efc7a45fe8efcbc92a1f16bfc3cfd1666fda5340815322af7cbee709c51d7cdc

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-11-2024 01:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
Size

882KB
MD5

784d6132ccc958a3e44ac9b8f26b64e1
SHA1

3db2b316b3bf5bf9cc5c69e90f013f34ed283d34
SHA256

efc7a45fe8efcbc92a1f16bfc3cfd1666fda5340815322af7cbee709c51d7cdc
SHA512

5a5ca6f606c3dda9751766cfe799f3f35bf0337494bd21843e6df70588cca0d37014431338c3ed8652fbce4898980db59c063c89f3aa6c89e3a255d7eca5eb6a
SSDEEP

24576:H694Zofqlkfx+cvhGHv9aTCJxlCEbrjUfyiXbfHG:H7qCgxHm9aUj8yizH

Score

10^/10

discovery evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (82) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

icUssEIs.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	icUssEIs.exe

Executes dropped EXE 2 IoCs

Processes:

icUssEIs.exefGogsEAI.exe

pid process

1192 icUssEIs.exe
4324 fGogsEAI.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exeicUssEIs.exefGogsEAI.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WaUUIoAc.exe = "C:\\ProgramData\\RSEowoUc\\WaUUIoAc.exe"	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\icUssEIs.exe = "C:\\Users\\Admin\\pWEkggkI\\icUssEIs.exe"	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\fGogsEAI.exe = "C:\\ProgramData\\DiQIQgUo\\fGogsEAI.exe"	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\icUssEIs.exe = "C:\\Users\\Admin\\pWEkggkI\\icUssEIs.exe"	icUssEIs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\fGogsEAI.exe = "C:\\ProgramData\\DiQIQgUo\\fGogsEAI.exe"	fGogsEAI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WwUwIokY.exe = "C:\\Users\\Admin\\lMkgwoos\\WwUwIokY.exe"	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe

Drops file in System32 directory 2 IoCs

Processes:

icUssEIs.exe

description	ioc	process
File created	C:\Windows\SysWOW64\shell32.dll.exe	icUssEIs.exe
File opened for modification	C:\Windows\SysWOW64\shell32.dll.exe	icUssEIs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4072 3892 WerFault.exe WwUwIokY.exe
2332 4244 WerFault.exe WaUUIoAc.exe

pid	pid_target	process	target process
4072	3892	WerFault.exe	WwUwIokY.exe
2332	4244	WerFault.exe	WaUUIoAc.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.execmd.exe2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exereg.exe2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.execmd.exereg.exe2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.execscript.exereg.execmd.execmd.exereg.execmd.exereg.exereg.exereg.execscript.exe2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exereg.exeWwUwIokY.exe2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.execmd.exereg.execscript.execmd.exe2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.execmd.exereg.exe2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exereg.exereg.execmd.exe2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exereg.exereg.execmd.execmd.execscript.exe2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exereg.execscript.execmd.execmd.exereg.exe2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.execmd.execmd.execscript.exe2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.execmd.execscript.exereg.exereg.exereg.execscript.exereg.exe2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.execmd.exe2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.execmd.exereg.exereg.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WwUwIokY.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

Processes:

pid	process
760	reg.exe
1684	reg.exe
3260	reg.exe
2112	reg.exe
2168	reg.exe
3896	reg.exe
772	reg.exe
3408	reg.exe
2664	reg.exe
4932	reg.exe
1328	reg.exe
432	reg.exe
836	reg.exe
1404	reg.exe
2796	reg.exe
4700	reg.exe
2384	reg.exe
4352	reg.exe
2216	reg.exe
4208	reg.exe
3820	reg.exe
432	reg.exe
4592	reg.exe
1100	reg.exe
1080	reg.exe
3896	reg.exe
1080	reg.exe
316	reg.exe
3596	reg.exe
3912	reg.exe
3424	reg.exe
1648	reg.exe
4292	reg.exe
4376	reg.exe
4588	reg.exe
4596	reg.exe
2852	reg.exe
1156	reg.exe
2236	reg.exe
2948	reg.exe
3984	reg.exe
1900	reg.exe
892	reg.exe
1724	reg.exe
2480	reg.exe
540	reg.exe
3152	reg.exe
4592	reg.exe
2236	reg.exe
4440	reg.exe
4160	reg.exe
4944	reg.exe
2204	reg.exe
5108	reg.exe
512	reg.exe
1872	reg.exe
2408	reg.exe
4932	reg.exe
2088	reg.exe
1528	reg.exe
3992	reg.exe
1828	reg.exe
4296	reg.exe
4276	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe

pid	process
4988	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
4988	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
4988	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
4988	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
3924	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
3924	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
3924	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
3924	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
2920	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
2920	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
2920	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
2920	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
2404	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
2404	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
2404	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
2404	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
4124	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
4124	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
4124	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
4124	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
1760	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
1760	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
1760	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
1760	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
2856	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
2856	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
2856	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
2856	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
3500	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
3500	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
3500	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
3500	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
2408	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
2408	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
2408	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
2408	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
1044	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
1044	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
1044	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
1044	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
2168	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
2168	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
2168	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
2168	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
2516	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
2516	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
2516	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
2516	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
4948	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
4948	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
4948	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
4948	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
4592	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
4592	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
4592	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
4592	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
3448	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
3448	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
3448	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
3448	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
4040	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
4040	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
4040	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
4040	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

icUssEIs.exe

pid process

1192 icUssEIs.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

icUssEIs.exe

pid	process
1192	icUssEIs.exe
1192	icUssEIs.exe
1192	icUssEIs.exe
1192	icUssEIs.exe
1192	icUssEIs.exe
1192	icUssEIs.exe
1192	icUssEIs.exe
1192	icUssEIs.exe
1192	icUssEIs.exe
1192	icUssEIs.exe
1192	icUssEIs.exe
1192	icUssEIs.exe
1192	icUssEIs.exe
1192	icUssEIs.exe
1192	icUssEIs.exe
1192	icUssEIs.exe
1192	icUssEIs.exe
1192	icUssEIs.exe
1192	icUssEIs.exe
1192	icUssEIs.exe
1192	icUssEIs.exe
1192	icUssEIs.exe
1192	icUssEIs.exe
1192	icUssEIs.exe
1192	icUssEIs.exe
1192	icUssEIs.exe
1192	icUssEIs.exe
1192	icUssEIs.exe
1192	icUssEIs.exe
1192	icUssEIs.exe
1192	icUssEIs.exe
1192	icUssEIs.exe
1192	icUssEIs.exe
1192	icUssEIs.exe
1192	icUssEIs.exe
1192	icUssEIs.exe
1192	icUssEIs.exe
1192	icUssEIs.exe
1192	icUssEIs.exe
1192	icUssEIs.exe
1192	icUssEIs.exe
1192	icUssEIs.exe
1192	icUssEIs.exe
1192	icUssEIs.exe
1192	icUssEIs.exe
1192	icUssEIs.exe
1192	icUssEIs.exe
1192	icUssEIs.exe
1192	icUssEIs.exe
1192	icUssEIs.exe
1192	icUssEIs.exe
1192	icUssEIs.exe
1192	icUssEIs.exe
1192	icUssEIs.exe
1192	icUssEIs.exe
1192	icUssEIs.exe
1192	icUssEIs.exe
1192	icUssEIs.exe
1192	icUssEIs.exe
1192	icUssEIs.exe
1192	icUssEIs.exe
1192	icUssEIs.exe
1192	icUssEIs.exe
1192	icUssEIs.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.execmd.execmd.exe2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.execmd.execmd.exe2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.execmd.exe

description	pid	process	target process
PID 4988 wrote to memory of 1192	4988	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe	icUssEIs.exe
PID 4988 wrote to memory of 1192	4988	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe	icUssEIs.exe
PID 4988 wrote to memory of 1192	4988	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe	icUssEIs.exe
PID 4988 wrote to memory of 4324	4988	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe	fGogsEAI.exe
PID 4988 wrote to memory of 4324	4988	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe	fGogsEAI.exe
PID 4988 wrote to memory of 4324	4988	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe	fGogsEAI.exe
PID 4988 wrote to memory of 2876	4988	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe	cmd.exe
PID 4988 wrote to memory of 2876	4988	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe	cmd.exe
PID 4988 wrote to memory of 2876	4988	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe	cmd.exe
PID 4988 wrote to memory of 3912	4988	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe	reg.exe
PID 4988 wrote to memory of 3912	4988	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe	reg.exe
PID 4988 wrote to memory of 3912	4988	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe	reg.exe
PID 4988 wrote to memory of 5068	4988	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe	reg.exe
PID 4988 wrote to memory of 5068	4988	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe	reg.exe
PID 4988 wrote to memory of 5068	4988	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe	reg.exe
PID 4988 wrote to memory of 4556	4988	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe	reg.exe
PID 4988 wrote to memory of 4556	4988	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe	reg.exe
PID 4988 wrote to memory of 4556	4988	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe	reg.exe
PID 4988 wrote to memory of 4712	4988	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe	cmd.exe
PID 4988 wrote to memory of 4712	4988	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe	cmd.exe
PID 4988 wrote to memory of 4712	4988	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe	cmd.exe
PID 2876 wrote to memory of 3924	2876	cmd.exe	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
PID 2876 wrote to memory of 3924	2876	cmd.exe	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
PID 2876 wrote to memory of 3924	2876	cmd.exe	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
PID 4712 wrote to memory of 4892	4712	cmd.exe	cscript.exe
PID 4712 wrote to memory of 4892	4712	cmd.exe	cscript.exe
PID 4712 wrote to memory of 4892	4712	cmd.exe	cscript.exe
PID 3924 wrote to memory of 2100	3924	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe	cmd.exe
PID 3924 wrote to memory of 2100	3924	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe	cmd.exe
PID 3924 wrote to memory of 2100	3924	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe	cmd.exe
PID 3924 wrote to memory of 2452	3924	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe	reg.exe
PID 3924 wrote to memory of 2452	3924	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe	reg.exe
PID 3924 wrote to memory of 2452	3924	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe	reg.exe
PID 3924 wrote to memory of 2808	3924	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe	reg.exe
PID 3924 wrote to memory of 2808	3924	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe	reg.exe
PID 3924 wrote to memory of 2808	3924	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe	reg.exe
PID 3924 wrote to memory of 1320	3924	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe	reg.exe
PID 3924 wrote to memory of 1320	3924	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe	reg.exe
PID 3924 wrote to memory of 1320	3924	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe	reg.exe
PID 3924 wrote to memory of 800	3924	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe	cmd.exe
PID 3924 wrote to memory of 800	3924	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe	cmd.exe
PID 3924 wrote to memory of 800	3924	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe	cmd.exe
PID 2100 wrote to memory of 2920	2100	cmd.exe	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
PID 2100 wrote to memory of 2920	2100	cmd.exe	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
PID 2100 wrote to memory of 2920	2100	cmd.exe	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
PID 800 wrote to memory of 3156	800	cmd.exe	cscript.exe
PID 800 wrote to memory of 3156	800	cmd.exe	cscript.exe
PID 800 wrote to memory of 3156	800	cmd.exe	cscript.exe
PID 2920 wrote to memory of 3760	2920	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe	cmd.exe
PID 2920 wrote to memory of 3760	2920	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe	cmd.exe
PID 2920 wrote to memory of 3760	2920	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe	cmd.exe
PID 3760 wrote to memory of 2404	3760	cmd.exe	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
PID 3760 wrote to memory of 2404	3760	cmd.exe	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
PID 3760 wrote to memory of 2404	3760	cmd.exe	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
PID 2920 wrote to memory of 752	2920	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe	reg.exe
PID 2920 wrote to memory of 752	2920	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe	reg.exe
PID 2920 wrote to memory of 752	2920	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe	reg.exe
PID 2920 wrote to memory of 4700	2920	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe	Conhost.exe
PID 2920 wrote to memory of 4700	2920	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe	Conhost.exe
PID 2920 wrote to memory of 4700	2920	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe	Conhost.exe
PID 2920 wrote to memory of 1076	2920	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe	Conhost.exe
PID 2920 wrote to memory of 1076	2920	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe	Conhost.exe
PID 2920 wrote to memory of 1076	2920	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe	Conhost.exe
PID 2920 wrote to memory of 384	2920	2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4988
- C:\Users\Admin\pWEkggkI\icUssEIs.exe
  "C:\Users\Admin\pWEkggkI\icUssEIs.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:1192
- C:\ProgramData\DiQIQgUo\fGogsEAI.exe
  "C:\ProgramData\DiQIQgUo\fGogsEAI.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4324
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2876
- - C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
    C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3924
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2100
    - - C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2920
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3760
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2904
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:640
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        12⤵
        
        PID:4204
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        14⤵
        
        PID:2980
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:4940
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        17⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        18⤵
        
        PID:2464
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        20⤵
        
        PID:3504
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:4220
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        23⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        24⤵
        
        PID:1828
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        25⤵
        Adds Run key to start application
        
        PID:4772
        
        C:\Users\Admin\lMkgwoos\WwUwIokY.exe
        
        "C:\Users\Admin\lMkgwoos\WwUwIokY.exe"
        26⤵
        System Location Discovery: System Language Discovery
        
        PID:3892
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3892 -s 228
        27⤵
        Program crash
        
        PID:4072
        
        C:\ProgramData\RSEowoUc\WaUUIoAc.exe
        
        "C:\ProgramData\RSEowoUc\WaUUIoAc.exe"
        26⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4244 -s 224
        27⤵
        Program crash
        
        PID:2332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        26⤵
        
        PID:1100
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        28⤵
        
        PID:4836
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        30⤵
        
        PID:3388
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        32⤵
        
        PID:2772
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        33⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        34⤵
        
        PID:4440
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        35⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        36⤵
        
        PID:2452
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        37⤵
        
        PID:1232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        38⤵
        System Location Discovery: System Language Discovery
        
        PID:3988
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        39⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        40⤵
        
        PID:2068
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        41⤵
        
        PID:684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        42⤵
        
        PID:1292
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        43⤵
        
        PID:4792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        44⤵
        
        PID:940
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        45⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        46⤵
        System Location Discovery: System Language Discovery
        
        PID:2296
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        47⤵
        
        PID:32
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        48⤵
        
        PID:4368
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        49⤵
        
        PID:3240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        50⤵
        
        PID:752
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        51⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        52⤵
        
        PID:1488
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        53⤵
        
        PID:2224
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        53⤵
        System Location Discovery: System Language Discovery
        
        PID:316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        54⤵
        
        PID:3388
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        55⤵
        
        PID:4452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        56⤵
        System Location Discovery: System Language Discovery
        
        PID:772
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        57⤵
        
        PID:4184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        58⤵
        
        PID:32
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        59⤵
        System Location Discovery: System Language Discovery
        
        PID:4292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        60⤵
        
        PID:1504
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        61⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        62⤵
        
        PID:3764
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        63⤵
        System Location Discovery: System Language Discovery
        
        PID:4632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        64⤵
        
        PID:2308
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        65⤵
        System Location Discovery: System Language Discovery
        
        PID:1812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        66⤵
        
        PID:4360
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        67⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        68⤵
        
        PID:4984
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        69⤵
        
        PID:1876
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        69⤵
        
        PID:3624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        70⤵
        
        PID:2168
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        71⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        72⤵
        
        PID:4596
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        73⤵
        
        PID:516
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        73⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        74⤵
        System Location Discovery: System Language Discovery
        
        PID:3060
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        75⤵
        
        PID:2032
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        75⤵
        
        PID:760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        76⤵
        
        PID:4000
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        77⤵
        
        PID:456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        78⤵
        
        PID:4944
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        79⤵
        
        PID:384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        80⤵
        
        PID:4568
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        81⤵
        
        PID:3152
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        81⤵
        System Location Discovery: System Language Discovery
        
        PID:2704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        82⤵
        
        PID:4136
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        83⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        84⤵
        
        PID:1488
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        85⤵
        System Location Discovery: System Language Discovery
        
        PID:5008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        86⤵
        
        PID:2844
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        87⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        88⤵
        
        PID:3448
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        89⤵
        
        PID:4224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        90⤵
        
        PID:2744
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        91⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        92⤵
        System Location Discovery: System Language Discovery
        
        PID:4660
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        93⤵
        
        PID:4792
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        93⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        94⤵
        
        PID:3900
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        95⤵
        
        PID:3728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        96⤵
        
        PID:452
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        97⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        98⤵
        
        PID:2308
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        99⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        100⤵
        System Location Discovery: System Language Discovery
        
        PID:4440
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        101⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        102⤵
        
        PID:4844
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        103⤵
        
        PID:3900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        104⤵
        
        PID:536
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        105⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        106⤵
        
        PID:2100
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        107⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        108⤵
        
        PID:4776
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        109⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        110⤵
        
        PID:4032
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        111⤵
        System Location Discovery: System Language Discovery
        
        PID:4072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        112⤵
        
        PID:1652
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        113⤵
        
        PID:368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        114⤵
        
        PID:3444
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        115⤵
        System Location Discovery: System Language Discovery
        
        PID:3968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        116⤵
        
        PID:3892
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        117⤵
        
        PID:4676
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        117⤵
        System Location Discovery: System Language Discovery
        
        PID:512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        118⤵
        
        PID:2496
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        119⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        120⤵
        System Location Discovery: System Language Discovery
        
        PID:4856
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        121⤵
        
        PID:2812
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        121⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        122⤵
        
        PID:1100
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        123⤵
        
        PID:3456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        124⤵
        
        PID:1704
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        125⤵
        
        PID:4836
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        125⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        126⤵
        
        PID:4984
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        127⤵
        
        PID:744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        128⤵
        
        PID:2464
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        129⤵
        
        PID:740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        130⤵
        
        PID:3712
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        131⤵
        
        PID:3536
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        131⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        132⤵
        
        PID:2664
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        133⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        134⤵
        
        PID:1100
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        135⤵
        
        PID:4244
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        135⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        136⤵
        
        PID:2496
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        137⤵
        
        PID:3736
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        137⤵
        
        PID:3912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        138⤵
        
        PID:2168
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        139⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        140⤵
        
        PID:1644
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        141⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        142⤵
        
        PID:4292
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        143⤵
        
        PID:4452
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        143⤵
        System Location Discovery: System Language Discovery
        
        PID:4948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        144⤵
        
        PID:4944
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        145⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        146⤵
        
        PID:32
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        147⤵
        
        PID:4116
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        147⤵
        
        PID:1356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        148⤵
        
        PID:1752
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        149⤵
        
        PID:1660
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        149⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        150⤵
        
        PID:3912
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        151⤵
        
        PID:2780
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        151⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        152⤵
        
        PID:2808
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        153⤵
        
        PID:836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        154⤵
        
        PID:1808
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        155⤵
        
        PID:4484
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        155⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        156⤵
        
        PID:4436
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        157⤵
        
        PID:3140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        158⤵
        
        PID:2736
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        159⤵
        
        PID:2216
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        159⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        160⤵
        
        PID:4480
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        161⤵
        
        PID:3596
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        161⤵
        System Location Discovery: System Language Discovery
        
        PID:5020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        162⤵
        
        PID:1796
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        163⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        164⤵
        
        PID:1944
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        165⤵
        
        PID:4376
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        165⤵
        
        PID:3260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        166⤵
        
        PID:892
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        167⤵
        
        PID:548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        168⤵
        System Location Discovery: System Language Discovery
        
        PID:4032
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        169⤵
        
        PID:456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        170⤵
        System Location Discovery: System Language Discovery
        
        PID:3736
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        171⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        172⤵
        
        PID:3472
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        173⤵
        System Location Discovery: System Language Discovery
        
        PID:1704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        174⤵
        System Location Discovery: System Language Discovery
        
        PID:3456
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        175⤵
        
        PID:1808
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        175⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        176⤵
        
        PID:3572
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        177⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock"
        178⤵
        
        PID:1872
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        179⤵
        
        PID:5092
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock
        179⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        180⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        180⤵
        
        PID:4536
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        181⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        180⤵
        UAC bypass
        
        PID:3912
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        181⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        178⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4024
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        179⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        178⤵
        
        PID:4948
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        179⤵
        
        PID:644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        178⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:2480
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        179⤵
        
        PID:208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kMsoYIII.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        178⤵
        System Location Discovery: System Language Discovery
        
        PID:3904
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        179⤵
        
        PID:744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        176⤵
        
        PID:3420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        176⤵
        
        PID:4676
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        177⤵
        
        PID:4100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        176⤵
        
        PID:1724
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        177⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tywUQUYY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        176⤵
        
        PID:1228
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        177⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        174⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3644
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        175⤵
        
        PID:464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        174⤵
        
        PID:2224
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        175⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        174⤵
        UAC bypass
        Modifies registry key
        
        PID:4932
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        175⤵
        
        PID:724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wesMIkgM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        174⤵
        System Location Discovery: System Language Discovery
        
        PID:2208
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        175⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        175⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        172⤵
        
        PID:4228
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        173⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        172⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        172⤵
        UAC bypass
        
        PID:4004
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        173⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TKAIwkok.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        172⤵
        
        PID:4620
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        173⤵
        
        PID:668
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        173⤵
        System Location Discovery: System Language Discovery
        
        PID:4640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        170⤵
        
        PID:940
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        171⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        170⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        170⤵
        UAC bypass
        
        PID:3692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RKwocYMk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        170⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        171⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        168⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        168⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        168⤵
        UAC bypass
        Modifies registry key
        
        PID:1872
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        169⤵
        
        PID:1144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mEQcocQw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        168⤵
        
        PID:988
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        169⤵
        
        PID:3896
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        169⤵
        
        PID:4292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        166⤵
        
        PID:4592
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        167⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        166⤵
        
        PID:756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        166⤵
        
        PID:1292
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        167⤵
        
        PID:1160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hKooAIMA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        166⤵
        
        PID:1044
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        167⤵
        
        PID:800
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        167⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        164⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:4388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        164⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        164⤵
        
        PID:4844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UcYcMgkI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        164⤵
        
        PID:464
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        165⤵
        
        PID:264
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        165⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        162⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2664
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        163⤵
        
        PID:3712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        162⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        162⤵
        
        PID:4596
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        163⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GqQUEIsA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        162⤵
        
        PID:668
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        163⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        163⤵
        System Location Discovery: System Language Discovery
        
        PID:3476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        160⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3984
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        161⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        160⤵
        Modifies registry key
        
        PID:4588
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        161⤵
        
        PID:3412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        160⤵
        UAC bypass
        
        PID:4892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vggwooYQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        160⤵
        
        PID:744
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        161⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        161⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        158⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        158⤵
        System Location Discovery: System Language Discovery
        
        PID:2384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        158⤵
        UAC bypass
        Modifies registry key
        
        PID:1080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AGMggssQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        158⤵
        
        PID:5092
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        159⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        159⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        156⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1216
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        157⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        156⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        156⤵
        UAC bypass
        
        PID:2696
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        157⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WWAoQYAo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        156⤵
        
        PID:1020
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        157⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        157⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        154⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        154⤵
        
        PID:4928
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        155⤵
        
        PID:4224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        154⤵
        UAC bypass
        
        PID:1876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TmEcgAUE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        154⤵
        
        PID:980
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        155⤵
        
        PID:264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        152⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1796
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        153⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        152⤵
        Modifies registry key
        
        PID:3408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        152⤵
        
        PID:752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qgQgYkwY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        152⤵
        
        PID:2168
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        153⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        153⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        150⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        150⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        150⤵
        
        PID:3368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lmQcsgks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        150⤵
        
        PID:2496
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        151⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        151⤵
        
        PID:940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        148⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:1528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        148⤵
        
        PID:1644
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        149⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        148⤵
        UAC bypass
        
        PID:928
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        149⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VWYQwIoo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        148⤵
        
        PID:2904
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        149⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        149⤵
        
        PID:724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        146⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        146⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        146⤵
        UAC bypass
        
        PID:3012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\laYAYkgI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        146⤵
        
        PID:3624
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        147⤵
        
        PID:740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        144⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:3596
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        145⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        144⤵
        
        PID:2072
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        145⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        144⤵
        UAC bypass
        
        PID:5048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WAUQkIgY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        144⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        145⤵
        
        PID:208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        142⤵
        Modifies visibility of file extensions in Explorer
        
        PID:892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        142⤵
        
        PID:1160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        142⤵
        
        PID:4184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dqQUYswg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        142⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        143⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        140⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        140⤵
        
        PID:3608
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        141⤵
        
        PID:3424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        140⤵
        UAC bypass
        
        PID:4192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hSIAQkMM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        140⤵
        
        PID:3420
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        141⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        138⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        138⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        138⤵
        UAC bypass
        Modifies registry key
        
        PID:3992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RYYwEwUs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        138⤵
        
        PID:1116
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        139⤵
        
        PID:960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        136⤵
        
        PID:2408
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        137⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        136⤵
        
        PID:2904
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        137⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        136⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:540
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        137⤵
        
        PID:368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LCQsUgEs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        136⤵
        
        PID:4568
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        137⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        137⤵
        
        PID:1292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        134⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:432
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        135⤵
        
        PID:772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        134⤵
        Modifies registry key
        
        PID:3820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        134⤵
        
        PID:2696
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        135⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YsEgYgAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        134⤵
        
        PID:3456
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        135⤵
        
        PID:3692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        132⤵
        Modifies registry key
        
        PID:1648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        132⤵
        
        PID:988
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        133⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        132⤵
        UAC bypass
        
        PID:4996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CmsoIgEE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        132⤵
        
        PID:3408
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        133⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        System Location Discovery: System Language Discovery
        
        PID:4568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        UAC bypass
        Modifies registry key
        
        PID:4944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kIQscUUA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        130⤵
        
        PID:1240
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        131⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        131⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:1572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        UAC bypass
        
        PID:2696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jMkssQcM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        128⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        129⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        
        PID:2660
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        127⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EmUkgwgI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        126⤵
        
        PID:3264
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        127⤵
        
        PID:4136
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4292
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        125⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        System Location Discovery: System Language Discovery
        
        PID:4936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        UAC bypass
        
        PID:2796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BysMUQIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        124⤵
        
        PID:2920
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        125⤵
        
        PID:384
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        
        PID:3420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        UAC bypass
        
        PID:1424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GQYkEQcA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        122⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        
        PID:548
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        121⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        UAC bypass
        
        PID:1588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\syQcEUEE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        120⤵
        System Location Discovery: System Language Discovery
        
        PID:3236
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        121⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        
        PID:1872
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        119⤵
        
        PID:3368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        UAC bypass
        
        PID:4376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qeMgUoAI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        118⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        System Location Discovery: System Language Discovery
        
        PID:1160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        
        PID:3820
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        117⤵
        
        PID:628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        Modifies registry key
        
        PID:4276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GSwQAowI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        116⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:3624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:3260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        System Location Discovery: System Language Discovery
        
        PID:4948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        UAC bypass
        
        PID:2480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NUAkMAck.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        114⤵
        
        PID:4844
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:1232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        System Location Discovery: System Language Discovery
        
        PID:980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        UAC bypass
        
        PID:4944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pOUEksAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        112⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:3424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4192
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        111⤵
        
        PID:4772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        
        PID:4100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        UAC bypass
        Modifies registry key
        
        PID:772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xGcQYAos.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        110⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        Modifies registry key
        
        PID:1100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        UAC bypass
        
        PID:752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eKcQIgQI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        108⤵
        System Location Discovery: System Language Discovery
        
        PID:440
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        109⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        Modifies registry key
        
        PID:1528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        UAC bypass
        
        PID:3692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FmgQwgQI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        106⤵
        
        PID:928
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        Modifies registry key
        
        PID:3896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        Modifies registry key
        
        PID:2088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JKowcosc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        104⤵
        
        PID:4604
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        105⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:3892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        UAC bypass
        Modifies registry key
        
        PID:4296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IGIckIUs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        102⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        Modifies visibility of file extensions in Explorer
        
        PID:800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        UAC bypass
        
        PID:988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PYgcYoYI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        100⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:3728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        
        PID:1368
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        99⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        Modifies registry key
        
        PID:512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eUYcEksQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        98⤵
        
        PID:1876
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        
        PID:4192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        
        PID:4700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zckYEooo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        96⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        UAC bypass
        
        PID:3500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iIgUMYQs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        94⤵
        
        PID:2764
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        95⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        System Location Discovery: System Language Discovery
        
        PID:4228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        Modifies registry key
        
        PID:2796
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        93⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        System Location Discovery: System Language Discovery
        
        PID:3164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        UAC bypass
        
        PID:1160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qIgEogoU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        92⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        System Location Discovery: System Language Discovery
        
        PID:432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        Modifies registry key
        
        PID:1404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        Modifies registry key
        
        PID:2948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EGokwkYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        90⤵
        
        PID:3644
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        91⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        UAC bypass
        
        PID:4184
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        89⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zkoYcMgM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        88⤵
        
        PID:4152
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:3760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        Modifies registry key
        
        PID:2216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        UAC bypass
        
        PID:2920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qyYEIowg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        86⤵
        
        PID:3728
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2828
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        85⤵
        
        PID:760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        Modifies registry key
        
        PID:4160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        UAC bypass
        
        PID:4928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iMoUQsMc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        84⤵
        
        PID:2064
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        85⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        Modifies visibility of file extensions in Explorer
        
        PID:644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        UAC bypass
        
        PID:3536
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        83⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xcIAYgkI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        82⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        System Location Discovery: System Language Discovery
        
        PID:1588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4488
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        81⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        UAC bypass
        
        PID:4936
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        81⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SkQAsAcI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        80⤵
        
        PID:1080
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:3904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        
        PID:3260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        System Location Discovery: System Language Discovery
        
        PID:4940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:1144
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        79⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eyUAQcYM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        78⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        
        PID:4072
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        77⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        
        PID:740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        
        PID:844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tWYQkMgw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        76⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        Modifies registry key
        
        PID:4932
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        75⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        UAC bypass
        
        PID:2380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fKIkggoE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        74⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        UAC bypass
        
        PID:3620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VyEcQgIQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        72⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        Modifies registry key
        
        PID:3596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        UAC bypass
        
        PID:3976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ngwQkwAM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        70⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        
        PID:332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        UAC bypass
        
        PID:772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AkkoUwkQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        68⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2980
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        67⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        
        PID:724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        UAC bypass
        
        PID:3968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wWsQUwcQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        66⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kMsUcgcU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        64⤵
        
        PID:4676
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        Modifies registry key
        
        PID:2236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        UAC bypass
        
        PID:2716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EAYgIEMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        62⤵
        
        PID:692
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:4772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        
        PID:1372
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        61⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HeEUwYIc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        60⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4244
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        59⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        
        PID:3896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        UAC bypass
        
        PID:4836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VcgAkwEg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        58⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        Modifies registry key
        
        PID:1684
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        57⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        
        PID:3264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zEQooAoc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        56⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        Modifies registry key
        
        PID:4440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        UAC bypass
        Modifies registry key
        
        PID:1156
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        55⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FowUckEM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        54⤵
        
        PID:4100
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        UAC bypass
        
        PID:3368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zMIUYAoE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        52⤵
        
        PID:4116
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:1020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:5108
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        51⤵
        
        PID:3448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:3152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        UAC bypass
        Modifies registry key
        
        PID:2168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BoYoEsMo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        50⤵
        
        PID:1796
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        51⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2692
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        49⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        Modifies registry key
        
        PID:4592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        UAC bypass
        Modifies registry key
        
        PID:4352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RAYkIEUQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        48⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        UAC bypass
        
        PID:4360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\woUwgwkc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        46⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        Modifies registry key
        
        PID:1828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        Modifies registry key
        
        PID:760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:2832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AIIQosko.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        44⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        UAC bypass
        Modifies registry key
        
        PID:316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QEEggMoY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        42⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        System Location Discovery: System Language Discovery
        
        PID:1044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\smAEYcks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        40⤵
        
        PID:2904
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        41⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:4124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        Modifies registry key
        
        PID:3896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        UAC bypass
        Modifies registry key
        
        PID:2408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GKQswwIo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        38⤵
        System Location Discovery: System Language Discovery
        
        PID:2816
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        UAC bypass
        Modifies registry key
        
        PID:432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PGowoMcI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        36⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        Modifies registry key
        
        PID:4596
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        35⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        Modifies registry key
        
        PID:892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        
        PID:3408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\euAksoYA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        34⤵
        
        PID:536
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        35⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        
        PID:516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        System Location Discovery: System Language Discovery
        
        PID:3620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\luwQMMMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        32⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        Modifies registry key
        
        PID:2236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AAoskgYU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        30⤵
        
        PID:656
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bWkkAwcY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        28⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        System Location Discovery: System Language Discovery
        
        PID:1876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        
        PID:3912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        System Location Discovery: System Language Discovery
        
        PID:3840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        UAC bypass
        
        PID:3856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ygIcwcwA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        26⤵
        
        PID:3192
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        Modifies registry key
        
        PID:4208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        UAC bypass
        Modifies registry key
        
        PID:1328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qUQgIIcc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        24⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:3692
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        23⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        UAC bypass
        
        PID:2224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VCwswAEU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        22⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        UAC bypass
        
        PID:1596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cugQAIsY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        20⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:3332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1080
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        19⤵
        
        PID:4700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        Modifies registry key
        
        PID:3424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        Modifies registry key
        
        PID:4592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ugwYEQIg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        18⤵
        
        PID:1404
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        19⤵
        
        PID:1076
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        UAC bypass
        Modifies registry key
        
        PID:2384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fwcggkAI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        16⤵
        
        PID:1876
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:1128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        
        PID:3912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:3056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        
        PID:2900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bIsUsYMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        14⤵
        
        PID:432
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:4800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:2660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xGswcQQI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        12⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:4120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        
        PID:3592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qkUYwAYM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        10⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:1216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        Modifies registry key
        
        PID:1900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FasEMwcc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        8⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:3152
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:752
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        Modifies registry key
        
        PID:4700
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        
        PID:1076
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\okAQQssk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
        6⤵
        
        PID:384
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:2780
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:2452
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:2808
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      PID:1320
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hOAwEkEU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:800
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:3156
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies registry key
  PID:3912
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:5068
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:4556
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FkksUAwA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4712
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:4892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3892 -ip 3892
1⤵
PID:2900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 4244 -ip 4244
1⤵
PID:3476

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
PID:4368

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv ZXIH22ZdFEqEqehVSGqonw.0.2
1⤵
PID:3164

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:3736

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
PID:980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\DiQIQgUo\fGogsEAI.exe

Filesize
110KB

MD5
04c2ca3119e1762dc3acec1c177d99d4

SHA1
e5036f4d915703671ef0b9566b908a4702069b6a

SHA256
e416af18123025a107e8072e73f6126e4051842274a9d44fac5fb94bc9c19cfe

SHA512
4100314c20b6786fbd625c8f8bdf40d8bf0d5b8bb364faa133d9c97f9693599e37c1c112dc42b365faf9e49b31ccdc9a033e1770350d6620c55b77720a05b739

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AutoPlayOptIn.png.exe

Filesize
121KB

MD5
01a8081b753428cae13f92d0887d7a68

SHA1
1faa50c1759a24159bb524cbfd5ed80d1c7aaff4

SHA256
e115c5dd0a06f76d3525bd4114d279a21268f1885e501994e8ad2f2ba2f5bdcf

SHA512
3f11560956ed26ee6190758d03d525e327b7b0e85a45e5ec984cbd1ca12dd5bf3bad47d81838af7c249c0e7b2ff1a74ee546c4e4ad6b91f0b3cd4ba2fae14570

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\Error.png.exe

Filesize
117KB

MD5
131698501e62bc49fc44e6cb09ec0b05

SHA1
424beba66dab71b1c290414f6b10330c20244834

SHA256
3a25974a001426adb5baa28e6332c2f28b4dbfbeafeb5ceb37db8a658112964b

SHA512
08e22eb32e5f5a3c5e6e84f40447d8690156daaa4beb63f574fbdf537197dcad3c13b5268f10a6f00f8e3111a91aaa7f10f2e980bf2c3197b89e8f93f73de25f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaCritical.png.exe

Filesize
118KB

MD5
732c80ba3dc906d3a6474a5c6ae9686d

SHA1
54ed2bc47d0b71dc6597298982ff7797b3d90121

SHA256
a98625e13a2fbc74f6d7d25587fa1c88b7b5e076446d226455ee3ba1d626a124

SHA512
c10303e148a30a744ce30930755abcf50094785ff9ab32c83f4ad58d460dfd95fe30ee0678545ac928cade2e3ea41a6968dd72b12adc414e9ecbf1bebcea979d

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-11-22_784d6132ccc958a3e44ac9b8f26b64e1_virlock

Filesize
772KB

MD5
d25529e9080d702963a5a244ecd0f316

SHA1
f01716bfbe0018688834ea7015d2453f058efb2d

SHA256
ac61d8db9f5dd07d2719b46a1cbd859e65b55f4c64a7a3a433f005353daf1381

SHA512
641c2b15b12688db80074d06a59d871b59aa2d6b8ae5b9924258b68abc5ddc3aa2ba4f7db1447cadf051a2957fc082d3ca0484feb219896ea33a4c3391cab1e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\AEwg.exe

Filesize
113KB

MD5
a16a4c96a765837ac5427eb20a0fd8ff

SHA1
95000513c0bc1b2a23e74314d03dc3b6dc840840

SHA256
9b427137853cf8d8528a34836d111e7deccfda0ce4eaed0cd98509ca3497c0b4

SHA512
7d0cee7cfbdeae0015859fae74100525f8523f0a9fa1c93e124df102da0c396ce8f9098da5b885398a64e25dfdb0bb037b34fa152a37ac32fa21ff5fa50758a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\AUsE.exe

Filesize
110KB

MD5
289a36d64c4c4f87e69e71544a4f4d94

SHA1
5788e3d71417a4191f99d6187cf07350f76cef7d

SHA256
8ab167fe60521c4f6936c539c7f1e4913fdc5a00a6824e5801842a3e69f43994

SHA512
2e8780375865371b3bb4e1049fda7d044aee227212e091c480128209e714ac9acb38f4cc9fe6f85f4f6867b5f1b8c78c3476c912a5a8f2b599d2f6266c73f7ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\AYYi.exe

Filesize
744KB

MD5
9f1ecbcd683849f83797e3c1402d01c8

SHA1
9117fa934a82af77bacb493745dc87c5e63a44b3

SHA256
fe9d069e0933d3c31c8da5973b889ee2e3afc86de0ee6fae668c9ff0fe01c472

SHA512
15c76e354abbfe9107fb1bd40259b5f5400a2e9bb980af0687396afb293550778630d0ea15a5d0710137a38c7dc5dc0f4a15f75c9f92877222d602c0b5e16b7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\BEUk.exe

Filesize
116KB

MD5
7104ceaac5b6600efc684fdd977ddede

SHA1
e137f5d2d8a88ed965800c801a0ad16347f05abb

SHA256
bce840645a49fe5e7fe9f8049f56391c3a678548a7df3a3f90781b9f6e170fc5

SHA512
515a6e3fc112943e8b9215293916b7a5d5977646acc11598fce99575bcea85c6f5b494deb9b9cc79dc97dc2b2d9996bf6988ee8b5c053a864bd93a6bdecf29ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\CUAO.exe

Filesize
139KB

MD5
d7cc60b57be118fada86977888030c0b

SHA1
fadf5f1c3bc80144b2b67d5fdc4ecccba2abdc0a

SHA256
33efc8bae5759d33d855d8486b1623d0e9b9da8a9caa996c6f66264de5eebcbe

SHA512
7c177e1d5652f470786105aeecb788ed521ca0c0687ea3553a1f7e3fdb8c790c90e5e64a19f6b53217fe22904fc4bb78190b8e816fb31dfca3a29bd5a9be4f25

Download Submit
C:\Users\Admin\AppData\Local\Temp\CUMe.exe

Filesize
113KB

MD5
cf5fb5f1c5e0a9838f22f8df9edcb486

SHA1
3e2689177dc3b14e9ff5ffe56c41384c7632a8cb

SHA256
f4ff8e8af4b2d233a6d8f9075cd57d363c6cf93eb29f8fee0ad025eb91269422

SHA512
33e14537052c57c63f52f4afae72b1f77736fa3599441da27d03994d4010575c9cf3640e1805abcb8a44e96280903ce5700b3015d97d927275c226b93a1b54bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\CgEE.exe

Filesize
550KB

MD5
cb27c9bafdca454e3b682b84f3349d1a

SHA1
c1213eefc8effa729d62e8709c5368409a6e47e8

SHA256
bbcb053b149d4d26655fa336d29592f8d43d60f04e6dbc1d3941f53b7847391b

SHA512
ef44158496e077653409292ececefd3418c27f3d13000ec4dee205ae9b04332e639ec4b549ca6080d217b22bb728920cbe138cadaf0aa7dcee6b20d4dea55e11

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cwoq.exe

Filesize
110KB

MD5
bbb39f0f091cf73811069fbf04d94a87

SHA1
c3b0be205ccab0ec5d83ae4e9750b9b6f4276c7e

SHA256
4d48c1eef728f61c07980f0254ae4905bb5c528437a4cfe88746a9c19508c87c

SHA512
1e3ba92d55fb5e4e2646dcd3209db00bd078cd68219b9fd616d1f7576447de1a404ecb14183076696a12e1990e774070f974e265a41fa7d53ce9ee977bb89efd

Download Submit
C:\Users\Admin\AppData\Local\Temp\DIgK.exe

Filesize
110KB

MD5
4436e3afb45391ba498bd61820f637fe

SHA1
9df1a31b4ee520114e75276a0d15d33ea6766cd3

SHA256
97c15d92f405c63c239ba60250530586b2b7f1ae8079ad7fa3f5166fb9bdd2a1

SHA512
fbd4149a47d23d6e3611298eab768c7db314fbe153c7997c8e1ba1e076e9569fe073abebdccc5b28031b98917ee7b324ce42e2ade369a2b6b677df6e68cd2a2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DgsG.exe

Filesize
112KB

MD5
27f377d0a6f6e004fd1648580ef78f86

SHA1
8aeddd85088698a6babbdc0290653afdc601153b

SHA256
132a5dbc4d18778fe3e86b425c9c25c112290cbaad33beb7cfc9baaba569d0d7

SHA512
c16f8ad67d7dc4e2b848f6ec6c4521d8c0447398783f19c7b4062ed7f94d735c3f014cf43027425373fcb82f90451523aaf45ea2eb72a16e384d487af3e2748b

Download Submit
C:\Users\Admin\AppData\Local\Temp\EkQk.exe

Filesize
566KB

MD5
56cf58126ffb99b892396d2c6ca2252d

SHA1
ffea13a9f8c5ac1f71bc26c31d42564c7d56ce08

SHA256
36102eaa53e09b8fbc9fd5c8e54f0ca4020948d1532bb1ed4aaf9e63aa0ef230

SHA512
0914527e5e31f10a5b0b6bc6c4eb30038a6eed46fcd68d56c7f0bbac983b190df77e84197978d341d0929555feea18a21761080145c0a10fe59a49366711e3cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\FAkA.exe

Filesize
109KB

MD5
f5ea4d18d41f578a1f013d1408d657f7

SHA1
5108018e89e3dee57c4aa2db51a0e7c31aa9e2c6

SHA256
101c0937a64dc220b48445547ec8cd2e6b1cc9395e94cdba2b79599b1dd4e29a

SHA512
03211b39e550383d77942978e82851922fa9608de4b686bab5cd64637e8aeb04171bcde8f463d430f23b669ad18932ffb8ca214433ed14de4fef05f3d791c233

Download Submit
C:\Users\Admin\AppData\Local\Temp\FQYq.exe

Filesize
634KB

MD5
f39c935dce6fbc36022359a55c91d7c4

SHA1
3c0892849fac4c1da820e95732ee96b5328cddd3

SHA256
90a96944a27f00b81932ff37ca00cd6b021446f5f195261505e2c37b5a4cecce

SHA512
182ee96ebdfd491c2fda7d0b61cc1372dbf05859e747235555fec591f3963d0ee6f67575e27a07cf7e74fedaf679f687bcd249bc32de3d10f216f4b6e5dbc3b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\FQcG.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\FcwW.exe

Filesize
112KB

MD5
a58c815226e8c24a95d159ffa1fb66db

SHA1
5933c752c536ee8cc934e50210f74c6147efae7b

SHA256
6da56d16143df7b7825edd93a678594ef8f2c5d6ad58bb1baa8de0b4dd251f69

SHA512
1e015f052b3831a7ec96b43d41901d65a33d4c9aa8fbf7e3c5d2ae3750e1cd7549dd6bc63589587126ba9c60390b4c2c7fd714900f4d9132512bf4faf22617b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\FkksUAwA.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\GwQc.exe

Filesize
116KB

MD5
ed3a5a82592ff49904822adf8633273a

SHA1
a0e791f40f28ecee6860bb4c873881b4abf262dd

SHA256
3e53cc141dc5ef54acc25f0c16b0d9a6110a5736eada94e875659deb5211c361

SHA512
7aece292a3d797da0a7c45d7ec01f81bcd2cb8582b817aa94b76b32d41a851021087431388197d3c2f4d96f6c3d8d754f74a1e21b56fcc066cad3fd6d91d5275

Download Submit
C:\Users\Admin\AppData\Local\Temp\HAYc.exe

Filesize
110KB

MD5
e80c6a6433c5bdcbd0fbecc375d0d2fb

SHA1
fc21e386e678bff3c3120c7332567f43222e6168

SHA256
288a1881340bdc084ec20fa32ffde9f03ca63f4087d680786bee13926e4b6aca

SHA512
93c846c8920dcf193f0f648d01b33dc0d810a78223b9afb2bfcccf1a7778f4fc3db0e7facbbf294673afd363cadca4e7d33f74fcdcd3b0c74694bb99398a45b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\HgYi.exe

Filesize
113KB

MD5
9035e86122380b4aa705cd3a80513303

SHA1
c9be52e2b46bdb2666b156115e147e27d6c35424

SHA256
0ebfc8dd46d919be38db2df1c9c9c4e3f41212c497d062627bad913446e65f3a

SHA512
15d4895eae539bf806154010e85c0baf2d0b6c002a75b3d43e40944bc17f4ca62934d4794f882a14e8618852ca8483b57d01f26c1c24e554d4c6ea5492567991

Download Submit
C:\Users\Admin\AppData\Local\Temp\HsUq.exe

Filesize
554KB

MD5
8d25b178444fc74001ba3f008f4cdf96

SHA1
61d52e38eebd31e16de2ff65d96080e7c84874d6

SHA256
3f70568eaafc68659a8c03e05cabf2eb3666807f86e59b76143ab910de127368

SHA512
03c1d4fa10d6efba64de28b450ffcb69a67cb2060117870c74d3677815c1bfa2615dc1a06033f7b3ad9a79dd65e4a262cdcf0eb94081e935dd6d409660382425

Download Submit
C:\Users\Admin\AppData\Local\Temp\IcQc.exe

Filesize
137KB

MD5
09f1f37b0810a63294b9c9d96cbe3dd9

SHA1
10f9bf0b99c0f6aaf72f1c21c939928bab3506ca

SHA256
10b5e545155bcb40546484a06b20ec719c5ccb6113f27686c8935f53741c0f6c

SHA512
52a072825796baf88f180bd1c778de2f86c83d70ef5f9fa7a3296a5b8c889c7c6cee8113aebcf9da43f582df15c9c9b22903e99b83ecc667f532ef1776e2ba15

Download Submit
C:\Users\Admin\AppData\Local\Temp\Igoi.exe

Filesize
112KB

MD5
b504d747ad82294d54427d22998330f7

SHA1
9ec05e890c3d334bac0d52f3c653659079325aff

SHA256
8091c308088d95c894c080e3d88ad9dc08f10b97c28d2b2336e6cb88fe17e6e2

SHA512
2781b36adc41680f8227e37c64e9749b2c4ff470d4a89d4fb36f2a6291aa3e4a9ac41259a5f477d790a47f9431e7f1e34bb78602b69c0fdbf4faf8a98fc06e1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\JYYA.exe

Filesize
111KB

MD5
e19dd5bdedaabe35a76a0ac441431606

SHA1
6edd5e3fd9212b3eb1c078e65858aa73820dbfdd

SHA256
0d5ebe310e4edcd69ddc8c6a9455d014ed100ba6d37d2360c1b9376d51c7e916

SHA512
3e37331740ee5266b603644e8cc5c62c93bab04348f84c6e7480033eda186541d2e8af528a3687fcb10e323c8777e538d58374c657c37b67a1a5e8d73962d36a

Download Submit
C:\Users\Admin\AppData\Local\Temp\JoYo.exe

Filesize
5.8MB

MD5
1561687d55cfb5d07d37fa0246815814

SHA1
75dd757b9f873a26a28409a9883b89d479c9e442

SHA256
30b9b23bc28eb6fa2f5e01f7442a2902d6c331393daa07f81ed39d0a6ae7d942

SHA512
3b407451ab185232d22dd552a6a66e0452a967aad12713b72650b97b400ad39fb3f5927092f400164f1818a7e1d77f0ba8e82bcea1da5a191214a454a641f66a

Download Submit
C:\Users\Admin\AppData\Local\Temp\KIIq.exe

Filesize
110KB

MD5
918002eb2cf1b0791c5bbe9c228e1e24

SHA1
12680743f7b12c24cddb623c25033e87c591bfd8

SHA256
4e1f6ad5b9a1ef877c65a25186493ce4e291e985752cb92e93ab129d84043425

SHA512
f24e6c90e0fd1b2afb2c3504ca3419aae4ab1aeab11db6289e4cc51604f463de606fc0330fbb1b8cb95fc8263752c24ae93362483e6200faffa9541814c55db2

Download Submit
C:\Users\Admin\AppData\Local\Temp\KQwA.exe

Filesize
110KB

MD5
a08ee691e0f7fe02446b5e410027b42b

SHA1
b476e77c06d8f3ebe335f01b87c459b1a83ded69

SHA256
08beda1f3285f7a5cfe6ad2831607091e0e3329b8ad2a1af3449389017696734

SHA512
4f4ccb388655d3e455f12779e3ef0fdf564d3976ae7cddc549bff702ae95c4e7adebc0bada29a6fd6f0744e2716b255f03ad8c93d1ce78881c6cdc07a826f504

Download Submit
C:\Users\Admin\AppData\Local\Temp\LggA.exe

Filesize
490KB

MD5
f559bd8979472772c08213ab749a9525

SHA1
d942ea8b49c11bc68a75bdb76c6ca83bf3cc9c30

SHA256
6fde900b0c46b881a1076134e5ffc6d1a4ccf57447e81b02486a1b5646cf703d

SHA512
1ddb6292c316653db2fe1542f1c71eb74846b1677d93f79a90998a6bb1419292bc008dcaa0cb6b83d105b8755185bbd879f73456e79e788d159905c2d915abbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\NwoK.exe

Filesize
484KB

MD5
afd4e13ad27ea4042e417862c1253b07

SHA1
25e8a6fab4fc077522f114b78a875346dc8ab7bd

SHA256
65ec14d0031e23e90dd0792b75730da4877a6360f5ff1156561c3476b02ab72a

SHA512
d6b1deb11a686bdf71fd89e729d25f36ea7ed3dce5878ecb199b5d7e485d3f1d6a7f7edd4b6492d304ef0dc313153229680655e1f07c687947339e3343044649

Download Submit
C:\Users\Admin\AppData\Local\Temp\OAEw.exe

Filesize
115KB

MD5
dffa7aa201ab3046b655e36dd9a77356

SHA1
9fd30d62fa48d4bd4745d332f23a32f006005315

SHA256
6b51106bcd590ff4de3320de428787b313e2c1706da5d49805a0cbd481466407

SHA512
8b05b7793a8d2dd53f2f5226a12af8ba53d8f39b1cf28c5ff2a8e22faf5dad50b907ee0335def4c68ef50fd7adede68628e7c0efb8a7bfc8562ff11b77e9d2dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\OYYw.exe

Filesize
111KB

MD5
29161dc50ea14347318d486863d0f4cf

SHA1
933ce33b8ceef811c2fc432b4d7109011371b103

SHA256
47eae8be64e587a1e4e38e9c6828755c03b6768fc6cc84ec84f9082a5f25162a

SHA512
feeaa825664f36cae0d60f5af083dcedda503f79d8f53db2382e278a631dabe39df50080bb6ffc6c4585c698fb8980769b7e759c5ce36d6f77bb449078a03209

Download Submit
C:\Users\Admin\AppData\Local\Temp\PEkk.exe

Filesize
112KB

MD5
7c63a88d243e0b46d0a5e296e83f2871

SHA1
2e0b12888fa5bfa261ccf4814e566ccefbeb4a82

SHA256
97638ce30a808daa81885ac7e206dbb4aff4385b01719ea11a72fda7c7b7d706

SHA512
f3a49b93e010c4efa7b7f52236e6cdd08932b942a06256913dfb40730642de1b151a1de4653ce0751d97b976ec4e086877d4e6b7f412058f018ef2654b7d399e

Download Submit
C:\Users\Admin\AppData\Local\Temp\PgkM.exe

Filesize
122KB

MD5
5e6366a280767643250bb21b5ac2c03b

SHA1
733c4ea3b8cb03527b01d99e6c4826f5bf10d4a0

SHA256
bb2ab6a582905bf25dc07f810c5f5e9d7143e0e91af034155d0981c0b5c8799d

SHA512
94f7f66c450a41cd72a4143c6cbe7f7b6f717efdda23c8a0c59207ab8f9911dd4bae4652c568b421231839bebbc7d4d3cd8efb9985be977183eada286804b74a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pswk.exe

Filesize
744KB

MD5
c1b256edecc7b3a75e7187ae12161d50

SHA1
05b39c1650f1981b268527e9d6a9b037b83cab7b

SHA256
6693668379b0d8c088518ee41865369d144bd59b2f69e221147774629d61016b

SHA512
44f154353e60cca4faf4eafefb34eb7d1d949151cee26caf2fbc72265a6c4845b46a9c5db15d909ba740804d62943d318ed2fa1b7d3d04d103ce8e7947b9a98a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qcsm.exe

Filesize
566KB

MD5
28e49a129c804900a5574dee401fd46e

SHA1
56f069f39a42ea550dbbc11c252fc18d3351eecf

SHA256
b54efdf1a8867464d0e308b92e3d95db1e590353111050634544d2ff6a48ee8e

SHA512
df08546d1f54ddb8282c2cf2aa197f5e0fc5d3735500460ec05263de015fe28edab4c78c4e4ddce66843f4f0f793ea22243bd9a4ec4ab242547a44ede9519fc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RAck.exe

Filesize
110KB

MD5
67dc1f4c05357015c56095697d37cef0

SHA1
8a800bec2bd52ad5127dc2d7af0785e35a7fd297

SHA256
60b84489e2e1ed0b12e672d9fb8afc2512bb57a4c286186bc95111ba2c6ee353

SHA512
a2f9b1a1a8a8998a3142b158163ae764557fba9b2e4d76463d5b75f9a3ff41885a5cb35e2491c01b7aae3baa0738797cc7e29bb53183ee042aad098f6c987010

Download Submit
C:\Users\Admin\AppData\Local\Temp\RAkO.exe

Filesize
111KB

MD5
4f8d78243c7e8984d0eef1d37abf948f

SHA1
b2d70066683efa41828dc6da16cf7ef8c519ac52

SHA256
eac889fcca675735f3cc813517022022a83005b6d17526b48c2f20cf74b74cf9

SHA512
163920eaeb02139fa187e2d69b571890832735c1ebc3e30df02a5fc000c0e5115e022b418d7c08aeb565cb4f28a998f77c760354a5872b610f004329205b066e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RAsO.exe

Filesize
111KB

MD5
c6c4dd4612df4384dc1748070dfd1850

SHA1
eb117a01604ecc5bba22600e6b80755316455f78

SHA256
a1edbccaac23fdd96cf28d71a2364f9d8f98a2dd96bd399e4b10f0684552c909

SHA512
47316439e2e1906270f7dc91c0cd54cfd05237c20013bbe7bae8f8827b5e8c52a1c76907498efba6055cf307549c3db12d18d60d10efc7e2426fd23149c18257

Download Submit
C:\Users\Admin\AppData\Local\Temp\RgQi.exe

Filesize
719KB

MD5
03b45ebd28ca3743823f2e4cc22897f1

SHA1
22cc2a24a4652fc8f2fe1c333cd48bf7a28136ad

SHA256
a2286a0f0918019820c8d71bdf839eeccfeaa64934a15f00097fa95933a325e2

SHA512
cd4311b509e1a99a3d390ae8e11bfd71eacb5ec269609df5f647ca549b3776a73d1d72bd6364e7aaf7dcf445b7ed5dbca484b2bca448dc0036499272d91c4f8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RoMo.exe

Filesize
112KB

MD5
4c00084fbdc54a506ced606e36311e14

SHA1
66ea12375d1935fcf249c92cbd2505cd0d0be315

SHA256
d0bbafb75959e791bc3409de41590fea36072e02d284bbadb615ea3bf5f38d45

SHA512
f20fe8ed876f740b6187c4ff704b89b874662039bebf9119cc5bbb44791517978bbead4200399b47917314655164af97b9c644d91433fa531dd65fc8a0d4f5b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RsgU.exe

Filesize
119KB

MD5
e57686a9992c5e087f0f0b91ca268eb8

SHA1
8c113baf35042167ca0d956c4e3b6a029048c8ce

SHA256
cd0590432633d21a19558c9e43b13959ca84748e266120c79c9d297952d402a1

SHA512
665eb0df0ae06e6c85c83025919af9acdb5a652c647495e1625ebf7cdf7e3312dd0f5b3df23886a9bfec4bf3226891a7a37e90ee535b2053983328c756e552c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RwAY.exe

Filesize
149KB

MD5
20c8a0d48c37993d50caadba57106094

SHA1
e3827d3c7cf65c6ad00aeb1923e5cf56cd2e6783

SHA256
0d28c754c1fa6c812670a2ca776094059dd92a1a60fb9cc7740c4ab8a3325dda

SHA512
e9fbe713267b3177f1c443b81a8185f9ce54532e178e5a6ffcd2ab522fe737c3f715fbfc1fc3d1c5f016dcb81f66d7814210187b6e4866e1ab13a40f1e76dc9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\SUQO.exe

Filesize
113KB

MD5
6add150ed1f9cb70e489b8edf69dbaf4

SHA1
2d25256961892b6eea000e62192a8f6566881e7c

SHA256
0266039e49eed3d170b60a179c17a8d871287a4e3915020668c4896e67d61d65

SHA512
5493d455fc83bcf1030e95f27a416c46e19d7b206d3955b69aa953c007ca29c46274f52935518f542815600d9ad131fa9a20224642d4c8bf2544a625f492548f

Download Submit
C:\Users\Admin\AppData\Local\Temp\SkgW.exe

Filesize
719KB

MD5
788aafe0ae568efddeb00ab447cea7f2

SHA1
3f31398ef05394705481997595b855ef2d6ab582

SHA256
33fd779f41faecf9e3cfa1ed1e5a7d7932fad330360603c7f9d88b102d225fb7

SHA512
b49c9ce4feed3af496f969f528085faa92bd9f614200a25d801becde88ef738ef143f10b349cf31ebb18274e40eaa2227b94ad4f9b1251319223100b681f2546

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tcwe.exe

Filesize
111KB

MD5
9b864196edd3f636ea2e2e634c38f6ff

SHA1
baf243a20fc4795793244859f86ec4e55c26cb7f

SHA256
8759862cff8f9035ba33c11c2a2f49946810f03e9cce225c57b1cde2c1ecbc85

SHA512
b4bed549b7370f298119a08be90dc35d8930c8e543df5c3fc8d9e945eaf6d0fc1a549ddaa2202223eabb8b49cbd6ac42c0fd99c7a89825cb61f3f9b86a493459

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tsce.exe

Filesize
1.7MB

MD5
10a69db5d3c4852ff53472ee6199a763

SHA1
c79249969cf9a267cc76c8166a9340e56441228b

SHA256
00cf03e4726c046a57aef41e234e52bb30b781a099ef0bb92ba3eb95aa9dc86a

SHA512
b1d9c2d86132558e701254e9fa8432d48d9d756c33d581864c0b4bab4307e2c937eb4d0ef5fe332a2c110e214939404202f1723ae107d6c9c0e8f0d3a4f3e1ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\UMwm.exe

Filesize
113KB

MD5
2906163441bd4187dcc4e7af55901897

SHA1
0e2b465a9f8a0dbd1c083c4214e13d2cd2268fa0

SHA256
0fe97f7140ce4fcfafa22ea4ec9a65c4b34aae2605158174aeda9ab47f5772ec

SHA512
134fef2136668c1052146d8318c13adf7bb820e1f0902a3c107b73c38c2a46c13c88114342f6238c5cd0b53986da8c4c1f4c9fe90a172e5f4b4f0c0e6d220084

Download Submit
C:\Users\Admin\AppData\Local\Temp\UYUQ.exe

Filesize
111KB

MD5
d1ff63cee8db622c7514159a5877c25a

SHA1
5aa18d3f3ae72c02dd175f88d8206708224b50c5

SHA256
954719a1c93304bf8a2eff1c7750fe4ca47d09f0f98457e2d4c5037bb64e26da

SHA512
0cf0d2653bf1d51ff73667666a0c3cbd80b6428c46f6d39e9b8cbac2c68c1997d4bdbfb3ac8bd5c073a6ad5594ddc4bcbadaf4c4ed899df6a9980d4d1fa672f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\VMUc.exe

Filesize
697KB

MD5
445670c1331c4a4f2a9a829587584bd7

SHA1
727b90cb5d5b5e05dfc06aec58a72264c999fd0d

SHA256
10eb94448d7b5976ed26b4e2edca7f137b76b03c71cfec97b942e1e8e7c7f498

SHA512
31c14006484b753016903ccf9323a203cdb1ab5084bda0c907c352e229472c72bc7061b18802eb1d21250804996c2f9012389507641e53898a2f1c420d4cee22

Download Submit
C:\Users\Admin\AppData\Local\Temp\VcMw.exe

Filesize
134KB

MD5
cc1912a9980df84384b25444b93675be

SHA1
fc9a74d88adeaf4cc410fcb68c5e9dbb27846909

SHA256
0b6ec32e38e34f19ca4466e478449681b37797e92065718e4567ee21b7e80fae

SHA512
3a8847fca17ed2647a961c0f88409528b17eeebdf688639adc609080d3cd04b1f379307b1a151d18c49754976bcbbf23fcf16f939dea96d725253da3952506bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Vkkw.exe

Filesize
110KB

MD5
f45e20b525773fcdfaf8141828bc011c

SHA1
a3c6352e4d33fb7cf9fd2beec985e446be92daed

SHA256
dc94aed39c395e81dac6009ba584c26f27a3b0189933a58d8a51060c4fcc5f64

SHA512
87963ce4baadf2de070776dc145da2392cb2bef1f809b2fad3ab107137496eb3dd2acc75e89ce73330f041593181bb67c29a6be572920ec3d0e19e90024cf0d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\VoYY.exe

Filesize
790KB

MD5
e4a94745e787d00fe6fe6fa03d2c583f

SHA1
989d0308c7d406789ec4290d12b22d1a75c2c00f

SHA256
edfe0d3f57915a2e9cd3a23ca72b4cb200cc2e5d090c2b9d9876af7fb88cc751

SHA512
5af770a3255d8296eae993203a38f60e21e164531fc3c6b04ea60fbbfba2f64d94fb53a5c38f6eeb50026ee7b15179bdaa3642af6f68ad60a8dde21b17ef6b24

Download Submit
C:\Users\Admin\AppData\Local\Temp\WIUS.ico

Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\XIIw.exe

Filesize
763KB

MD5
a3a6da192e434b166f1f3c4b96467b88

SHA1
9f4294eb4ec4de77dfb05b71fe166e0bf1af2b2f

SHA256
ceff3f31907b576e77400596040024f1433f013c5d4c9ea7bae29467c47ef6a4

SHA512
4d610c6599738f385753476ad7adc7276b4f2b0ebb2b9cc43856dc53222becc1b5ac64b24344d232191e2733d89fa4a7d4041b9d8c767fc93b84e25a741e1951

Download Submit
C:\Users\Admin\AppData\Local\Temp\YUoK.exe

Filesize
853KB

MD5
b4f4a830fed93d109971498fbb840a57

SHA1
2925499236a2a45dffd04d1d59eaeb8ff1361cb2

SHA256
b9b8dfdc45e2c089c340c724f5e572449e28bd0b3e2a03633d6616f7a20b3707

SHA512
4323379f16e8f04a4b5e9d078f20e5bfe6d0b7fc4c2cd448725c286040cef99acfa268ec74ff73432b172d924d11c9653bef063a188b2f20412624e526f70a77

Download Submit
C:\Users\Admin\AppData\Local\Temp\YcEc.exe

Filesize
111KB

MD5
62439f1d06ed9a436949494d2660524f

SHA1
8f8736db3f1a98d5d08c871f5fe83caa28088b43

SHA256
d548e361cdbb538546af2d565a1734ea2e37d54bdba208243260116f069f7463

SHA512
3f4fb85f308e537ad1ea852bdb2d36c7c86a4c417f18d4b1e3beeb04359651859a4528b01ac1ee074a63a491a43319b8caa6d2b8b64ae62470534050f4c57a57

Download Submit
C:\Users\Admin\AppData\Local\Temp\YgIY.exe

Filesize
349KB

MD5
21af425035722e66b3713c4b04bb93db

SHA1
aea3164d7b57b01d383cb99f71872e8fc0450654

SHA256
878bb585c32d6b462920f4d93cfe69e8449849f8254d5c0cb4ca63e7820b887c

SHA512
94d4b5a0f393a7e5bcb471ea3941015535a3888f17f0f98c6c52ccf71da7b6125e1ebcfad5f8839f17b6610103ff3ad528fb5d9fd41bf5afda50074620227c3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\YkkY.exe

Filesize
111KB

MD5
1bafee9b4fbd263c9f5ab01ed805b297

SHA1
9bc15f71e91a7b908a4ac6897176b03416da9d67

SHA256
470ecce0274520db2151986515463f545819e30132f666de0d3f9c55a4da8287

SHA512
5aab7c09f0176aac8131d855b4688df7481766cf15dffe17acb54674c57af4fc683d37f91a2c57f0bb840c7ae2f9c55253f7d45660e24a7709d9d83c9aefbaaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\YskQ.ico

Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZgUc.exe

Filesize
112KB

MD5
ce6a64be3e47ba90f8b899d514e6f563

SHA1
0f10989a2c3dc04eb340a0edc2386362e2528c12

SHA256
c3bb71203c93c4e4a7691610e6b62e15ecc6c61377e7eaf01ec66dd3ccde01f5

SHA512
1c2144947fd9ec31cc3fb7abe557f1d6dcefff37c9d5e7e3b41f9ee52c30f9c23f32a9711f68c235a2c702f7cf0ff3f5136341528033ff4628d65b30e4e23c66

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zkwa.exe

Filesize
775KB

MD5
d2bca58f396df5329ae616b1953d6741

SHA1
5bff3f957636317471c3c12e44c57fc3586d0079

SHA256
0cacf8a022366eeb59fa58c798be05c1f48fd9845e0d6daf26562e160b98369a

SHA512
c8fc387192049806f66e5852fe0a22c39a7fc4ccac1dd8c99eedc40963c4a2f641f8325fa1202906d11d7ce79118b0fe2bf2d4d21be8ada34668de4292eee56a

Download Submit
C:\Users\Admin\AppData\Local\Temp\asYK.exe

Filesize
236KB

MD5
95102992644b3f66f1115554d38740ba

SHA1
0fc65a70f1a70ec33ee837afbe6e9e6cf41f0607

SHA256
eb4d815a67b7885f24e8ab29318cf54c875b2ceeb7c49c142236fa68de1446b3

SHA512
bc3b95d349c0e03c3ef09b9a252d738e9ab7d28c6c37eaff8bdb80b2934462210c57b27eff9d2b96713ce46707f0efda8dd1cdfa148dc4fd190f1ba7d00b0463

Download Submit
C:\Users\Admin\AppData\Local\Temp\cgAI.exe

Filesize
121KB

MD5
6ea47a8e510ea256efcad551bdb5d1da

SHA1
20311b4619dd52ef90e0d2e256ad806a1682d72c

SHA256
921622f883631d8ad82901895c1521424ba015fea0b8e5db78031bcd0f1358e4

SHA512
57c510e23a4adf504af3e833053b3630123a8f1b7cd2ac3850b4e5be32243a1fa79055de0835af5f9bffcc71a4e7686ef33f43dee75fd8927d7b7ce645e8bb3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\csgW.exe

Filesize
556KB

MD5
5562ac7392a4478e579ced7aaa9f3ff0

SHA1
c75dacbba4b4963905937149697f30b988e20a93

SHA256
45859d50ebf82fdffb82ff68e5e26a10fc31604fb0d844c596c804ccb2a3a47c

SHA512
053128518e9520b44d066c642822ffe0b90e055280ed8ddff56a11b47870289714fd47433c8120a035da9fb024f3c41dc10636147aa4cb056791c69fba6400d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\dAMW.exe

Filesize
113KB

MD5
3d2d7376db68f68da2da652eb3301fbb

SHA1
8884927148059412874dbf5dd9997eb0d5fcf363

SHA256
74ff2115d6c241fe8bd23f93d2ce11eb7863009318918ef248309624ab866e2b

SHA512
558ae09d17cc8012ffe771254f9dd766685b2234d2d0420d72207ca0c8ef61c1290101a78f6d3f396f20d58379b756115427144b1029e46b61d06e050be6eed4

Download Submit
C:\Users\Admin\AppData\Local\Temp\dwss.exe

Filesize
117KB

MD5
d02158bdbf487b45b7c6e263080b647c

SHA1
5f182163716ebd37f891834d2367cefe8dd84bad

SHA256
8aaae83601c3cb29ef2077dc733fdd7eeb7924c430c3694410d8b5d5fad7bccc

SHA512
df391dc44edf5e5830769fa7920d98c07881334841d2240f203e201bee8764715c9efb5702c9a0781402b10ca7571b103db781a7b124c82e92d6f7edad8bbdf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\eMMk.exe

Filesize
554KB

MD5
eb7a99fb95c003daa00a85f33c5c5c33

SHA1
c27d115c4c0d32b2253353d8520635eb2ba5acdc

SHA256
b5dde4c73a936285b775a404a6f263a058b61e6f003313fa7d473e776cfb3329

SHA512
5a8fe8f7ea3f154f0b3ad2564bfd7310f9dd1ea5516318a60c5c4fbcb69a1f1f1979585ff54e48c99aced4e0ca3ea4d8d718b85f14d40c191b7e03f3c39d462a

Download Submit
C:\Users\Admin\AppData\Local\Temp\eMsq.exe

Filesize
117KB

MD5
8d31363fe2d8161e5a5d0b6fe049fa36

SHA1
6dbd726b24d7576f769d09c4ceef97a7ff271843

SHA256
d2a59e64c28dbd06a8612cbb20ff6d639ae0dc3050397074acb9661b67f66ef2

SHA512
df857bf1d0ec573e1e14f95c1c67d2eb91d849a261e3f12b61d2bf7eb0a219295b6a80bdfc84a39485368128c96d09a1b611c2f8ad1fa8a56febdc229514c6db

Download Submit
C:\Users\Admin\AppData\Local\Temp\eoEc.exe

Filesize
111KB

MD5
88df90637e4ddbd7c975a40700ec2f53

SHA1
03965ee1ccd5ec96fb35ed762e7c799dc20f129c

SHA256
8ad079f449ea5d0866a813996434983b5c4c60972be1feeeb65bc80087bae51e

SHA512
32c556d0081fdde3919ab723718492c35843770ccc310721af41506bfcaa6a8d08f05f961ee0166275915da3c436d865826fb73df8fc0242a7b600f2755d7793

Download Submit
C:\Users\Admin\AppData\Local\Temp\fYoc.exe

Filesize
114KB

MD5
344237f4a58351c458f080c526118a28

SHA1
dda408f8a22994a6d13ede357399bc82b35006f3

SHA256
7ff12cb141057ef26574ec71b129ad60ce6938d4833f603927299d79f78bc19a

SHA512
5a7e95f2182384fb3d89c815b2e5a6b2fdc72f2e0016f3488c279f5edde55789a1033e61d3c07c75fe457473d57af4b2d3ccbb258acdec7fd0cdc95f63148e16

Download Submit
C:\Users\Admin\AppData\Local\Temp\fYsU.exe

Filesize
5.8MB

MD5
1c6b4ddf3b85cf1165e83adf571a5ab0

SHA1
78ce507d4ccd34c331f24cf72f27bf8d36afe95a

SHA256
05dcc866a54876daf09a5dbd4bf8ff88043e8191dc1c1b02dbd86d640c1a9daa

SHA512
75545bf3250fcbfd9f322874e91cccd53393ce363efc8c0b36ca73df8ae33a446bf9a2af32d3a03609139b886626a2251a56badc8cbe51e9fe4a95c5013a7c75

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gUws.exe

Filesize
115KB

MD5
6910d1337ac7639b281b3991b3d4ef90

SHA1
aa145ea836e8ec7dda562d4bddf67a5cd3848986

SHA256
0f33fceb64d822f0610e062a7932502a9a2ff6c68f259b54b89a191c94efd9e3

SHA512
a4c72aa2038d316952b1ba33480dbdbe42a3e220c0eb8674fc8af2ef42857f5f29b9fd1e24af864a3b2edc1f9e2b1b9549c883b41bbe6ed30c53cee125e19c9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsci.exe

Filesize
113KB

MD5
6e5f76424351ad46f39adb1ab53fe377

SHA1
fd5230ec0d3994ed6fefaa940f00996aa971d896

SHA256
64307d08de96f61ae519304063c7ab736300f81dbfdfabd29f32371ec72ad98b

SHA512
3cb5f250da26ef1c9fcdb4c514e2156523c106ba936bf7e69eeee7bdf9dcaca53e8182401449e1075a9c3888dc234802f8a8b6d336680739449677ba928149d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\iIwi.exe

Filesize
139KB

MD5
ffd79737d77ccb31e54bffae1caf8bf8

SHA1
1ddfff5f3f38709c7a961943124fb242f42c49ec

SHA256
6072acf534344dd3e6b459a3c37e1077ba1808fb9d54fbc78dd850b4633834a9

SHA512
de588c018d68d68bfb85c4da520919ddcb6267261d50145fc110bdfec7aedf3695112a2acef1c03d38dbe2ff87414150f548fc7f6878c68b01aeffaeb7b5a82a

Download Submit
C:\Users\Admin\AppData\Local\Temp\icIE.exe

Filesize
240KB

MD5
9573c4b87bf881ed15b43383f3637f35

SHA1
3bcaac86ed52d60dcb3d51c2158acc5e33cc838f

SHA256
f19a14087369534878bd29490cbab847dc15e8f55b7be02e5520ea6af4a56852

SHA512
bd9b5dd221e2159f4cf554930fb6878149ea1ccf991cca363ff8c5ef1e8356df1c24e31fabd38779d4fed623752fedaf1a42d700bd8192fbc7fd08f23c83e8e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\igIW.exe

Filesize
113KB

MD5
11a796dd6e055f2f412939a237d633f3

SHA1
40d45db3e9a96897da191e5fd8e0fdfe57cccbe4

SHA256
8355f1261a78fa13385f72f4f8f058bd2552a09a159a378cb6c4fa69b1f22865

SHA512
2356009f171a3dbbb7293328112b987f8fb29e7e2525f2d4c787c39a394a4ef73dabbaadf51f36e5a1502ca452f939e60fc8ca35d243545db6b9f56e63074036

Download Submit
C:\Users\Admin\AppData\Local\Temp\jAcE.exe

Filesize
148KB

MD5
fbaaee4e7892fbfa86c25f50ea10dd45

SHA1
963c3ced6808f368f14e149933c6610bf9acb997

SHA256
02828982fe06cd73251f5c7cf033112b908f1cca4e59d25a42c3ff4833433a17

SHA512
565507eac00f7f85919c64ed9d728dec306a5fa695b27de876c5f1f7685b5fa5d503705e1fe694b27d88a2471f06127143508a875fc702b8664c7e2b47b2eb1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\kwYm.exe

Filesize
126KB

MD5
894611dae01c751e53688af8e1eeeb72

SHA1
87b2f9a1de0aef10353cd5ef08692b6d9dabcd06

SHA256
b6ff6d6683c9c687ed388317ec7e8891e18b2e70b077cea49890f9d5800db862

SHA512
54d4806b5c5710ed763c606e1c0b67d06b034c0c60ba4cb244298d975b13d9c0d0441277d6597eb23755f342945fc24e113bd3345721f1209bc2588e884b71d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\lQEI.exe

Filesize
112KB

MD5
3dfe25a3bf8ae3710039d22b5c21a897

SHA1
9c6785f0d040629ab0fa88a455d339d53341fdbd

SHA256
7eb889280dd7091b1a200dcfdfba3e150f52a7b34ba1036dcacdc618fc50c915

SHA512
1dc1944ebee46c43f902db82289f649b8cf115bdff8be30f7bf17f6413dbdb403a4d2d1ee9b59cff3e9fda3be739582a6f526fa33b04acc31ea20421efe3be25

Download Submit
C:\Users\Admin\AppData\Local\Temp\mAEY.exe

Filesize
110KB

MD5
113415f053e7a9971ba0ae385d945750

SHA1
deb84ceda497951a9964091adeb26caea5162cc4

SHA256
6b7e5fabe57f831b6e07e3cab95532a14f1e375f3769ca0a4d039a03918c7c30

SHA512
5a809c390c73e89961c36b184dfb9470ec59457a0cafac30010acd6aa0e10b1651ea54a13c03150f5552073dae8672b4a9033fbbf67ea214f26948918527a21a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nIAG.exe

Filesize
236KB

MD5
aab1fdd2b39370c33871b3bef00c1412

SHA1
4cc84e87e82e85fd165ce56c25acdc38b8895ab3

SHA256
0edf836db20ed85b02dd9abc3fce15482b203e458c18a055bf8960a9fcec254b

SHA512
fe9ebb1ee7f4fc2192a4d4ad280cdeff6c6ff9a143169430be121dada7b40ab78897c33c52bb9ae53e7f3859b4bf3c98113dcbd66de72a545f782e8571ac6248

Download Submit
C:\Users\Admin\AppData\Local\Temp\nIIU.exe

Filesize
111KB

MD5
f0b2acb983aeeb3744ddc8b62e58a806

SHA1
2d44a3b0a2a8c37216f9d2babff79928270ef819

SHA256
8fbda7559a617bd20162c32becb459a88b68634543835085718d12d212c93365

SHA512
049e494404a4d01740a1769c62b58f2e0c83e2056e043d7dbab8bb714df44321557df1609beab30a81586a0e27a3ee0cf530ccfeebff04d89d9e9871307ff7a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nkoC.exe

Filesize
112KB

MD5
fdd196a83906b482d0c1dc30f0648a87

SHA1
b27ade45d5b37a39f7b0028308b7012518008224

SHA256
81ba6272a8f866a0e3a12f87edaea05cb97f102776311c25ff5dea67d05eeb4b

SHA512
2f53f7015ecf5e6183eb4f70b4da4b9bcfaf543ddd15328d094e33252fd60a1fdc562bd1cda47f06e831fd69be9df91e05be0df6963eeb36c96c1f3663a2094b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nkoa.exe

Filesize
110KB

MD5
8855bfe98bed5704a5b8bd5397294b2b

SHA1
0327c827c4931ff8dc8d9234dfaaa79faad8dbff

SHA256
ed7647dc35f4a11e33e3fbe502281061d19247cad51b6f323d93845aadf2b6f2

SHA512
d77310ab8b8de29e7b9e8414420011717ec19863ff3c53be3222a9095e591a5a5ff50510f4f226cbab30faa66b8d5d7b3485e4b5cd935a2988f131aab5861a5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nowU.exe

Filesize
113KB

MD5
fe7fdfbc36a7641c748da4905ff8425b

SHA1
d53c6156febab682227dde32d737c2bb8db48831

SHA256
ba22e089162eeae4a05376c72aa3a4a0eadf03c1f116da289c7e42ca9801412e

SHA512
48204bf25075fd8200b2a6db9d5151ccc2cc4702dda074340951157135d53b20ebf6aace9e1b9349c9ea528f8646012e93026c8e03e12d6be2bd697a04a0c22c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ogIw.exe

Filesize
154KB

MD5
5adc0a4e796080339c26bd3d59e3a188

SHA1
197956dc6744a98d69e8fa762a53309aba3fee67

SHA256
08584e596e0ee6258d53c8c8518f81144cfe0f70036aa9ddbfb42a20c218102f

SHA512
6a8c629be1aeaa20bbf61fd2c6be516c3b9709e4ba696b02cb0ee7860404843baedaf6d1573b359bc4bd5c30298b1495ad1a292f250cc9393bd6899b0fb655c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\pcUU.exe

Filesize
236KB

MD5
da73d5e40f8a4dd66d0328df086f16e4

SHA1
d5251e7c9fe3508289eeeca77ea3e0325b11b944

SHA256
dd02e2bb00a4e5ee2fe12b8ac86f44fc6adf91746b38f34670f706b34956d7b7

SHA512
9ba592bb6c31f2986fecc86411164aae70e7224a4ae5650ce3be46d305f27d66e33204c7e93639cf3cd049ef4473a959117847d3ed5dd9574723496329fcae46

Download Submit
C:\Users\Admin\AppData\Local\Temp\qcAs.exe

Filesize
721KB

MD5
8146a0cd34e2bf453231acab1848a1d3

SHA1
5f4d1a167b0967103a5bc4c9a8903505e41826cb

SHA256
e2e3280b8d4fd5488e96c3829dc6b03fdbee14d90e8fdd5c54a5ab57d9abef37

SHA512
3d5b86010fecf1461c9191df4b23496bcc56954a43865b43fc017814ac84a00e493993c681b750f6900388e1dcb06abfdf588d9475dba7bf79abca61fc09e825

Download Submit
C:\Users\Admin\AppData\Local\Temp\rIMM.exe

Filesize
115KB

MD5
4dfb1b6dc0f265e64383d12ee983f131

SHA1
0a2360c68074df45fd08466621bd6f5ac441c902

SHA256
0d65ba50dd063e96cf63f6e82b938845f132ac4c463e2e4dbeeea5018699f950

SHA512
f95d82001bc80d523f7c729ba2d94a51ac5217855011e0391b66c8f400efa6c5904db506cadcaf018151c61aba60ebc37a9b8a2ea09d0588a8b2493820b5f728

Download Submit
C:\Users\Admin\AppData\Local\Temp\rkEg.exe

Filesize
117KB

MD5
d35d36f7fc5ed927fd7b72f1a3cef3e8

SHA1
fe2a5db6e3e0e6570a7c6f5ca926e4cfe75c431f

SHA256
ca2025a904028c4bb950af435510d0344911d5130a3a1c4464284664d727e730

SHA512
cb0a33fabe0f329d591d14239506315c666b1e22daadbabb9e5eb91d8623aa1e794d1bcf1815490a7bffb268c8e2a52e39f3e14f5fcdedaaa0fbad1e21fe6e34

Download Submit
C:\Users\Admin\AppData\Local\Temp\sQAi.exe

Filesize
155KB

MD5
aa711cd74d9fd5a2fbaff4f30d1fe1cc

SHA1
72c9ea8caa4f25209e7eedc12932837554cd7344

SHA256
73cbc3373d1ae13b4f07ebcf60050cd5195e28581c7fa8197594ae849775e8f8

SHA512
917d2ca6c4ec4a403dabf2776595809c5ed1788d73af4d890fe4d11c01c9ef576c77cc86ac6d3e433dbe3408cdf7bb60f61f46000957551b2edee24909954d53

Download Submit
C:\Users\Admin\AppData\Local\Temp\sYYM.exe

Filesize
111KB

MD5
782bad3438a1dba28bd2b6e3cd9b5cdd

SHA1
407fc35a6e588af499453b6e2acc7b77c9d5b445

SHA256
a97190bca562df254d7723700bd228081b22a29b3c4f1401a50435a6800823ba

SHA512
d22717d44c2273856552e235c625d3dec5721708f6193c4a7870d5953214d9e3f7db2d30e1f83a80a95c9c1606e037a7e1a41ff2f94a6fff8a3a0aff496f9081

Download Submit
C:\Users\Admin\AppData\Local\Temp\sgsY.exe

Filesize
112KB

MD5
4692f74f6c3eb3c84fb864ea60cf0034

SHA1
a8c5653ed293a08f0678d4b501c91fa37bf2cd00

SHA256
504b49debab582f8ea33536b7f949547e88c314aad054a24e87c7a316f19ab11

SHA512
11175246f420486b94af8abd623591cffbd64fb4086c1e311421e982f46d4162321ccd08c8999390394ed62d76f26efe4dc617fd3d4571629dead0731cde40c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\skws.exe

Filesize
111KB

MD5
fc49b4cfca6dc14f698cbb7b4a9833cc

SHA1
445faf0afc7a50f5694223cf53c7b0f07a97c251

SHA256
63ae4677fef897042bb260103cd20e8cd8cec5b99411147b1904e11953c471f8

SHA512
fb044cc130ba795ea56170f6c3deada8e06d2a7abf170b959d0855004e13898aac38faf2bd14653dfedc0399dafb82eef961557dd678ba4d08ec488940de9230

Download Submit
C:\Users\Admin\AppData\Local\Temp\tQgY.exe

Filesize
518KB

MD5
f730c698c6f86dd84ada062103562621

SHA1
bae2de9745d376e7ea689b750bbfce1eac8a01d0

SHA256
4ce2de6b5555de4aae25c3d2d0d3f6c3114b9520c254f84cf89133b48505f274

SHA512
859d137f6d5af567f446bebf01325b8a261d353fc729aa8e70eb7866501f0771e1aeea7db0b2e988747b3cbd4e183e33c681557efd4b09c4d35af8565fa1cd9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\uMcY.exe

Filesize
139KB

MD5
2f61f8930420ce5b84bb9b565caedda3

SHA1
c8e302df89c68509c743be66ad791f716a860ca1

SHA256
e41a47f9e6098cfe5ed3077e4325ed03e5eec8ef60d9bb0606ab60c65e04c922

SHA512
1d872037bc6d842693a68f7696fb4603cf359d1eaaa0108c7b137033f7876187e24716e2eccfc66ab7ee0a1ae89ddb19d33e0eb765c1e97b205d701f43fca668

Download Submit
C:\Users\Admin\AppData\Local\Temp\ugsI.exe

Filesize
724KB

MD5
2a568918f1bef3b7401d46448478bac3

SHA1
8faf3a5b8a204f95fad9c4f64dbe8ff26658e420

SHA256
85cb0c49d2bb9399fdcfade79a60eaf6f8cbac03fb97e18e8f1095cea02d898d

SHA512
0c78be0675a9679fe219802ef18ec3b069a2f716e0e0f50e706c4fa5413f1fbf0faeb0885c00be3577652da2ca4bb0e1d896c3e7112433151275789e4e3d1afd

Download Submit
C:\Users\Admin\AppData\Local\Temp\uswo.exe

Filesize
564KB

MD5
8b6d66f7f0519e0ca1f1cb36440d94a3

SHA1
67194594fdf0cd37feeedafcfe28aa62332be77f

SHA256
bbddf179c45c3cba7b61b5d2d24d03c24748cc807bd02d21a3cc82540c283de0

SHA512
6254dfb2c08b290c92f8e6290270e5eb9cdc609ad55c0140cf5c7b1565ee7ad9d21b287f7afad89f501ac5f5d4ccd7015dbfc6cf43421ca7513634a2d2c63b1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\vwUy.exe

Filesize
109KB

MD5
7f4d3cf952ba36bf0b5e113c6cd68849

SHA1
5dc0861a3cf31c97bd0d0ec828fd6b0605f0252b

SHA256
826ed4f3921ab1e4c6ea10d3f8adeadec33c64d7f077a81c0ce5b8e5b7cbed6b

SHA512
5ac471a5270b73caf6608740ebd4089ad464fb7effd7ca9fc036c3c201aff0dda7e2cd8b028f6ea79837fcc4ce4b8bc62858e12edcbb9afc04ba8989c1ab1851

Download Submit
C:\Users\Admin\AppData\Local\Temp\wAMO.exe

Filesize
733KB

MD5
93794a9f2b67b04d859fb38dc998ec33

SHA1
c2a4331d37fd58e4bf259cb10d53d1fe7ce0651a

SHA256
09dbdc3225f7e7745dbd7c7f6684cd98ef2e686399eda6220bed2c8e9339da24

SHA512
761021a16addac77555152ea9457f5d3ebb2be9c012d0b99bcd2622e4eb2dd8d2959be855d83fab1c36e9cec0de8b4991e64594005da1588154d9b71eb1ed337

Download Submit
C:\Users\Admin\AppData\Local\Temp\wEgM.exe

Filesize
114KB

MD5
e984bc7b5a62017d03e75eb246fb15e1

SHA1
4a5dc16e555b42fb39f9d104f83fb28595a2d0e6

SHA256
e88c6b1acb3f3f4accb4b5db37eb15a6f6c10c257bdd9d0b858d5fec673ea11b

SHA512
08c26f6e6c3f8a7c18cfca9f83a097a761051ddfc3479fd52f0198f3aa840111b7d8f6d476f45b290efa6f940d13f70bc592d2768ef500c9147450248ff9fb9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\wIQm.exe

Filesize
110KB

MD5
8fe129294eaab422f254219875793e08

SHA1
069bc169546b2aa18deb5909e0ccbeb8e56057b2

SHA256
39b4cd7f9b6554eca5b3e97964eb130f860806e954309b784a20b54ad3dd7045

SHA512
f8d3d9af83f56b0dd23ccb45ba4d02c57ecd45e3833bf3a7413ce19ddfd2d399709c862de7dc029551be776b9cde033fdb7de662a52a164eddacbaec72eb932d

Download Submit
C:\Users\Admin\AppData\Local\Temp\xUMc.exe

Filesize
114KB

MD5
61145100b1a71ae1727cfd96d21b5c59

SHA1
2c9f4640601b80c039127cd67c3a3c0f0b76610a

SHA256
8167b8e52171a307a8caa032846204ffecdf96cd6df4f673a6a58825a8984d26

SHA512
2f76466203d31e50081ecc7722ec1be05e9aa0b5378d577a0556c77304d01386fa0a8caaf99c60abac64040ba704f1132c43d95a106e67a1f5d27e730bcc0ca7

Download Submit
C:\Users\Admin\AppData\Local\Temp\yUcC.exe

Filesize
122KB

MD5
b970146fda4713a5633f3bcba6609864

SHA1
5f4e2d0541e64582a67a86f2c0df7af38f7e2004

SHA256
0cccbf386e09579e6ff48c450ee879eec68a38f5b2808a75d61b4774cac847a2

SHA512
90f0d725933a70cc74825a5ef7ddb91009386c4550d59263584288771c5fcaa1ab799b792c1c73948208e1cd45e63f667da9a2f60b89808675ded32dc0bea463

Download Submit
C:\Users\Admin\AppData\Local\Temp\zYwC.exe

Filesize
337KB

MD5
4ab8b34e67723c7a8952960454d05082

SHA1
7607c9617da32592c9fb2728ba68c856aef784de

SHA256
34b1e96d4e6af6bee94f29d98d6832ab3f51f6e5308a64ed76747d7256e20493

SHA512
1cbc2d9f017648766ca7fa84f508f87e3ce0a2d48bb0ada854d16421389953a542aa1af10bda8b5512b2e3f5e160d34c369526d8ab1b221c7bd8afa13df5c60f

Download Submit
C:\Users\Admin\AppData\Local\Temp\zcQI.exe

Filesize
699KB

MD5
2862f4d945d12810fe3ea47ac93fb040

SHA1
38315bf6ee1db99f83ae9cdb76042f82f2174a3b

SHA256
b1ab7a19f43ecc225f8922921af2518daac8a5d1a5c8a02c62cd4355d455556f

SHA512
6e4beb61c84b9672ccece7a8f1166ef4e8f6a434591ed19c6d7fb0a163be45efd179e0c6724c7917df50c944f9897cd8410cfae2745f6678cda64f00a10aa5e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\zsEW.exe

Filesize
110KB

MD5
93ff4d01a397e19b653b38c3612ea77a

SHA1
f18c8c950a4db44f34e64bb35f12e5a93bd51bbe

SHA256
eaf453109d14e424f51102d55860cf5a9d97e4d4f0bf8d1ab8da43ec3e6c5e35

SHA512
56dca46ee72cae139f288760b2fe2352a8333aef9c89e51f7ab923016e456733e9e5d00c84b7c858300b2fe7b382ad1f773d037d395030b4fe253c393a0a116b

Download Submit
C:\Users\Admin\AppData\Local\Temp\zsUA.exe

Filesize
465KB

MD5
05510f99369d26db87dcfc1c25b84ab0

SHA1
aa3b88358f71ee09b88adaa9e3c1ccc57df3c9ea

SHA256
ae1d54a4ab015c68feb0814ea2eb3eca30bdf87e5bf1bd58cad35df2af04227b

SHA512
964d9168a5d4b4104efbff36c9e9f39763f0fdefc638b845fbbc6f85055010589862e4302efb1bb04b57010fb5db70eec7f29eaac7c3e5fc64bbd977b87d71e2

Download Submit
C:\Users\Admin\AppData\Roaming\DisconnectInvoke.mp3.exe

Filesize
347KB

MD5
d9aafc2b89edb118d89d14a3636f2792

SHA1
f6d6c7c6035b492f4c768b840e792e0a2abb7c0e

SHA256
87174e5a1af7969ab47416a5db22ab0f9e56501e2dd09e33774b2135fcc2a2dc

SHA512
fabdc1a52300f828a7cc61bc30094731bd0eaa61af454a5d5d7fedffad471ba417120dc599466bbd47f964409ce8fad4ab1b24abee49f75d3a041368e64ec699

Download Submit
C:\Users\Admin\pWEkggkI\icUssEIs.exe

Filesize
110KB

MD5
692303395b42b0894478c4f9d626c08f

SHA1
f0308c2e390c0a97d2bf604cb330de90376bc639

SHA256
84875de6578b050fff0fb9df394cb555e1637a54eaac601a0a28d7db12954677

SHA512
450907f0d0b90a2ba2e78f13a45c414691490f88e3db04290252ac8667e4bb4423827f9f602fcfa71f9da60b233b3dee6b2ef7f5f73b3d70d8bcb87211cf4464

Download Submit
memory/32-273-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/316-286-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/316-299-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/368-1150-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/368-1201-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/384-410-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/456-402-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/684-235-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/684-246-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/760-394-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1044-124-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1044-110-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1192-7-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1232-222-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1236-360-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1416-370-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1416-378-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1436-460-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1760-77-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1760-66-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1812-352-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1812-344-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2068-533-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2168-136-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2168-125-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2404-54-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2404-38-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2408-97-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2408-113-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2464-828-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2464-779-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2516-148-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2516-139-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2664-386-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2704-419-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2704-411-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2780-225-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2780-234-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2856-88-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2920-42-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2928-290-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/3240-281-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/3448-188-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/3500-101-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/3500-89-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/3624-361-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/3624-369-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/3644-1059-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/3644-1022-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/3728-647-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/3892-152-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/3892-171-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/3900-864-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/3924-30-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/3968-1251-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/4040-200-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/4072-1151-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/4124-50-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/4124-64-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/4184-304-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/4184-317-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/4224-497-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/4224-461-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/4244-153-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/4244-172-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/4280-957-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/4280-893-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/4284-583-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/4292-325-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/4292-316-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/4324-14-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/4452-295-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/4452-308-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/4480-713-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/4480-662-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/4484-709-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/4484-763-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/4556-265-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/4592-177-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/4632-335-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/4632-343-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/4640-1021-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/4668-420-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/4668-429-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/4716-326-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/4716-334-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/4772-154-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/4776-211-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/4776-196-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/4792-249-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/4792-257-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/4948-164-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/4988-0-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/4988-19-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/5008-425-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/5008-437-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download