        PID:4884
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        107⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        108⤵
        System Location Discovery: System Language Discovery
        
        PID:1276
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        109⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        110⤵
        System Location Discovery: System Language Discovery
        
        PID:3472
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        111⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        112⤵
        System Location Discovery: System Language Discovery
        
        PID:1816
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        113⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        114⤵
        
        PID:4432
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        115⤵
        
        PID:4676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        116⤵
        
        PID:4972
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        117⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        118⤵
        
        PID:4028
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        119⤵
        
        PID:3980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        120⤵
        
        PID:3088
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        121⤵
        System Location Discovery: System Language Discovery
        
        PID:3248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        122⤵
        System Location Discovery: System Language Discovery
        
        PID:4032
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        123⤵
        
        PID:4076
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        123⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        124⤵
        
        PID:2184
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        125⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        126⤵
        
        PID:2308
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        127⤵
        
        PID:3876
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        127⤵
        
        PID:4164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        128⤵
        
        PID:4564
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        129⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        130⤵
        
        PID:3104
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        131⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        132⤵
        
        PID:4448
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        133⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        134⤵
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        135⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        136⤵
        System Location Discovery: System Language Discovery
        
        PID:3660
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        137⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        138⤵
        
        PID:3740
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        139⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        140⤵
        
        PID:2180
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        141⤵
        
        PID:3672
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        141⤵
        
        PID:4328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        142⤵
        
        PID:4876
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        143⤵
        
        PID:3892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        144⤵
        
        PID:2024
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        145⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        146⤵
        
        PID:2316
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        147⤵
        
        PID:908
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        147⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        148⤵
        System Location Discovery: System Language Discovery
        
        PID:444
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        149⤵
        
        PID:3620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        150⤵
        
        PID:912
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        151⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        152⤵
        System Location Discovery: System Language Discovery
        
        PID:4008
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        153⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        154⤵
        System Location Discovery: System Language Discovery
        
        PID:4648
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        155⤵
        System Location Discovery: System Language Discovery
        
        PID:2124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        156⤵
        
        PID:4324
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        157⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        158⤵
        
        PID:2692
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        159⤵
        
        PID:4160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        160⤵
        
        PID:3008
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        161⤵
        
        PID:780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        162⤵
        
        PID:4444
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        163⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        164⤵
        
        PID:1484
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        165⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        166⤵
        
        PID:796
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        167⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        168⤵
        System Location Discovery: System Language Discovery
        
        PID:636
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        169⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        170⤵
        
        PID:876
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        171⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        172⤵
        
        PID:4840
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        173⤵
        
        PID:4008
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        173⤵
        System Location Discovery: System Language Discovery
        
        PID:2404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        174⤵
        
        PID:552
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        175⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        176⤵
        
        PID:3500
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        177⤵
        
        PID:5116
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        177⤵
        System Location Discovery: System Language Discovery
        
        PID:4064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        178⤵
        
        PID:4204
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        179⤵
        
        PID:3684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        180⤵
        
        PID:3396
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        181⤵
        
        PID:912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        182⤵
        
        PID:2936
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        183⤵
        
        PID:2124
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        183⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        184⤵
        
        PID:3088
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        185⤵
        
        PID:1736
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        185⤵
        
        PID:4664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        186⤵
        
        PID:1032
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        187⤵
        
        PID:4764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        188⤵
        
        PID:4516
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        189⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:5008
        
        C:\Users\Admin\mqMgcAEg\lIowYkQg.exe
        
        "C:\Users\Admin\mqMgcAEg\lIowYkQg.exe"
        190⤵
        
        PID:4204
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4204 -s 224
        191⤵
        Program crash
        
        PID:3444
        
        C:\ProgramData\ViUYUEwU\YicMUgIM.exe
        
        "C:\ProgramData\ViUYUEwU\YicMUgIM.exe"
        190⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1436 -s 224
        191⤵
        Program crash
        
        PID:3352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        190⤵
        
        PID:3740
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        191⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        192⤵
        
        PID:1240
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        193⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        194⤵
        System Location Discovery: System Language Discovery
        
        PID:4784
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        195⤵
        
        PID:3468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        196⤵
        
        PID:1256
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        197⤵
        
        PID:4764
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        197⤵
        
        PID:1032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        198⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        198⤵
        Modifies registry key
        
        PID:4820
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        199⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        198⤵
        UAC bypass
        
        PID:3452
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        199⤵
        
        PID:468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        196⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        196⤵
        
        PID:2872
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        197⤵
        
        PID:4160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        196⤵
        UAC bypass
        
        PID:4856
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        197⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BeMkUwAg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        196⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        197⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        194⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        194⤵
        
        PID:3400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        194⤵
        System Location Discovery: System Language Discovery
        
        PID:3928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bmoUEoco.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        194⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        195⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        192⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        192⤵
        
        PID:728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        192⤵
        
        PID:692
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        193⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XgIoIAIY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        192⤵
        
        PID:1668
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        193⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        193⤵
        
        PID:552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        190⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        190⤵
        
        PID:2776
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        191⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        190⤵
        Modifies registry key
        
        PID:4296
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        191⤵
        
        PID:848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xsMMAwsU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        190⤵
        
        PID:908
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        191⤵
        
        PID:4104
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        191⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        188⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2792
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        189⤵
        
        PID:636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        188⤵
        System Location Discovery: System Language Discovery
        
        PID:2396
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        189⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        188⤵
        UAC bypass
        
        PID:2692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ugcEMgkM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        188⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        189⤵
        
        PID:780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        186⤵
        
        PID:2348
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        187⤵
        
        PID:3496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        186⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        186⤵
        Modifies registry key
        
        PID:796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qcsAIYss.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        186⤵
        
        PID:4156
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        187⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        187⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        184⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:2920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        184⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        184⤵
        UAC bypass
        
        PID:1484
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        185⤵
        
        PID:4324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SaIgcMso.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        184⤵
        
        PID:3104
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        185⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        185⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        182⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        182⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        182⤵
        UAC bypass
        
        PID:5044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XYcAEcIs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        182⤵
        
        PID:3924
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        183⤵
        
        PID:3176
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        183⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        180⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        180⤵
        Modifies registry key
        
        PID:3000
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        181⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        180⤵
        UAC bypass
        
        PID:4564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DuMAgIYI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        180⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        181⤵
        
        PID:908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        178⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        178⤵
        
        PID:4712
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        179⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        178⤵
        UAC bypass
        
        PID:2692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PUMsIUUY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        178⤵
        
        PID:4588
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        179⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        179⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        176⤵
        System Location Discovery: System Language Discovery
        
        PID:2256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        176⤵
        
        PID:4156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        176⤵
        UAC bypass
        
        PID:2028
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        177⤵
        
        PID:3496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LsMAMcwU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        176⤵
        
        PID:3728
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        177⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        174⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1736
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        175⤵
        
        PID:3412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        174⤵
        Modifies registry key
        
        PID:4776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        174⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aeMgwYAI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        174⤵
        
        PID:2084
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        175⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        175⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        172⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        172⤵
        
        PID:1640
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        173⤵
        
        PID:3248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        172⤵
        UAC bypass
        
        PID:1544
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        173⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gscAsskE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        172⤵
        System Location Discovery: System Language Discovery
        
        PID:4720
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        173⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        170⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        170⤵
        
        PID:4028
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        171⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        170⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MqcEUgoU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        170⤵
        
        PID:992
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        171⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        171⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        168⤵
        
        PID:2456
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        169⤵
        
        PID:4952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        168⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        168⤵
        UAC bypass
        
        PID:1412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LwMAoIEc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        168⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        169⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        166⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        166⤵
        
        PID:2028
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        167⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        166⤵
        UAC bypass
        
        PID:5116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\roIMwoEo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        166⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        167⤵
        
        PID:3216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        164⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        164⤵
        
        PID:2856
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        165⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        164⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VmcUswgc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        164⤵
        
        PID:2184
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        165⤵
        
        PID:4676
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        165⤵
        
        PID:3892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        162⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        162⤵
        System Location Discovery: System Language Discovery
        
        PID:1816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        162⤵
        UAC bypass
        
        PID:3956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HywUYcEo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        162⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        163⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        160⤵
        
        PID:1088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        160⤵
        Modifies registry key
        
        PID:2024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        160⤵
        Modifies registry key
        
        PID:876
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        161⤵
        
        PID:3380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YIwMccAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        160⤵
        System Location Discovery: System Language Discovery
        
        PID:2292
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        161⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        158⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:3020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        158⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        158⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GAEEsoYM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        158⤵
        
        PID:3692
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        159⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        159⤵
        System Location Discovery: System Language Discovery
        
        PID:4712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        156⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        156⤵
        
        PID:3104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        156⤵
        UAC bypass
        
        PID:3176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iWkkYIAY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        156⤵
        
        PID:4764
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        157⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        154⤵
        
        PID:4148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        154⤵
        
        PID:3884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        154⤵
        System Location Discovery: System Language Discovery
        
        PID:616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vSQcQIwY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        154⤵
        
        PID:4792
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        155⤵
        
        PID:536
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        155⤵
        
        PID:468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        152⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        152⤵
        
        PID:1216
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        153⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        152⤵
        UAC bypass
        
        PID:1020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoEAgkgs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        152⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        153⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        150⤵
        
        PID:4360
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        151⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        150⤵
        
        PID:3496
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        151⤵
        
        PID:3684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        150⤵
        
        PID:3728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TyEQYcwk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        150⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        151⤵
        
        PID:960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        148⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        148⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        148⤵
        UAC bypass
        
        PID:2936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vsgAUAgo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        148⤵
        System Location Discovery: System Language Discovery
        
        PID:228
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        149⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        146⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        146⤵
        Modifies registry key
        
        PID:4104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        146⤵
        
        PID:3380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qCMYYgcM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        146⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        147⤵
        
        PID:1376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        144⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4352
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        145⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        144⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        144⤵
        UAC bypass
        Modifies registry key
        
        PID:2560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yYcUAowg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        144⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        145⤵
        
        PID:4152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        142⤵
        System Location Discovery: System Language Discovery
        
        PID:468
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        143⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        142⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        142⤵
        UAC bypass
        
        PID:3956
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        143⤵
        
        PID:3128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GwcAsIgQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        142⤵
        
        PID:780
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        143⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        140⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        140⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        140⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZogsckgQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        140⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        141⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        138⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        138⤵
        
        PID:5116
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        139⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        138⤵
        UAC bypass
        Modifies registry key
        
        PID:1408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fSokscoI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        138⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        139⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        136⤵
        Modifies registry key
        
        PID:2768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        136⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        136⤵
        UAC bypass
        
        PID:4880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IGwwgskg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        136⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        137⤵
        
        PID:3100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        134⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        134⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        134⤵
        UAC bypass
        Modifies registry key
        
        PID:2200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GyMosEkI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        134⤵
        
        PID:3512
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        135⤵
        
        PID:848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        132⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        132⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        132⤵
        UAC bypass
        Modifies registry key
        
        PID:4412
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        133⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wgQwAMgs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        132⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        133⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        
        PID:3412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KiIMMsAE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        130⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        131⤵
        
        PID:3288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        UAC bypass
        
        PID:2224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fEcoQQgA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        128⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        129⤵
        
        PID:1032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        
        PID:4952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        UAC bypass
        
        PID:2312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zoQAAIck.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        126⤵
        
        PID:2520
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        127⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        Modifies registry key
        
        PID:3148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        
        PID:2108
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        125⤵
        
        PID:3216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        UAC bypass
        
        PID:2768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RgMocEcM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        124⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:3256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        
        PID:628
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        123⤵
        
        PID:4124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        
        PID:3500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        UAC bypass
        
        PID:3360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\csgIIYMM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        122⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        
        PID:3496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        
        PID:4784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:4876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EawYMcYI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        120⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        
        PID:1788
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        119⤵
        
        PID:3376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        
        PID:1088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        UAC bypass
        
        PID:4960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KYYYAcQE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        118⤵
        
        PID:3128
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:1204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        
        PID:2948
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        117⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        UAC bypass
        Modifies registry key
        
        PID:4124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TqgAYwAI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        116⤵
        
        PID:3852
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        117⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        
        PID:1264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        UAC bypass
        
        PID:3672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HuYEwoso.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        114⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        
        PID:536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        UAC bypass
        
        PID:3468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VssQgcIc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        112⤵
        
        PID:3728
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        Modifies registry key
        
        PID:228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zugAswkA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        110⤵
        System Location Discovery: System Language Discovery
        
        PID:4440
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:4564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        
        PID:3412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        UAC bypass
        
        PID:4524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eyswgcgE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        108⤵
        
        PID:4572
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        109⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:3468
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        107⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        
        PID:3988
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        107⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        UAC bypass
        
        PID:2776
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        107⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qIEMYUkk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        106⤵
        
        PID:4784
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        Modifies registry key
        
        PID:3692
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        105⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        Modifies registry key
        
        PID:2024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\scwEMUkU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        104⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        System Location Discovery: System Language Discovery
        
        PID:1708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        
        PID:3128
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        103⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        UAC bypass
        Modifies registry key
        
        PID:1736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rAEkkQog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        102⤵
        
        PID:1960
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        103⤵
        
        PID:3400
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        Modifies registry key
        
        PID:3452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bgsgosAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        100⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        UAC bypass
        
        PID:2752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JOEMAcQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        98⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:3876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        Modifies registry key
        
        PID:2636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xKkIgQIc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        96⤵
        
        PID:1148
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        UAC bypass
        
        PID:2456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KqgwcEUU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        94⤵
        
        PID:3512
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        
        PID:4968
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        93⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        UAC bypass
        
        PID:2180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OukEIgMk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        92⤵
        
        PID:4784
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:2200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MmYMEkoE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        90⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        Modifies registry key
        
        PID:3376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        UAC bypass
        
        PID:2028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rKQwcEkQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        88⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        
        PID:956
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        87⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZCIwYQIo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        86⤵
        
        PID:3288
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:4876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        Modifies registry key
        
        PID:4428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        UAC bypass
        
        PID:2096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FgsoQEUY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        84⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        Modifies registry key
        
        PID:3472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        
        PID:3104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FMUYIMwg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        82⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        Modifies registry key
        
        PID:444
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        81⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        UAC bypass
        
        PID:4644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YQwYwokI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        80⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        Modifies registry key
        
        PID:3980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        UAC bypass
        
        PID:4440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uWcUQQgk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        78⤵
        
        PID:3400
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        Modifies registry key
        
        PID:1736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        
        PID:4120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        
        PID:3500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\auMYkcoA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        76⤵
        
        PID:3088
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        Modifies registry key
        
        PID:636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xAkQsoQM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        74⤵
        
        PID:4324
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        UAC bypass
        
        PID:5088
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        73⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fuokosQY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        72⤵
        
        PID:3952
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        UAC bypass
        
        PID:912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DgckcMQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        70⤵
        
        PID:3884
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        System Location Discovery: System Language Discovery
        
        PID:5100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        
        PID:3380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        UAC bypass
        Modifies registry key
        
        PID:3016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XiQQIAwg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        68⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        Modifies registry key
        
        PID:4980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        UAC bypass
        Modifies registry key
        
        PID:2772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WiUQAIws.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        66⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        System Location Discovery: System Language Discovery
        
        PID:2856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        
        PID:3656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        UAC bypass
        
        PID:2184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iyQsIIQw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        64⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        System Location Discovery: System Language Discovery
        
        PID:4760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        System Location Discovery: System Language Discovery
        
        PID:468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        UAC bypass
        
        PID:5112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IMYEAEQY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        62⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        System Location Discovery: System Language Discovery
        
        PID:1324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3188
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        61⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        UAC bypass
        
        PID:4032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WUMsIQAw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        60⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:3420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        
        PID:3380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        UAC bypass
        Modifies registry key
        
        PID:992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fGkQUEks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        58⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        UAC bypass
        Modifies registry key
        
        PID:956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jskcAAUE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        56⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        UAC bypass
        
        PID:2720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LUcEwYcs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        54⤵
        
        PID:3552
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:3104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:4480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GKsIwEsA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        52⤵
        
        PID:3496
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        Modifies registry key
        
        PID:5108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KiEoIswA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        50⤵
        
        PID:1400
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        Modifies registry key
        
        PID:3260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        
        PID:3624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cGQgoooA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        48⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        
        PID:4792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        Modifies registry key
        
        PID:1640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nOQgMwkQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        46⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:3840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        UAC bypass
        
        PID:2032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jksoYgMk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        44⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        
        PID:3472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fUIUQgww.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        42⤵
        
        PID:376
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        Modifies registry key
        
        PID:1148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:4764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        UAC bypass
        
        PID:4040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\suoMYUIk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        40⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        System Location Discovery: System Language Discovery
        
        PID:1372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        UAC bypass
        Modifies registry key
        
        PID:5048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IOgckgcA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        38⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        
        PID:960
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        37⤵
        
        PID:32
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yGIMUMYw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        36⤵
        
        PID:4324
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        UAC bypass
        
        PID:1264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NiIMEYwI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        34⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        System Location Discovery: System Language Discovery
        
        PID:2020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies registry key
        
        PID:3496
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        33⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        UAC bypass
        
        PID:3596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VAoUoEks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        32⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:1948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hkQsMswE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        30⤵
        
        PID:1240
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        UAC bypass
        Modifies registry key
        
        PID:3016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\twUUooMA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        28⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:32
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        Modifies registry key
        
        PID:3740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        UAC bypass
        
        PID:968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KaIcUccQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        26⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        Modifies registry key
        
        PID:4352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        UAC bypass
        
        PID:2204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SokQUggc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        24⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UWYYkooI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        22⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:3460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        
        PID:1148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HIsEUgUI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        20⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        UAC bypass
        
        PID:1120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VuQQsYAE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        18⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:1372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        
        PID:4160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:2636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmgsEwks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        16⤵
        
        PID:1088
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:1604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:3424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        
        PID:3148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WgwAQgcA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        14⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:4960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:4400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        
        PID:3460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EUQIYEMI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2292
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:3668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        
        PID:4104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qusUwoUM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2692
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:4552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        Modifies registry key
        
        PID:5072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FGkkcoQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        8⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:1436
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4444
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        Modifies registry key
        
        PID:2224
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        
        PID:4324
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PaQoQAgA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1948
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:4692
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      System Location Discovery: System Language Discovery
      PID:2972
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:4000
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:2032
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tQgAIAQA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1172
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1528
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:5052
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5044
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:3184
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QaIMgQUE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2860
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:5108

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:3452

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:3008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1436 -ip 1436
1⤵
PID:4572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4204 -ip 4204
1⤵
PID:4444

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv 4+s7YuJgikCt26Iw/ZKvlw.0.2
1⤵
PID:2920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\BewgUkIQ\eEEAkwoM.exe

Filesize
110KB

MD5
ac3d2304eba329293ce4ae43783aa7ef

SHA1
16ff902653c423e8a20a0b9e14d2ff03d4bed650

SHA256
c863501b0a645a24d951e5e5e040883820d0d1cd43247a3b5777679a71cbcd3e

SHA512
2f4db2571ba77fcfc26f4c6bd4038b936a5b9ce59a3216c0a338fc7cf27513330d2211d9e0f27573ee77c108ec92d573c1fb70e68b3ce30755a8c5396b19e1a1

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.exe

Filesize
237KB

MD5
c1e3f805ea172589a931c96a15436ffa

SHA1
6d9f9a83ac95500677f9b7cdfa12be9f2f2ebf48

SHA256
da8c72cfe0e26908f795153bb53b8e0da5f75ffb98a95e4cd1d5292130fd51ca

SHA512
22506c62aa3b73bf48177dbe30c415b9a4757f14d95955ccb3c72b3eb5aaf3be5e930f19fc8f2d746077d67be558a3391b15d8bd2065408ff86d56ce3fa9c653

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.exe

Filesize
155KB

MD5
b66ff6e840fa86ff41eedb374e359b6a

SHA1
a37a921a2fb1bc982c09ce19d786141bc889d8df

SHA256
2b79ec58087b21b47f318d524a6b94a9f87e7a10f506de864c5b8ed3864bdff7

SHA512
004ed1b97101d8f6a3c603e8e19a671676fab827115a66700e10e4cfcae5d21e19b5e1b879189aaca3a616ad4bb1f83363013a7f39faac6dae8ccebcfe7cc60b

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe

Filesize
239KB

MD5
024fad722399adc9a7dcd2b664d9bd61

SHA1
f30cf8cbdcaf25303e98003587a17c8634d9d122

SHA256
3ab038ec746e421f4e09eaddf8db47c194b8426ad3f6a7fc597b06c4170e1fe3

SHA512
0c216a9c29e3d7213e2baee6165747296a64e8917ec2a378329e0a302d2f22add44bbf2ba1c652635a026de89c04f4465b08e12b7c3e7a3ff5a5c3204aa73072

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\user.bmp.exe

Filesize
700KB

MD5
a743f9122745b8fdf85556100c5720b4

SHA1
681755cdc9bd919e19e363d4d00395231029d91a

SHA256
ab2f16f482623aa3a21c47884d6ae1f4566bd9888661a1af87dd94a541259fcf

SHA512
953b938d9fead74ffa265b42f7715dd6cc752431f97945468f58eb15db9255edb2db23e79b81f90fdac39361781d10ad2c14defc38a985da70ac5d7ba1e4228b

Download Submit
C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\vcredist_x64.exe

Filesize
567KB

MD5
27cdb6cf781d723b6fe0f358efed94f0

SHA1
a027dcc1d60866427c0fe0786602e507e80aabf5

SHA256
817b97a0abcf2f2d7e0c5e8a76805ffb660745da668f08dc2aeaab63998ace84

SHA512
41469d599a518605d99fc4b44a69e1e34840aa33e0567702841ba7ca4e5be47d09b5032a0f541a05b720a5ab6c5c9fd5e6a68fa4881b723fcacc992a0ce63070

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AutoPlayOptIn.png.exe

Filesize
120KB

MD5
040c3b7e2b3aa2831ef8a2825f68d371

SHA1
640036e7e08635c4f1a64e15ee8a0e72cf4a18f9

SHA256
de625cab8334fd972ea9e40f520c25a9dcd7449227f4f33d119362f11626a931

SHA512
a98b9601ca9a68014984de02bb863f278d268856ae9233acd2d8723fec0c8594e3f62babf8e5630da9f6c505d7b89404197f929bdb031a9252564b2f4309da15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMScanExclusionToast.png.exe

Filesize
120KB

MD5
7c88d6787260a5a7d592c6a0f915e33a

SHA1
1ee923861e1a215547fcf81214940bd1a56bc6c9

SHA256
54043f05392b20bb7da3c88a5a5db15450e8d26c998ff7315f6cedb386a26482

SHA512
8c43df172bcbd6ff18aff06f8f7e4811bc2d12dfa69c54674cacd7e9e2beba1ad5e066d7e3f68a9177c05b2bc26c8e256134cf8531b33a73c5fd3ab24f466248

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaNearing.png.exe

Filesize
118KB

MD5
8c1bcc553e553e79a085c2a832c419c5

SHA1
1eb4da59840c9b4d78d286e31bca5793a7e48a49

SHA256
30cc83e410fa8c3a1e73e5e5533ef82e760672fcf05aeaab264be4bfbbb56cc7

SHA512
0593bebed818722300f9480de332320546ca7532780b3a215dbd3f6a397752a8ebadbacbe1ff8f9630baaf30dcdf3611ae013e4428a7ca6c4d75584421251fc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock

Filesize
772KB

MD5
d25529e9080d702963a5a244ecd0f316

SHA1
f01716bfbe0018688834ea7015d2453f058efb2d

SHA256
ac61d8db9f5dd07d2719b46a1cbd859e65b55f4c64a7a3a433f005353daf1381

SHA512
641c2b15b12688db80074d06a59d871b59aa2d6b8ae5b9924258b68abc5ddc3aa2ba4f7db1447cadf051a2957fc082d3ca0484feb219896ea33a4c3391cab1e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\AEsM.exe

Filesize
114KB

MD5
4bfa820587eab4c547c8aa18cf740821

SHA1
57945f28f55238237ccf43d1ce5d769051699abb

SHA256
eba1519aadf71e5a099a487d700e8d2bae2f7f02cc1e75f28b2d3b3595b95dcd

SHA512
9c7511e994605d1df800dc4b926d71210693a2c55a86aac030546ee70e5c35222a75ccc4d487a87c2a1d0b019f360401a12ead2735733961771693a49b20c272

Download Submit
C:\Users\Admin\AppData\Local\Temp\AQAA.exe

Filesize
113KB

MD5
7ee15a92dc6d90defb3a4d778e980ab9

SHA1
d4d27e9be3689bb6e78e825a14dcb32bf381f614

SHA256
8a3550e0fd3a14f24c4cea6bad192c89732ac074a85b73656ae2d39607305006

SHA512
b36bee0f019c2d4ea469cd572b7c848e292e0fefd235798938bef1adfae99b1b6ac33a6cdb039516da394db26de2333576c1b6dd2db7a7ced8c74aa82cd1289e

Download Submit
C:\Users\Admin\AppData\Local\Temp\AgAI.exe

Filesize
116KB

MD5
cefc25a574daa4ad703722460a0a2b4d

SHA1
d821fd2770e6fcd7020a85e4c2654e2d29974aad

SHA256
4bfbdc2a57fd858c787a5d0d515c9681c16dce6e1733b8593f0e19534ff1c91d

SHA512
f94cfc9402b3942c0fe6a21417f554417fda2e51dd9f265a2b6bf29fec0d2f873d11c417709f235d6d9c5f053ab9ddd18b37c8d4cb7ee14f858b7eff8fb05820

Download Submit
C:\Users\Admin\AppData\Local\Temp\AgAe.exe

Filesize
110KB

MD5
b475a11574cd0ea69180835b19d2ae2e

SHA1
e15ea56a327971efe53caa264af666c2e24f2397

SHA256
9d82a1175039b11440e1741400d89ab34193dd6b56e0cf2b9aa43c95b6c06c70

SHA512
7ee4f03ba50ec51471455873406fcb805f085d228c0d4b451e9d6f843d2de1bd78bf3522e4465c9af5da46d1831561a7f6f31d6e34ca39750ed4c723630712b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\AgsM.exe

Filesize
121KB

MD5
be5c6023d3dd9351875b19cf27ca8cfb

SHA1
1350478a3787cf8ea348e0dfd4112fa2254fb7ca

SHA256
d39e595aaadd7d2d02a35b5fe36f261db364864e61fd148f3c7f80deccec801a

SHA512
e0805df7fc385a9d65540bed484be50d0f4978cf10f1445d5e0baf05f76e90d39c2e72704c06f740c9f2bcc06bf472a5fe97cf89698fae26fccb7e1c1a0a9647

Download Submit
C:\Users\Admin\AppData\Local\Temp\AwMi.exe

Filesize
149KB

MD5
6cdd9cffb6ca3be3c88a5895fb1a8828

SHA1
b9b6140e1a4513d9561989875f97a77382097fc6

SHA256
05a11bf6d4f7aefc2ed89cf91d11ff0afb2c2dd708d7f246e0d8bed9fb6866f9

SHA512
92c32810a4a028c1f1fb292224851c5cddac4f24f7f9270752dd64218451f0b49443b6362f521bfc8d12ae25af6088ba9d0c567c17abf0b29c9e16f67f981c72

Download Submit
C:\Users\Admin\AppData\Local\Temp\AwUQ.exe

Filesize
110KB

MD5
27a73b0b98b77c3719bb52a06dc73b1b

SHA1
a04f4f684be7558e1f2c374b61a054b81d92fb27

SHA256
d7a1ab6703a26da2a5a4aadc9a911abe1ea95060e554a296986c7818eab13727

SHA512
8e20a15805407e2eefc71d798c5d8e67f356318fc7b59dded1a205dcdb077a01801f21666b05a095acdb5dd61669d621f687984848d79d791c43e216985ff4d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\CEkw.exe

Filesize
236KB

MD5
8974b9ce757acae51f74f30c4c09fc3c

SHA1
7cb1388908e0a5a4781abaa589abd2aa8bafac33

SHA256
11871cd46e865d2b77632769a6b0c081e390b5fb1250e1a23dfa95cd26b64e33

SHA512
47e729bb70030cf81a87c1cd036ee0e3504c58be97305597ead46d4282f7df6cc51368b7cbe158212a4b8baa99ea60b06404767a636dca509cb68ea8644b561d

Download Submit
C:\Users\Admin\AppData\Local\Temp\CUMA.exe

Filesize
138KB

MD5
108391ad4e5d098cbb24e37cad12481d

SHA1
ac10db7dba09aa90d27f19603e69d18b0509917d

SHA256
ee30da863b67a166bde9754aa8f1ae0589559c9a46d2eaa3faa11580e0eceb1d

SHA512
10c3a9623417777b8082d7981e7ef7dbf9a13e43a79de3f4409363d65c05ffcaee9522bf651ae7d6c35ea58dbd6bcfe97ead01fac4cdcb8e4ea7b5b132336b9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\CgEU.exe

Filesize
117KB

MD5
c179eee221a47d5f2315ef622ffe1999

SHA1
9d482c0fcfda86c4bbad07e64eca3b79b946ef7d

SHA256
ffa09cff8172b4c73b4ac941d88eae8ae3a4e2ca8dad36dbdf7460ecd8bc7464

SHA512
398428a3454057caefd2bff7608cb80596dc0c91331b4f8257eb1e3d31765e3abf2226c06f2302fd2ca9f50d86c27c93fe6bdc2c33c8bc95e646c35b300cc597

Download Submit
C:\Users\Admin\AppData\Local\Temp\CgoY.exe

Filesize
357KB

MD5
21e9a5af94975dc977d28a09827358ce

SHA1
f0371ba18fc07ee8c387339b38e214a19d2fd1b7

SHA256
4d62d1afce4179129ec35237a257be2ad9597ef31806fc056a336b8331191758

SHA512
78f8e4b155e0a11f7add40ffb24e68bbe6bf46d1d03a5372d00ee7cf6c91ed126c2daa2fbd8305e40a4e0b21cb18733adc29b27c8abff17f7af250f045d6b50c

Download Submit
C:\Users\Admin\AppData\Local\Temp\EIQI.exe

Filesize
113KB

MD5
fb481d124e09d76a89d07cd5d41538d6

SHA1
1ec8f4f82b3601cf364de56c231da48b97b44822

SHA256
f030cd185b3bcb015152633262c1d773a48d7d379b7758a964cafd02db11c2bf

SHA512
2cd65acd2c5f72ea4e0dd64ecf895f1489a660a7c3e007a902d42dd16b7e59dce45f5ceeb700c72b0efb4344fa749b551d192d10418342c5294e586bcbb1d2f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\EoYO.exe

Filesize
117KB

MD5
6862422205183bd9dcdac5011b2649dd

SHA1
46c91a17afdfc2310f02499a6caad77e41c412bb

SHA256
7683ff9856e4e736935cb965d7130243643acf6bce876ab608e77aacdff098d2

SHA512
fd20af964097fbe6dfeb44c24e5b55899924a602a9914f0aa2f9de6843b3d87b96fbf9285d197dd4b6fd4ad56362690eb86ea1c102bcb4cf7689233220f5cd42

Download Submit
C:\Users\Admin\AppData\Local\Temp\GIYq.exe

Filesize
719KB

MD5
1d27ad7e9a360c11bb0ac80026a73549

SHA1
8c5025b080f492a836c1ca65747456ab3f76512f

SHA256
9b1f8c62f1cab2ad84a27651c7b4f810d517cd357c2e7e0e87edc2ee06063378

SHA512
b27d75111dc708b109a1903e602b907b322bbdddb79db14ce189cf537d561bf23bcffd90d27bba5248018a4a3a51e1ac04e3a66f1aaf051c90ccf82f9b425a6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\GIos.exe

Filesize
114KB

MD5
2bdb38538f7fcfd8a682f35bf8b96e2c

SHA1
b688a2256cf187352f1af7b0e94d78287a9f0fe6

SHA256
2097ea45a88eb6723c0617f11383eda885f6cef52c83321c203616d2055a2f83

SHA512
2f369e2edd2b0a6115c9d63c5fcdfdbebf6d635b8d545b8310638c3789db47c2a51036da8023c3bd29c277d39b14de2229a295342d21b6af31cc8368d021cdc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\GMUA.exe

Filesize
111KB

MD5
fc3e88d2cba9e1a45cdb4b92436d7ab1

SHA1
40690b7dff5bd403ba1b2cf380077e934431b513

SHA256
ca270efa8772dde88abdd749ad19bff9d8f667fff7482a8b9022821fd0646577

SHA512
4be1ebfed6ffc61bde1a9917f80ce1af0d2b0467bc51fd8c169d42dd2428fce9addab8187eb13d23a22b5e86c5a9334876091aacf513a844685d67cccd5180f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\GMkE.exe

Filesize
120KB

MD5
14e0acace73dea08683ab573d88658ba

SHA1
4773e1b7f8fddccd193808d110aa86053a409aff

SHA256
5dfa2c38b77c3d13df4d00d7b41b39388961fffdd297e30228dd2e84957c1a8a

SHA512
a7449ef59ff9318ab16c75a7c502abd1ffac066894e0349377a509e1e56894f96ffaea41147874d3c3d945a13c07ad6779dd77c2cacc024665b7506c5dc8e1bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IAok.exe

Filesize
113KB

MD5
6f6519c43a7519f24224f1c7f7d3a6d0

SHA1
0a7d82fcb6ecfb488e3523bab10857e7c81bba9d

SHA256
b6c5c4560bccb521e47f1e73cd216e1528bbc7b31922c9bdf92534519a660d52

SHA512
6c2f8d268259db587dd7edd517645d9d491edbac7f75c780bc5dd0d619248d5a6bebccdb9d76a461cde47a361d8d6d60e726d97e2b8953cab4b1381b04ffd61a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IoUO.exe

Filesize
113KB

MD5
8de918409cc73956df9707473f88119a

SHA1
3447b7e1351f7cd85190e9fa95bd8d73a464f70c

SHA256
1e6effb73217ebceb6126d48b25503e815e824a8125938d40f7ee7bf8f7b4012

SHA512
182fbdf406c92cb364f8fa5702b673f84b9af0491aac7e5eca4f62df2799e90c349af634918669d0f93ee3a2ad1c2f4d1b4a7c7113601cd564dcfd6b9c38bc6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IosA.exe

Filesize
567KB

MD5
3fbc1c62ee499f599e87bfcc54e34698

SHA1
39062dfe9253b7354d77a8d8a1b6f7607b3aa856

SHA256
cddc83a8383cb023cb0574676c6739c2ec0e99cfc5d7ba2356ebd72d75f12221

SHA512
00ebb5d73f325b72564ff5667bafdc765437e317f93b0b95c0c0026e034c11479df4da53fbdb36ef3e1f2f9258dd5d277f371c51c4abd247fe5d681714bd2058

Download Submit
C:\Users\Admin\AppData\Local\Temp\KEMO.exe

Filesize
486KB

MD5
5acc113312feaf88aec017c79501586f

SHA1
67e0b022a61ee2b1350c40089a1feb5684fbf8bd

SHA256
0d2d96db14c614665db0950b7662dc8c6fc721ac9ee28f59920813d857a06edc

SHA512
34a563e942c904b2b735c5cf8da30b292a4c272e3edbc36437cfd6d503997f41369c55fd0224e8b1d105d0686196fb7789206052c17a432e33f56116cbf29878

Download Submit
C:\Users\Admin\AppData\Local\Temp\KEgC.exe

Filesize
112KB

MD5
bd76f23c3f051ea95fbe755299142bc4

SHA1
f391f53c3b6b124871f59e341236af2d6f509d75

SHA256
816beb1fc3f9c522a34c2e59e34aafed09475f3df5363592cc6eeef09d188ff9

SHA512
d9593e326d39e65dc45d81ba7c3bebc4fc9e990103f59f794b283e21dea5b8ed0ef5cc9d73b91b7ded7667696caa80d3e5cfe4d90c19d40519d033409ef94e55

Download Submit
C:\Users\Admin\AppData\Local\Temp\KEoA.exe

Filesize
110KB

MD5
0236850fe0dd8544a6285c471e308b9d

SHA1
31f7eed09f797ea6b9ab8f525a174c45960eaa28

SHA256
c8275443e8ea2e128d8be3115ca108c427fb5fc6ac14fac281c9b6025bc99a68

SHA512
00acde324b455bb87293f195405c411867facc547d4f60e73513d10fff04dac12140ba14d4bcb87e5041cc223e5356c23fa2404865e89ef2dae6a9b4edad63d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\KYIA.exe

Filesize
110KB

MD5
442f0a75384df21696b97bc1fcadd8ac

SHA1
43614b66a4431c764707efb02a9a9edfc6dba36e

SHA256
5ae51cc3a20d89f3497dcea353fc6977aa53e31e4838319606a4e4991c6e84f5

SHA512
e2c367d24ea058a8b4331b00645112d5f4d3efdedb40e5c363deeca4f9ca76ea7f55f675f9a273bdc03ad2730876ec9146d2fd0a1b6decf3dad2e66f7e97b0aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\KgQu.exe

Filesize
110KB

MD5
fa8db8ffb4a191ee34b997d348e9b292

SHA1
ef4346dc5f02d068ae9961d84ee193f0352782a2

SHA256
546e6aac8126906e6a7537b9d78358b100276d1645931b39760d31c9e5af4fb8

SHA512
d79c15202c3039724619b92b9a9120ebcae8799375311f60d2f28818e556b7899230d731dae98b2ba012456b0736756ff898cfdd469ee2e44b45a89485994183

Download Submit
C:\Users\Admin\AppData\Local\Temp\KsgY.exe

Filesize
346KB

MD5
ce06563d1b3dede5946879fc6786d5ff

SHA1
dfb4b91a3b12020f07b90d17b8a5da8010d6730d

SHA256
8310325affd426708bdc45913baa7356d6d8379be61d839f7ee996277d49db7a

SHA512
fed64884285c9031b216f6d5e20a01ba9784d5d3e9e1cc3816cddfc91c69c1d1ff250b6c7188b80af58356f488a0842af4bd6b1d8890b57d61e9335144b92924

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ksoi.exe

Filesize
698KB

MD5
9f3092b5fa251c940d06cf73d3f8b346

SHA1
5d4294fb4f1f2e2290df4c27291e0a99315469d3

SHA256
cd2f9e988c1d1fa9375043196a301eab67408f84ff7de54096b7bb7a2900e0af

SHA512
d3de757830ea55c6e706e915a60763fca76b95e6765352d6edfabd9deca0d62263514c31fc0ec78c2abb0afbb5f0087b1629747b604bc09125f1b7c70fa53363

Download Submit
C:\Users\Admin\AppData\Local\Temp\MAEe.exe

Filesize
112KB

MD5
572fc26c2c01944e8ca2464b270ba6b3

SHA1
3d97c054b006eecc8cf9e4b019c57cff7595d521

SHA256
ea09e9a9aa3d47f8326c3eebf22b6f2c5721e1b9b22dcb12ec2420c20028da22

SHA512
1ad1464427c448c8e8ace92e45e4049c5948c70e9fdfe65a258760a54441e91bd7673fd286bd5e38ed7605edd813c6dcb6743bd329a896fc48debf50a190f0be

Download Submit
C:\Users\Admin\AppData\Local\Temp\MIEe.exe

Filesize
138KB

MD5
d36dad06b2aa34e83644db0a368369de

SHA1
669ab7a20d9d35c5f4cad07cc6518cec55bc32dd

SHA256
a011968a2345de4879c5147ec67e019a83b9381682d0ae3c6f8bfda49143803e

SHA512
5f6729adb767433a737324be914ae80f96eac14fc65d0a6cf32d8c51c197af07249543ff21dcc30d46cf327dac66c33fe4cdc2a75b03115e57d43a9b30bafca3

Download Submit
C:\Users\Admin\AppData\Local\Temp\MIoM.exe

Filesize
111KB

MD5
5bd635022a54c1d679ca22d4edb75e1e

SHA1
bb7607c177abc25f8c7041f7f30e5d3bfc26caaa

SHA256
85b497676070260948878053198478032a427ddca9766c92c8f9f8577b96914f

SHA512
2881b4e50e97ae5048ad5c247acb820270e0c7f0bfadd09c67b47a2dc2f4862f779784ee81c2788925a8395c616e6e4dfccd41d4e1e6120a2db6114fbc2be92e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MYIq.exe

Filesize
119KB

MD5
2a239d5cd011364019385dd7265fb8f9

SHA1
8b4b34b0a53089ee193cc40f9d121247e3b3b5b9

SHA256
cb52135951f52f4d100ba763450bf181a851a83ab0783d2505e50e602ea645cb

SHA512
1bc666be33aeb1b1f0969703de5f053c1a0dd5ba647945eefdb250de2f8d533137cb195c73fc3aa090f22665fe04bc713979b1d4ad2e17c704bbbf6ecaf65cb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\MsEo.exe

Filesize
555KB

MD5
30024d6ef8c7eea0ab4d42aae98cb7f7

SHA1
cf8e35c009b6aa05f4e4c5631c2dfb3e500a93b0

SHA256
7ce9a7c2673ed8efaa381c0d3785d3db2b3602c842f79f9aa76ffd16a7b5a9d9

SHA512
8ef87bc72fcdd66b2f893a0eb68ecf9a3bfaef6634df38ce1b634c17946a6fb013521f6e879647158795ee9bb8a939a92ca4d1a98f44fde1d761a975af248902

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mssa.exe

Filesize
117KB

MD5
a85b5dfcf101d92c327d882e9ebea521

SHA1
b302a83062248d7b6c68eab5e0dcc1d7085807ec

SHA256
b811b305053ee3d09ffda18f4b1d6181fb141dddc42771ec53fd4c9bfa80fef6

SHA512
df84a478b207cd62346f286f35c65a662f9dbb55738f8ec85789503eeba172696e3551a288c4a05a9d9c9c795853c92883229500a3a04aea7c383cc9f70cb355

Download Submit
C:\Users\Admin\AppData\Local\Temp\MwoQ.exe

Filesize
110KB

MD5
c8ade110dd36ea460369d86f312b590f

SHA1
ed87afad7053491cce7990ef8927a5bc4a5da1d4

SHA256
d35912dfabd5d92fb8c3bee47e183b5353df938e093e7da788a5c08510f68d94

SHA512
8f2365c0c27d7d108b84533925b875d7f629f95517164b1edad0aa9a135cfe4dee047af4fe7bb5d12af7d343f2a8d14537508ac9aa11acf950cb7621b19f5e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\OEoW.exe

Filesize
111KB

MD5
387a6d6d35b61be67de45c893786f568

SHA1
adac95beb0c2751f5d971847276c84fd251fc6bd

SHA256
26b31e068648e17a0899b868b5e8a7d491b9a2cf1b6724a150037e1bb84a6198

SHA512
94d29d474136262874e7e57d9022668fe7d9c8daa3f865e5a5754841dab57be630677892c5acf1eccaa39f1472b6baf3a5d51d036010e6c72d303647d4688cdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\OQIM.exe

Filesize
124KB

MD5
bb6d12447fb4f46d1b471c3bfb6e4c66

SHA1
dda91f42064b69cedc4f4bdc76ca1b2f71f48177

SHA256
199ab08245861d599d905aece3943360aaa14621d9c993309dedf8e61244c8bd

SHA512
46e0e39a00d4993e19ff37e927554abce0ddebc4af2d1e56614260c75eb1787c34198e155a108e01d5606c216134c58d05a4ff9f5b385cecbf012643372103ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\OQMK.exe

Filesize
112KB

MD5
74b23a5d1073e6c5aac322062c4b1338

SHA1
f4024c087bbb95956edf2bec54124dc1a669416c

SHA256
b86b1f0daabf4fb93cbbea9854278af90cc63e5f6c294a11fb270c1864e4d33a

SHA512
bfa4e8dda605981f77feda456ffe427d100ac04d37c0f4512d9b9dd5a86aac5e215331b0cde103f2c738bb1c2c3159d0eb2f0b4dc4e73ee81ec4c6be94d7c318

Download Submit
C:\Users\Admin\AppData\Local\Temp\OgII.exe

Filesize
5.8MB

MD5
1f05e5be2027b99f5f32cacc58b7a133

SHA1
4f5aefb7568b97dc8b93029ec81417084fb2d17f

SHA256
8912b8580d460f2fd1b79f47b1cc6a7885e6ca7b09dcd6722f02f0bba8eb1975

SHA512
0109f1c4d497a2a7e3d2540c2bc417ba65cbef02c860a3a9693ef9ee5927d6dd44b5fdb7e9dc6c48aab72524ecfbe39972cfc0aae66dcb2cfca2bc4a0502aa11

Download Submit
C:\Users\Admin\AppData\Local\Temp\OgQk.exe

Filesize
149KB

MD5
c57da7dce6ac5d00e30eaf62afb4e297

SHA1
2ea62eb06979806f9df34628bf98052a74dfd8e8

SHA256
0c10b3d57b090275d69fb01ac208b0f19e9cea3d14987a6cd708843c622991f6

SHA512
61085bd8605a7fd1bd7be6929e2a2550c8d10dfd5b51aac59469eee606c1ba4d3111ad4003394885f34bbc62a0cf8661e9e8d098706a1d10a5d502cf9ff3c8f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\OwAY.exe

Filesize
111KB

MD5
643b6283f5472632cfc022a051a85eb5

SHA1
03e1241134d5b9d34c46cb9c3b619361d2228e4f

SHA256
d0dec227b27273b9f87e72019d87a3a2221caf5b26caba0b183d655137f8f858

SHA512
aa2b1bd210adc105db8a2ddc8732f5ce4ea26ed07ab9d6d8f5fc22953d06589ef63abfcb97c3cecf558ce08a367c7c32e746cb66925c2151ffaf5a2568704b7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Owco.ico

Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\QEMe.exe

Filesize
110KB

MD5
a38e98bed320cd7a0ad229c60893ec9e

SHA1
c99454baecd6a35a623e937af271593006dc4d82

SHA256
77de9cfaf73bfaea688182ed1fe65816f8cb60541e83bb57d9dd70872770ee85

SHA512
a3932a62215e9969941b6ed6c08e5c8887fb17ed13ed58fa2cbf3fd684e6a067805571489f3c8542ce8a5dca61eb32a768dadf660e5d2a4d3ddb32fb04bf0f14

Download Submit
C:\Users\Admin\AppData\Local\Temp\QaIMgQUE.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\QwAM.exe

Filesize
109KB

MD5
56266376806efedb1a68d4d970fa086a

SHA1
fbd83588515443194937cdd64ebfc18125cdbf5e

SHA256
ad8d2442a136dabb1a4d94b6ed9e267ac077845ce510f6314772194212f310c2

SHA512
ae8baf747efa097cb1670a395bc3ba27077478ea399d00dd3ece00176d1b572a429a824a1155cccbd3c3d0bc9b7af9b8e1c251730ed124c20e4c6a342da84ae3

Download Submit
C:\Users\Admin\AppData\Local\Temp\QwUG.exe

Filesize
111KB

MD5
0bfe83e5a5bb645335674e794493ab29

SHA1
f1557ad8707019229dbdbc8d45d953081799c077

SHA256
84be31f793e5ebe2b70f8100740d6b5d7e34762447b5aab2fb87161ec8dc8599

SHA512
0cf61e33393d19846e9ac8e045aae9e04fc80bba7848c6d643fad19afc2b3d4382ecc2947dec5ebede301fe5402de2ce413a48422b45a8121862dc1de888be2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\SEcQ.exe

Filesize
563KB

MD5
25cf1126713f34e0a595ee7700bf87d6

SHA1
481e89f1273dda183b6f9ebe5ba56a0a071926a9

SHA256
656d2df8b612cb99eb5480fdad02a59fd5425c28a0739cc47b86b1b44a5f6cb6

SHA512
1ce5baeea9188f0c1d8b4c35ad81c8e5e399bd51a35186245060fddf7b3b56020c64baf97beb240e7c7255a0678ebc533349492162cf846b73f6a724b29ba208

Download Submit
C:\Users\Admin\AppData\Local\Temp\SIgK.exe

Filesize
111KB

MD5
801b06d381e8553aab0cb3cd2421f7cb

SHA1
edaae835b80b9dbf22f4be5f2f4d7e178361e40f

SHA256
3149cc829f6e7752fcd584b70b43498831719ce3da1108cedf3df090504078d2

SHA512
ee7cb61a8a08481b6576aa565cd6de3af6d8da2a791f20ff7f4ffd262912bf4e18ba68a46fa75859b94ca5cd27a6161832b10c394c50cf27ff319906c37a0474

Download Submit
C:\Users\Admin\AppData\Local\Temp\SMIU.exe

Filesize
580KB

MD5
7df6508b0c7ea797534f56daf39f2075

SHA1
09c2c8eb72e86b4fd37f641b249e432b80fb90d7

SHA256
54fe9c54846f45ab6afc45edb46eb488639c70bea8693f6fca0701d97f8a656e

SHA512
5d6a83f8cf9f5643bc095469da4dab522891b9b78fe60545fe5d6c3b080c351ec6393bd06b60ffeeb474dd160ea1c9b228a33ca76a697310d57e056419e42df8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Skss.exe

Filesize
111KB

MD5
0c5f4169c0f347746a23bb8c0866acce

SHA1
7fd274f6346df2d262aef56e52794574bc80a32b

SHA256
c2ef84bc10939f77cae8a2a89590008a1b640dadb497ef21f010369a526a4c56

SHA512
354c30efe69f2ede6d455ccca07a5cfb44e403d04587fbbffc58d23bfe307b559c58d4753900a4ac49b6c466f025c6c0a73b54eb9a0df193b2ea5fd38c3d741b

Download Submit
C:\Users\Admin\AppData\Local\Temp\SsUo.exe

Filesize
742KB

MD5
68eb8fd7d533aa665a87dc6dba5f4aca

SHA1
9e419639fd477fa9586f9b237a2e099822820a49

SHA256
14ea1143793a947763d6539e3b99d5565a066198ababb7476095067583485e42

SHA512
f4ec77dda5b0bd111378ad24772e000f5061d66a15edb95809a3eea49eef4f7c289154239b816369c1967cad9be075f539f0d8eb003ee7c46e7ea3ff50a15511

Download Submit
C:\Users\Admin\AppData\Local\Temp\UEYq.exe

Filesize
114KB

MD5
0e6fa910621f1bcb7bd436800e9af2b5

SHA1
a52645e43b764fdf5ee7320a70015abb6ce8f4e3

SHA256
c56261927a9797876d387d9465a238acea087838baab027b186a0262bd9b5c37

SHA512
f72d17a1212ded679650888f6558f9700257542e7199dccd28b076352a2179a92bde37d6267285f462750d85996089bbd31647fd87fabaa9f71fd69dbc7c63bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ugkc.exe

Filesize
566KB

MD5
b71480f826b43535f2cc79ab43d06b69

SHA1
0e0b09b2718cba91c8aa5653cebe091be62fb3ab

SHA256
04c3a1092395ed73b5b3ed56a9a52476c5c5865b626852251d5c6d032a709888

SHA512
0a1495cb3f9c91d4217728d60321063743210733746740822da710fb76a53d5a274eea0f04389c291b5614052a29b995ebf80f0736bddc766458104a76c18f01

Download Submit
C:\Users\Admin\AppData\Local\Temp\WIoE.exe

Filesize
112KB

MD5
be2732618e4148559aae3e899c98d9d1

SHA1
5c8522ca5de5043daf3305972fd953fc59949077

SHA256
7aba42d62cff951bef6c8f00d66f64b3216d1c669c4fa2094e33cc5e7fb7c305

SHA512
ddd896d1765dae09708786d25a47366b3c46c7696b0e1ae9afeda1d9ee443474e270fa8fc696638df80e78a023f785e782449a8c0ca95c4f447266ace08cc475

Download Submit
C:\Users\Admin\AppData\Local\Temp\WUsu.exe

Filesize
555KB

MD5
5de19f8ed7d7c17d45475049b268f82d

SHA1
f502baf276bfecb569afc7de5e3ae66ebeeb0ddb

SHA256
31fe7378ca1babc333abb2398672183a763c329a8e564e808afc7ac9a21ed637

SHA512
1aead5dfcb36292206a2e9e66e7bdb5d61642cb540bf1a4df88e302c4203d127c8b2aaf183d78bc457c13e59e2d2596e261c282d3b99ac95891bc15a77740649

Download Submit
C:\Users\Admin\AppData\Local\Temp\WssA.exe

Filesize
116KB

MD5
e35d0f1f575ad684c634dc615b825800

SHA1
4fb6f30f62a906a500769c748031e579380bcc66

SHA256
c47127c90e5af50d2ea6ea0184e9f81efc948b1bd3b5f1fd7449fac6a3bd13ed

SHA512
3e803a7bb8b2d7b03ade874b5af325fbd876bc999c371ef6a76feed203da80e7ebe66139d675b8185d13c67481a50eb20eb0192797309719628bb3594fa74be7

Download Submit
C:\Users\Admin\AppData\Local\Temp\YMcm.exe

Filesize
115KB

MD5
50cf9c044e7bc83b63ebb9280ae6f8b8

SHA1
fe09909e0e9b8fc023b0ec762e9ffc15fd2d2724

SHA256
0b29fe2b9d8cd1d1390315c9a36b3f71dfe7a01f97d60cb91c5c724242f79802

SHA512
656cc6706c77d4030aee3cac058fae8913982306b85375cfaf8b97d57289f81fce90b96e78d6375e582ff1439e11db24a2f821d041dfc8ee5a648760efd00c01

Download Submit
C:\Users\Admin\AppData\Local\Temp\YQsS.exe

Filesize
111KB

MD5
6723e9513398e65ddf60afd018bb6b3f

SHA1
c8b05b0ff9ccff62e9e1092308929d34fadc38d4

SHA256
d2d43719735fc086d534c3cc66c7821b037a8db4e1e4c2340c075fb5bac80d92

SHA512
c81c3fab5e6f7d3af6a5524a31b57ae24530c7225f5f84861c7aaf6737aab1dfde482fa7b4e7cb8255e5cf204c829da761913cb7cacc36c60a41af79b050c94a

Download Submit
C:\Users\Admin\AppData\Local\Temp\YscQ.exe

Filesize
547KB

MD5
a14a46731239d8425192e5df4685af6b

SHA1
7a0fcf13caaf9f89d5f69c2acc942c563799a45a

SHA256
d825954661147392fb92705cfc5923281b3a0ab2fe6c79fd32b1969bcfa0fc63

SHA512
2665b819ab843ae999d98f16251eef837f7c48968d286e603825157e0155997cfb19f7ab26bf89aacccd8d7a8363b21f460793b87a9f2b6087a3d64ac557d8dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\YskC.exe

Filesize
112KB

MD5
54105a63a6b395e03d2feb1329a990dd

SHA1
41728d354496d78c4c3d7c30ccedf5a91a684374

SHA256
89b73c72124325d86bdc6ac1ec4a74a25215cc1357505dd0578020823f8a9bbb

SHA512
d1fb3ade4b690650f17c7ed07e3a54d22ea43c4a13859b5256a952a5bf51510e0e6e0c9a3c2a2afd9775a961adfa78f5c86063173b6818a2d4387a22391106ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\aIsM.exe

Filesize
768KB

MD5
1276ef8ee94625764500644913b85f56

SHA1
51deb39fcef10a225b8cf785e8aa474d0b265418

SHA256
6ced600456668d106b12693b80a3caec42f0b3669e8916cca550f05b13de4276

SHA512
d7690900151660d4b21e11fbfcec0bba09ca7a6f32bf97f9e7eec5cc5a6c9381b5e9e0231168a24ab0096df48fcdf269f7036b19ccc51f45bb7f7b34e82c66b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\aQcA.exe

Filesize
113KB

MD5
e0300234622c9f24ea6b3bb290dcc223

SHA1
75c7116b357931e6b32964a2f3ca0a96f99d2215

SHA256
d72b711f5dfe5605b507b86bd5f4177d112e082a9710c563f34e3fb0cc4e43da

SHA512
348a7e7a917bec86306517eb5ba585ce46e0f1934101ccf71cf43c83b716877e868964d88099d2817bb93303b28a8f612027529f0fc3666794d48cecdb32189c

Download Submit
C:\Users\Admin\AppData\Local\Temp\aUQC.exe

Filesize
111KB

MD5
cb897e2598c6d74214fa774e1c4c3208

SHA1
d3e651cbd75668b98735965b3efeb482628f5359

SHA256
94d642c4e40353a57b4b2b7dacd43441226484cb7a10385873496a6b5b8790a3

SHA512
40525add4b8da0915bdf7569665ab49338b3e1edc7349c5c89920a1951a230fdc67d253a9057d17b8eb681d1a9086e9e0b3e3017839c7713f0749bdc9c044c08

Download Submit
C:\Users\Admin\AppData\Local\Temp\cAss.exe

Filesize
110KB

MD5
9636f29736c8941ee37472526179b42c

SHA1
d2068e6d828371f0f43bdabca94fd5571d2286d1

SHA256
1cbc8a9c9127ee12494e73dc414c4b731f14cb6519cb341f4c10f7cc5b0d93ce

SHA512
24d3c1078db5a14f0b1fdce4f102f0926f6b5315cede6e7cc46067e60fa77bf26328e0aa597a2d0bb24cea3262c848ee2a197ed7bb904091d93eb1d08186cc50

Download Submit
C:\Users\Admin\AppData\Local\Temp\cIMy.exe

Filesize
113KB

MD5
1eb659be4d735c8b3b0530ad483b063e

SHA1
8f5cb9a2b534b0cdb1fbf7871ba0a396edd01bad

SHA256
26f9a48a3062e89d21df429441c441641314ee7a4e0bd1ed2340a49425933054

SHA512
87e765348ce2a7950f31874542becbabb5c9ac790214c9b9d1cd1d9223614a0171d300a52acdbb52dbe997bc6c0225ad00feb53a37e925ed8de4fc6903899cad

Download Submit
C:\Users\Admin\AppData\Local\Temp\cMcu.exe

Filesize
110KB

MD5
27531ed3e2b799322da287835e224ccf

SHA1
1583e51f7c9e458d3f1f98163ca948ea26d85fc4

SHA256
90848a2cfffb3406a827220585ce0f9fbf74f8719cfbee9e9df66a8f77072d63

SHA512
22e44598fbe97ff30ccf9151012a62f66644c9d49f718cc4447f4fdadcef2dcea163cbdd2c17901f93c97821f3bd444f376567f0d0d1f52b0b7739966980c631

Download Submit
C:\Users\Admin\AppData\Local\Temp\eIcA.exe

Filesize
964KB

MD5
71abdda60d557168529fb3b6f38ec493

SHA1
3de60d41d7b580b25ff6a6799d8de12fb66bb63b

SHA256
4926be8aaf0a78b903267fa4f36a3c5d19f1af6cba1bc93be9e19960fc688812

SHA512
c986b5881c52012ed3519faa39296c834f71cc5772bfa81d306aa5ce1bc81f7524ac104a3634d4a4691000bff796f974c5fcdaa8638441eb5155c9a9d9d51ee9

Download Submit
C:\Users\Admin\AppData\Local\Temp\eIgK.exe

Filesize
1.1MB

MD5
34d6dd7feb0b66bf3d5a41ea1766fd73

SHA1
5487681249b911001778203547a6ddc879b7923a

SHA256
7da156081dbf3b4987f50ea6e67736287f5505b3a2e9ca504eab289288569f90

SHA512
f8d267a557a9a423483d694b9da078eca5c93c1785b62e6edb34f5b21af56b33b77e766796f33788772ce7a9d9344e0cd11b8cdffd705d104d2f807ae6253aba

Download Submit
C:\Users\Admin\AppData\Local\Temp\egMQ.exe

Filesize
112KB

MD5
58c3b71092c778cb315a2fa28428578b

SHA1
28b3c98895864f4054fcfc3b66fc04fc2cbf9a86

SHA256
a2d6e91c0d068aa448c9250f06f44418805430aca2e3742b078ce2304365b7bf

SHA512
f1bc2a732d0324eae7740f6a1337510277b428e3bd5598f8f20d044ea6b161ed736fe6a32838836e210e874cb05804abe3bf1344dd687b302ff30e21c1b6634d

Download Submit
C:\Users\Admin\AppData\Local\Temp\esAY.exe

Filesize
115KB

MD5
2c63e53386c461ae42045fac22ddf741

SHA1
809bcf4dc7c6606b292f9297dbf47fb707e112e0

SHA256
89f0189bff3f3c001c0b4e713e0347636f115046add2116a64e90da823840764

SHA512
55db28acf5552978a6222fad2febeae8a55cfcecd09ed102458b4d31363226498117c16e2e737442fa1a234d6142c8fb7a28b6221d734ee91ac9bd12ee1e4d86

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gYkE.exe

Filesize
744KB

MD5
14545e9015ebad94220d0ac4f2aec3a6

SHA1
567279a9bd92482d8688fff70b243ad7a6fbbc70

SHA256
b57357cd669cff227a951ad05be73e4f980c2cab5e5bfb38e30e8514e787da7e

SHA512
3a426cdf69fca53c4dd342cbff1b14a2862ad219bcd04f8b2e2c2f65a5d3f08f797dbe99e8e2b29314820a4cdce6c944cfe3b46a25b2de17a72815727fa4c7c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\gkkw.exe

Filesize
116KB

MD5
5ec7c9c2f207bb94c9aaacf6b57e61b4

SHA1
bbbb566fb2eeefd0dbf5faffccf1912217c1d10f

SHA256
95bdb1d8f07716a1b37faf7e6dcff257e0c2f0c478332193fe5af61a86ee017e

SHA512
eb0880566059fc314b1aff745882c48f6c4fcd92a70b3afd8c3e122d549649dcf99912863792b3543a59478f2324f4fec5cb3ee186aeb3fcb2cb3c7f692af812

Download Submit
C:\Users\Admin\AppData\Local\Temp\gogq.exe

Filesize
134KB

MD5
4afa7cee52325855fb432e7cbbdb852e

SHA1
17746713d82cf72d6b72abf48915affab2e27b0c

SHA256
3592dc92597fd6e47db8fbd27da90adab1eb84827bb2084e7c846ef592d45b41

SHA512
d73560bdea7532fd0c9c70c611057faefcc1fef0a2796794850bd229758286150692c6121fcdbfcdc65390f93cbaebd0d32b1f41c158403ebe05fa962da10c20

Download Submit
C:\Users\Admin\AppData\Local\Temp\iEUy.exe

Filesize
111KB

MD5
2b7acdb2c8bddb10c97b1c373b6070d0

SHA1
0c1a44fd0cc2b216164d4f2a87453d17da5447a4

SHA256
2101272eafda8ca08fe114ca0f91218a3c5b5cd89d406d49e6c148eb1b2290d6

SHA512
623aa36db2e511a0d1cdae15b349bba102a736240044b47f56b0b8122bfc82fdb6e081f67a04e6444de79a030bfc8741a05688c2eb0362f8b03f5d8111326c7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\iwcc.exe

Filesize
111KB

MD5
56d1401e8464a41a13f41d77a783042c

SHA1
b7830ecc8b77f81303d6848e561e092a883d3351

SHA256
fb8399b92e6609d45faa8ae70cc1282a8090367aa2c2e1e874b6635b2de21983

SHA512
dbfc1e2a5ff966ca4a2f085aac39d91f96d0282a18a213ebfd2c5bd15a722af82c17bdc3bc07d815ee1f79af7b4d8a63217e94b164771b3d01b6ed1d16a0e2e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\kAoQ.exe

Filesize
118KB

MD5
23d4fe820122d36df384d1a26c04a7e7

SHA1
121ff46511bed488144ef3195c1eb2f91daeb3a2

SHA256
5febfc9717da3e08c1f3fae6683ef7220e1e60f7c847e67a46840b7bb6160f5e

SHA512
7af8f96186e6604ca9cb06f76dc2d722bb14f01eee8981ead67b5662468fc78fa3ae15b7657bd651e0b48451d3bab446e989b0c8dd01dc7f3a8e5fe64ca1abf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\kMEc.exe

Filesize
119KB

MD5
57e53487ef269a1bd4c8d821b65866ba

SHA1
a13498e44776d7a0b21f816a41ee2ed6b0e5d794

SHA256
a64b302d4555075d230b0f51d63dac476a44e10887a40565a0deba8ac5b0f1e9

SHA512
8d7fbe7dbba893a09a0cc826ff5f225bfec93fb57649adc2a732aef0d0896ea231c922508f3f4bbf6c5473b579caafb123cb2ea5abf9ccb7a25f182f4575d461

Download Submit
C:\Users\Admin\AppData\Local\Temp\mUYY.ico

Filesize
4KB

MD5
ace522945d3d0ff3b6d96abef56e1427

SHA1
d71140c9657fd1b0d6e4ab8484b6cfe544616201

SHA256
daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd

SHA512
8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e

Download Submit
C:\Users\Admin\AppData\Local\Temp\mcge.exe

Filesize
720KB

MD5
33afa6fb3dfeda06931d8d21fdc7c622

SHA1
11190b16d19a3393e95d982186dd4e4a37995477

SHA256
2cc6cc450c68b22b1b726771bfe919b8411eed65391934ee199b07b92a7fc65b

SHA512
706ee657fb759011f6418fba647fc8816390e9f1d03d0d96d6f0434cbf74bedcbc9209169d72f78beb9f2e6bde5a73c63f3994927103012abc7c59c80c17d758

Download Submit
C:\Users\Admin\AppData\Local\Temp\mkEU.exe

Filesize
140KB

MD5
31b2680241233f96fd2a85da7e69a407

SHA1
3db89d45e1c95726d2552ba0be778a3fba1a2ace

SHA256
a3f5d3486e4715997d268fbc1cdc270f6dd9d59ed8a2049f98df64064e6e071d

SHA512
a887b2aa23417b30d104c5e98a8c4e57cc9dd2c3faaebaf09775db1f758c21ea5b81be789130a68867f83a2973d7ba4ba791bca463a9410f2dd7b3aeb1007b26

Download Submit
C:\Users\Admin\AppData\Local\Temp\mkMi.exe

Filesize
237KB

MD5
25b2ed2ec4f5a58fb4ab4785a84847cb

SHA1
7f11bd350b9c1b8cbfe838e3a850d6e390976498

SHA256
e7d5dc9fbc5230b524d260c433417ae6b54c32ef5b23425b99ed4eec5b2febe3

SHA512
fff10920c132114d36504d2f6b7c4015ea48bebcb88e0abe73d0aa5b0a3b0807148a11a1dd2379958c955888d551c32f4f54a08e54ecc61b8caf861554cc7db3

Download Submit
C:\Users\Admin\AppData\Local\Temp\mwMY.exe

Filesize
745KB

MD5
341b515c00e65695d4000425e0224fef

SHA1
175f49275528274d85ee559367fd72f4a301927b

SHA256
c904980314b185cf8b15b79cfd27943ba68057672fa197e134f1758df35f9b78

SHA512
06e89bcd58e2779ec8bfb364fa8d0770a45adaa4ae83a4d7d60703c689119adc71e80333b9561192bf2f5f984bfbce4f7bddeea13e42dc00ec6bbf56022bd8c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\oAIO.exe

Filesize
116KB

MD5
cf8f9c8afaca975170d0cf81e42f6330

SHA1
137eb60dd24f49d737d0094c7101d159a8002237

SHA256
1501901b63048809d268c3abcbbc0e9db590f03a04611996a86d2250d87afee6

SHA512
3827c994adcfe8b7b987620090ce91df1b1b0c49c5feda1ff190c571c652c92021c24e47436cbef73c3949f95f4a4526270dfb749503590126c29a388d451369

Download Submit
C:\Users\Admin\AppData\Local\Temp\oIEm.exe

Filesize
112KB

MD5
981b251b3b04936a699e24c6655e9704

SHA1
d7faa1055eb1d391e6ae37c5375865a56124c414

SHA256
33783db662228d8e6ec015ca82b6aa6434002c1b898ccfce8cfbe35aab856458

SHA512
e945b5e1ec82c99caf0d072c1717c94bb62899efc295456500e57469e0f8c4c18b7d0e6077a6d0b72132e442edb5ae6e64acd850d9e2145b4c5d37f3a3161e6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\oQUK.exe

Filesize
120KB

MD5
cda06af37d072ffdc0dcb6be3f71e17e

SHA1
98f89e583a4237608b2114ac1d995e1945357f81

SHA256
4bbba566a351694c6590b0c40f648b4dde160adf7f8bb3072188d4e98e8d42a9

SHA512
4f1d5438a8db7820f8a4d3f4e9d54f5002f3a9d4be1e815e63bcd01f0d96c8e3a7263b407fa6fc14b70cf3ca6df8ea97890dbc90643eb711b325b78571890da9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ocQG.exe

Filesize
722KB

MD5
314e29ba50c79b03fb3e6da16c268e1b

SHA1
1c4d4cf2f1097bfdfa494ee6f1b93065ab149520

SHA256
05dd67c27f01396cdc85f4757e7c75606d755d4dd8dfad06262ee5e764c04fd4

SHA512
2d66fe02473d409c018d48e08b00b1d1459d84718074e0540d2a7b3590e9530ce856063f98b60a7da4b1be400dff7cfe59ca0bea75259be1b344dfe163260a53

Download Submit
C:\Users\Admin\AppData\Local\Temp\qAka.exe

Filesize
155KB

MD5
489d160ee412cf9652f74d463cea69d1

SHA1
a9b9abb31fcd14597d4baee03c96ac36f945afbe

SHA256
fb0c92346f7720216ae340757c9844c95e48c9e1bb1c37af632e5aae1a91a068

SHA512
f1a301766123933f35f2d48b991cb87d3aa253abb890e21b1b95b572eb8c72d480159b3ffe71730364bf59e6968c0be4a4f79dae7e1efc33e431d3c8027afd6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\qYUA.exe

Filesize
1.7MB

MD5
a615c4d6078ddbae9b2b2b99abf7b998

SHA1
e35fb42e95003add679731533d4fd681994b7617

SHA256
05f3e97e1fd86c9208674249fb203e29880ee625a035d0699043bada80149e9c

SHA512
7d57461cedfa6f7ab630593a0f0168c069a17da15bdf7dcf0159466d16e3f1632eaf04b56ff60006dd61eaa1015b8d900d713e654e41b4f9fc3b49fcd3749e74

Download Submit
C:\Users\Admin\AppData\Local\Temp\qkce.exe

Filesize
113KB

MD5
e8b20ba4fa8f6324907be4cbd460c4fe

SHA1
c538322f9e559adfb436e2dfa70bc1181312288b

SHA256
0501ec225edbe7e7c92a4d35f789abf432c7de3e9abbaad559e6513e3c7c5211

SHA512
33293a3c666948786d3603279b79c443a21b5ebb9235e6e752bcb31d53182211dd30b26aa7a4c3999442e4bc6f98074e45fdcfd017f473dc5ebc65ce4d7bf505

Download Submit
C:\Users\Admin\AppData\Local\Temp\qogC.exe

Filesize
113KB

MD5
fa4201f2962bdd92eabcdf8ad1864b29

SHA1
121a57b3282beb2c5af8f9125eebed4160cc1d1c

SHA256
f221e3d2d78b327e027c8588b2d590e51b0cd0b64f8fb62f80877879ce4600e5

SHA512
3a287c6f52e19cbc8c09fe9e36e3740884515d39cdeb6a1d6ebd9990fc8362b5808a1c0a794f4c146b744d059acf0968b6943c7659a495ec7d20489a10b66165

Download Submit
C:\Users\Admin\AppData\Local\Temp\qwAe.exe

Filesize
140KB

MD5
11b0f6e0824888f07564f5825f34ea6f

SHA1
faf582503d6baa58525cceabd336abaad3ada3ca

SHA256
d19f3b4dcedcf7386867714d0df278c8ad1dffd9a5201dd4264cd62256b71469

SHA512
560ca2bf0aaef2607d929de00fdac49b11c0e3f39d9c6365be1fb719df07139d5ba377e07009e2014f1a55b38c4185440b827689e0c437ba8e2a67363973afd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\uQcO.exe

Filesize
113KB

MD5
9c62a5f89e74e9d2bd92bbca1ada60a1

SHA1
56b8d5535fb72994eaac18b7375373abe19fa248

SHA256
b9a576ee64df87e562a8d9aae0bdae4e00108867c46e99aab108de7b4c362c6c

SHA512
a4c48769856a71481b25dcbabffb635feeb3f34891bf57e2cc37551e8c530486b1cbe73186c6eb8fa00e80f2faf8724c6ba895c0abce4ff3f02f8f7c5e08e9fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\uUoa.exe

Filesize
112KB

MD5
3853c69eecd5d78e562ff25f4c3233f3

SHA1
8649816a779fe07ee3b4398f8f87c61d2ded578d

SHA256
ec96bbb314e4353017b7997fead1696101947adaa7da8a78493276d63bd58ee2

SHA512
5d0bca420620361cb95cdfe0ea5937130a5f1ac8341023621fb39303248883a6ae694db1fad379b0af31c84d2590cdaf1b596cfd81c12dcc6c9fc9ab305b6445

Download Submit
C:\Users\Admin\AppData\Local\Temp\wMMi.exe

Filesize
112KB

MD5
5be5debaf1a67d886e70c601ac6a3011

SHA1
78586434c781f37138c72b773e025c8a4bb11390

SHA256
a6fe0f6582ae717534928d5a755e93e91f464a9ff6cd3ef760fec023c3db67e4

SHA512
82ac9194dc470a5f7b2cf41cd240dc0c15839eb537487906e5e3aca28a6232fe10af1cba61fe20d23cc845a8933c6c00fbcf8a666eeae3a2c98e3d52e2d5900e

Download Submit
C:\Users\Admin\AppData\Local\Temp\yAko.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\yEQa.exe

Filesize
110KB

MD5
2393592c2011c475e93a8a2e127ec759

SHA1
33e27bed3b6771a49ca01bab3ad5f3d2dfa227f8

SHA256
9997f424bcd13853da1f176a422a2af3ecd4184c559bed2b7a62fc465deeb64e

SHA512
8cd25dd431042920581377ca3e17f23430226d68e777a578c276cd086f082beab52950cf427559e89a6ef2ac4360099136902b3343323249b9ab3a6fd05b453f

Download Submit
C:\Users\Admin\AppData\Local\Temp\yYsQ.exe

Filesize
116KB

MD5
d9e4afc27c00d7473ef021e79ec64580

SHA1
eee04804663a9cb007a9829b868ef93c5c9d1854

SHA256
7d7df54ac6074c0e9cbe402a4e59037aff03ede278e887fecc9fafc03ac44259

SHA512
9eafb28acf038208495dfb6888738ccde32e70e8dba1faa26fe998924016687f8bc6313c9e9a36fc7a00c96daa07f0e71012277f6e4741173abdde02e49ae966

Download Submit
C:\Users\Admin\HQIkcIUg\HYIYgIAE.exe

Filesize
109KB

MD5
e52b8c4925329251b440cf0745b1da54

SHA1
efdeb68cf35e3e67d11f23a63145da932c1446c8

SHA256
5a78adba4c89dc283d2c77319c92e22d96776e9cf3c685479d63699dba573ac1

SHA512
ec26e0a789b1a84f0e1e19727381b37244a64fe0400c9449c17e5dbfc8c702a6581f75ee8b8ec081ae8b64d2f780de31a8d96fcb60a8ed83716c71e7294c670a

Download Submit
C:\Windows\SysWOW64\shell32.dll.exe

Filesize
5.8MB

MD5
d0216db281b9fbdf75277ec5b6723cf1

SHA1
7bd8dac397a75ea90a536fe486c97ae1a9113b39

SHA256
c95113b7935c0c970df399b83c9c74f36440f405a8a8aaf5849f9601fbb81b05

SHA512
4933fbae205371c524c46c20456e465e01734ee4358a1c5f7d296d6d77de8626ec449760cf0acd260b7e963aa35897d2e368ed310b37bb51fd8b563a2f752e04

Download Submit
memory/228-143-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/228-128-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/628-551-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/628-587-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/796-302-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/956-350-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1032-420-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1048-189-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1048-200-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1256-1327-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1256-1400-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1336-30-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1336-385-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1408-334-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1412-1299-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1436-1787-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1436-1826-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1496-326-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1580-360-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1580-368-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1676-1122-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1708-252-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1712-720-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1848-19-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1848-0-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1968-98-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2096-958-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2108-1610-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2120-428-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2120-416-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2132-286-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2132-294-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2148-1556-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2212-253-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2212-261-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2264-165-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2300-52-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2348-65-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2348-76-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2396-277-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2520-536-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2524-244-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2616-463-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2704-395-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2704-386-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2752-1788-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2768-830-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2868-638-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2876-1688-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/3008-179-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/3008-188-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/3008-1696-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/3040-411-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/3224-342-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/3248-1236-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/3360-779-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/3380-41-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/3380-269-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/3480-318-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/3716-14-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/3876-132-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/3980-1187-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/4072-454-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/4072-446-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/4164-1405-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/4164-1470-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/4292-154-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/4304-445-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/4304-437-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/4328-1821-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/4352-87-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/4524-222-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/4572-436-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/4572-109-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/4576-459-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/4576-486-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/4584-377-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/4584-369-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/4652-285-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/4676-120-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/4676-1036-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/4676-359-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/4676-1058-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/4676-352-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/4780-310-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/4856-403-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/4856-391-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/4932-1035-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/4936-908-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/4936-844-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/4960-211-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/4972-53-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/4972-64-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/4976-12-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/5016-233-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/5084-176-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download