cd44d851858501b7d60a83c3126698fd1feefd11da5a3bdf1d2deb02b78716b2

Analysis

max time kernel
0s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
05/01/2024, 05:45

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe
Size

240KB
MD5

7ebb675622c9c09cddc2f01081cf8ffa
SHA1

f827ee2b8b81b5eb70cbdca4b461544a8ef7365c
SHA256

cd44d851858501b7d60a83c3126698fd1feefd11da5a3bdf1d2deb02b78716b2
SHA512

3af9711b54fa9e00828787e1d193d86c96e7af66d6d2815c8defdfdcd1ec7fe1971344744a8f7b055f7147d33f63d7e00b7908ab1d64f84708ce1cc2d1129da3
SSDEEP

6144:szz6iKJd7n/sGCf+iEuqOwSZIhBbkJF7PfZxi1i:szz6FdDkGStFwSZIhBkJVXZxi

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1836	gugoccIE.exe
4712	YgkUEAcg.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gugoccIE.exe = "C:\\Users\\Admin\\MqQkUkcg\\gugoccIE.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\YgkUEAcg.exe = "C:\\ProgramData\\gokQIAEk\\YgkUEAcg.exe"	reg.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1776	2356	WerFault.exe	177

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
4748	reg.exe
3880	reg.exe
5448	reg.exe
224	reg.exe
4352	reg.exe
4000	reg.exe
1824	reg.exe
3692	reg.exe
460	reg.exe
2984	reg.exe
5288	reg.exe
5784	reg.exe
1444	reg.exe
1016	reg.exe
5064	reg.exe
3088	reg.exe
3332	reg.exe
3724	reg.exe
2700	reg.exe
3564	reg.exe
5584	reg.exe
5100	reg.exe
4348	reg.exe
5848	reg.exe
3376	reg.exe
2200	reg.exe
3648	reg.exe
3196	reg.exe
5964	reg.exe
2324	reg.exe
2044	reg.exe
3432	reg.exe
4940	reg.exe
5532	reg.exe
4140	reg.exe
3868	reg.exe
5984	reg.exe
3248	reg.exe
2684	reg.exe
2092	reg.exe
5172	reg.exe
8	reg.exe
5256	reg.exe
6068	reg.exe
2176	reg.exe
1664	reg.exe
3428	reg.exe
4940	reg.exe
3076	reg.exe
4884	reg.exe
2092	reg.exe
1540	reg.exe
1396	reg.exe
5988	reg.exe
2680	reg.exe
4744	reg.exe
2396	reg.exe
2792	reg.exe
5240	reg.exe
5292	reg.exe
3892	reg.exe
2324	reg.exe
1316	reg.exe
3488	reg.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4364	reg.exe
4364	reg.exe
4364	reg.exe
4364	reg.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4364 wrote to memory of 1836	4364	reg.exe	1322
PID 4364 wrote to memory of 1836	4364	reg.exe	1322
PID 4364 wrote to memory of 1836	4364	reg.exe	1322
PID 4364 wrote to memory of 4712	4364	reg.exe	1321
PID 4364 wrote to memory of 4712	4364	reg.exe	1321
PID 4364 wrote to memory of 4712	4364	reg.exe	1321
PID 4364 wrote to memory of 2700	4364	reg.exe	1320
PID 4364 wrote to memory of 2700	4364	reg.exe	1320
PID 4364 wrote to memory of 2700	4364	reg.exe	1320

C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe"
1⤵
PID:4364
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JuwUMMkk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe""
  2⤵
  PID:3964
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:4124
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:5584
- - C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe
    C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock
    3⤵
    PID:4068

C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock
1⤵
PID:5456
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:4432

C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock
1⤵
PID:2396
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:1880

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:744
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:5380
- C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe
  C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock
  2⤵
  PID:5704

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock"
1⤵
PID:5024
- C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe
  C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock
  2⤵
  PID:5160

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock"
1⤵
PID:2280
- C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe
  C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock
  2⤵
  PID:5992

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3232

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock"
1⤵
PID:3308

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock"
1⤵
PID:2720
- C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe
  C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock
  2⤵
  PID:5124

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xyoYAMws.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe""
1⤵
PID:1484

C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock
1⤵
PID:1704
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CmYcUQQo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe""
  2⤵
  PID:1260
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:2148
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:5756
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:4140
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock"
  2⤵
  PID:4924

C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock
1⤵
PID:6084
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VKQUQcIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe""
  2⤵
  PID:3380
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:5456
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:4884
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1880
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:4848
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock"
  2⤵
  PID:1932

C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock
1⤵
PID:5616

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:5212
- C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe
  C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock
  2⤵
  PID:1524

C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock
1⤵
PID:928
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:1064
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JOEMoMgs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe""
  2⤵
  PID:4312
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:5172
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:2792
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock"
  2⤵
  PID:384

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2968

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4204

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1160

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:1540

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3116

C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock
1⤵
PID:1136
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EOQoYggA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe""
  2⤵
  PID:3928
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:4908
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:2092
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:4624
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock"
  2⤵
  PID:4572

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4492
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:5348

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4720

C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock
1⤵
PID:2324

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2612

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4496

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2468

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4960

C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock
1⤵
PID:2728

C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock
1⤵
PID:2616

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4572

C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock
1⤵
PID:4300
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:5400

C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock
1⤵
PID:628

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3692

C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock
1⤵
PID:4536

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1536
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GAgoYwAY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe""
  2⤵
  PID:5384
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:1444
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2228
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:2788
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock"
  2⤵
  PID:2520

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:5384

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2244
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:3784
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AMwgkUMs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe""
    3⤵
    PID:4744
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:5636
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:4544
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:3740
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock"
    3⤵
    PID:4020

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4760

C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock
1⤵
PID:5104

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1064

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:524

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock"
1⤵
PID:5628
- C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe
  C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock
  2⤵
  PID:3876

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3116

C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock
1⤵
PID:4024

C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock
1⤵
PID:3868

C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock
1⤵
PID:4884

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:400
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:5260

C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock
1⤵
PID:1744

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4672
- C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe
  C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock
  2⤵
  PID:5676

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:5408

C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock
1⤵
PID:5024
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sgIggYEc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe""
  2⤵
  PID:5676
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:5400
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:4320
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:3096
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:4172
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock"
  2⤵
  PID:1932

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:5020

C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock
1⤵
PID:4904
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:2652

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2984

C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock
1⤵
PID:2356

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4776

C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock
1⤵
PID:3036

C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock
1⤵
PID:5540

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4184

C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock
1⤵
PID:5656
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock"
  2⤵
  PID:5568
- - C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe
    C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock
    3⤵
    PID:5528
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jAwUIcco.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe""
  2⤵
  PID:3648
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:3488
- - C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe
    C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock
    3⤵
    PID:3784
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:3436
- - C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe
    C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock
    3⤵
    PID:4696
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:1552

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4612

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock"
1⤵
PID:3868

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock"
1⤵
PID:4864
- C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe
  C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock
  2⤵
  PID:5572
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BskwswsA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe""
    3⤵
    PID:4516
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:3252
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:5684
  - - C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe
      C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock
      4⤵
      PID:3484
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:5784
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock"
    3⤵
    PID:2764

C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock
1⤵
PID:2840

C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock
1⤵
PID:4596

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4572
- C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe
  C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock
  2⤵
  PID:5636

C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock
1⤵
PID:1824

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4776

C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock
1⤵
PID:4360
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TMYgccck.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe""
  2⤵
  PID:116
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:4744
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kyQMUIEE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe""
    3⤵
    PID:4604
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:6072
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:512
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:5732
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock"
    3⤵
    PID:5584
  - - C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe
      C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock
      4⤵
      PID:3564

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4496

C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock
1⤵
PID:2956

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2468

C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock
1⤵
PID:6020

C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock
1⤵
PID:1724
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1936
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yMAosgUQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe""
  2⤵
  PID:4300
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:2984
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:8
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hAkAEIIs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe""
    3⤵
    PID:1344
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:1484
  - - C:\Windows\SysWOW64\cscript.exe
      cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
      4⤵
      PID:4552
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:4436
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:3536
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock"
    3⤵
    PID:968
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock"
  2⤵
  PID:4492

C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock
1⤵
PID:2228

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1940

C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock
1⤵
PID:760
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\recwAQUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe""
  2⤵
  PID:3700
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:2316
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:5332
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:4884
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock"
  2⤵
  PID:2848

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2984

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2612

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:4604
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:2956
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TYYAEkYQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe""
    3⤵
    PID:428
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:5588
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    - Modifies registry key
    PID:5964
  - - C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe
      C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock
      4⤵
      PID:5196
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:5220
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock"
    3⤵
    PID:3084
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lmscUMwA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe""
      4⤵
      PID:1940
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:3172
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:6136
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:3636
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock"
      4⤵
      PID:1512

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock"
1⤵
PID:4460
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:3644

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3656

C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock
1⤵
PID:452
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OIQskUEU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe""
  2⤵
  PID:448
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:2464
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:5532
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:4424
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock"
  2⤵
  PID:5324

C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock
1⤵
PID:5164

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:708

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1456

C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock
1⤵
PID:4112
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vyAckcAc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe""
  2⤵
  PID:3372
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:3648
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1524
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:3880
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock"
  2⤵
  PID:2096

C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock
1⤵
PID:3892

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1408

C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock
1⤵
PID:1436
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IWkYwUwg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe""
  2⤵
  PID:4492
- - C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe
    C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock
    3⤵
    PID:5712
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:1932
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:3116
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:1812
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock"
  2⤵
  PID:5288

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock"
1⤵
PID:5784
- C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe
  C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock
  2⤵
  PID:3400

C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock
1⤵
PID:3076
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UcAgAocY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe""
  2⤵
  PID:1504
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:1652
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SgMggYIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe""
    3⤵
    PID:5112
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:2488
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    - Modifies registry key
    PID:3432
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:5688
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2248
- - C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe
    C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock
    3⤵
    PID:4264
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:2732
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock"
  2⤵
  PID:5300

C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock
1⤵
PID:2044
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bKgEEkwA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe""
  2⤵
  PID:5220
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:4732
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:3724
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:3692
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock"
  2⤵
  PID:3880

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4284

C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock
1⤵
PID:2488
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock"
  2⤵
  PID:2244
- - C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe
    C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock
    3⤵
    PID:3376
  - - C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe
      C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock
      4⤵
      PID:2796
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rSIQAAEA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe""
        5⤵
        
        PID:400
      - C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock
        6⤵
        
        PID:116
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        
        PID:5756
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        
        PID:4868
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        
        PID:2864
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock"
        5⤵
        
        PID:4424
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rscIgMwo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe""
  2⤵
  PID:4576
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LCUMcAAc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe""
    3⤵
    PID:5456
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - Modifies registry key
    PID:5984
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:1420
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:5064
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock"
    3⤵
    PID:4424
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:5848
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2836
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:4596
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WAcMksYA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe""
    3⤵
    PID:5164
  - - C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe
      C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock
      4⤵
      PID:2324
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:4300
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MQYgQUcA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe""
      4⤵
      PID:2036
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      Modifies registry key
      PID:5448
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:620
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies registry key
      PID:6068
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock"
      4⤵
      PID:4672
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    - Modifies registry key
    PID:4884
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FQAEMEgM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe""
      4⤵
      PID:5380
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:3232
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:5172
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:5496
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock"
      4⤵
      PID:5116
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:5712
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock"
    3⤵
    PID:5600
- - C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe
    C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock
    3⤵
    PID:3084

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4320

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4216

C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock
1⤵
PID:3044
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xaUYMYEQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe""
  2⤵
  PID:4904
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:4300
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:3332
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:4672
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock"
  2⤵
  PID:2960

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4972

C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock
1⤵
PID:5164

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4068
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ggUQEkss.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe""
  2⤵
  PID:364
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:5020
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1564
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:4768
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock"
  2⤵
  PID:1632
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:5992
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\smcMgkoE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe""
      4⤵
      PID:1444
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      Modifies registry key
      PID:3196
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:4764
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:2024
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock"
      4⤵
      PID:1016

C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock
1⤵
PID:2108

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1076

C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock
1⤵
PID:1824
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock"
  2⤵
  PID:1384
- - C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe
    C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock
    3⤵
    PID:2248
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BWQsMIMc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe""
      4⤵
      PID:5364
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:4632
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:3096
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:2860
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock"
      4⤵
      PID:2692
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SGsoMkIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe""
        5⤵
        
        PID:3264
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        
        PID:2672
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        Modifies registry key
        
        PID:1664
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        
        PID:3292
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock"
        5⤵
        
        PID:4152
- - C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe
    C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock
    3⤵
    PID:1316
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fQQoswYs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe""
  2⤵
  PID:3996
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:5324
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:5292
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:5988
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:2324
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\reUgEAIg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe""
      4⤵
      PID:3428
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:628
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:4360
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:3624
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock"
      4⤵
      PID:5100
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\euQIYMko.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe""
      4⤵
      PID:2612
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:4348
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:2044
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:5416

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ImQQUEgY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe""
1⤵
PID:4608
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:2080

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:5832

C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock
1⤵
PID:6020

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:5648

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:4424
- C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe
  C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock
  2⤵
  PID:2356

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3400
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kcMoAogg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe""
  2⤵
  PID:4236
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:4656
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:4756
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:5372
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock"
  2⤵
  PID:2144

C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock
1⤵
PID:5256
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QEMMwUgY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe""
  2⤵
  PID:5600
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:3736
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:4296
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:3084
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock"
  2⤵
  PID:3616

C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock
1⤵
PID:3172
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EqksUIIY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe""
  2⤵
  PID:4140
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:5620
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:4748
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:2672
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock"
  2⤵
  PID:3928

C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock
1⤵
PID:5616
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IEowEMYA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe""
  2⤵
  PID:3160
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:8
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:1396
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:2200
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock"
  2⤵
  PID:3376

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:6020
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xQYEoUwc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe""
  2⤵
  PID:4460
- - C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe
    C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock
    3⤵
    PID:536
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:3692
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2796
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:3892
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hiAoksks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe""
    3⤵
    PID:744
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - Modifies registry key
    PID:4940
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    - Modifies registry key
    PID:5848
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:3376
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock"
    3⤵
    PID:4952
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock"
  2⤵
  PID:5212

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2108
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gogEQkwI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe""
  2⤵
  PID:2176
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:3376
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jeAossMU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe""
    3⤵
    PID:3804
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:3696
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:5524
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:4912
  - - C:\Windows\SysWOW64\cscript.exe
      cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
      4⤵
      PID:2848
    - - C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock
        5⤵
        
        PID:224
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock"
    3⤵
    PID:1812
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:5172
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:2200
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock"
  2⤵
  PID:744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2356 -s 192
1⤵
- Program crash
PID:1776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2356 -ip 2356
1⤵
PID:1456

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:5164
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kecssgsk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe""
  2⤵
  PID:5344
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:5476
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:3428
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:5260
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock"
  2⤵
  PID:4228
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bOAoIskU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe""
  2⤵
  PID:1448
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:2700
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:5748
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:2312
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock"
  2⤵
  PID:1384

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3428

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AkgkcsAg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe""
1⤵
PID:3248

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:3972
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CwcEUgoU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe""
  2⤵
  PID:4348
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:3868
- - C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe
    C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock
    3⤵
    PID:8
  - - C:\Windows\SysWOW64\cscript.exe
      cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
      4⤵
      PID:2960
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WQwcUoEM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe""
    3⤵
    PID:1404
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:4760
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:5600
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:3044
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock"
    3⤵
    PID:5392
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:3232
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BgUgcAcc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe""
    3⤵
    PID:1324
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:6068
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    - Modifies registry key
    PID:3248
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:3948
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock"
    3⤵
    PID:5136
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:1824
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kWIEUoUI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe""
    3⤵
    PID:2388
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\magkQAks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe""
      4⤵
      PID:1956
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:4228
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:2228
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:2764
    - - C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock
        5⤵
        
        PID:1532
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:2356
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KkQIwEkU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe""
      4⤵
      PID:2168
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:2520
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:5240
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:2488
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock"
      4⤵
      PID:5304
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:3612
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:3144
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock"
    3⤵
    PID:2832

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:4964

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:428
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:3892

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock"
1⤵
PID:2932

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:5184

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\keAMggIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe""
1⤵
PID:4996

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:2176

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:2616

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:4940

C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock
1⤵
PID:4348

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock"
1⤵
PID:2792

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nmcUYwAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe""
1⤵
PID:5704
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:4952
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2844
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:4348
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:3032
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock"
  2⤵
  PID:3248

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:4660

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:2356

C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock
1⤵
PID:3544

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock"
1⤵
PID:2412

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2848

C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock
1⤵
PID:2692

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2764

C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock
1⤵
PID:3972

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:524

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NkMkkkQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe""
1⤵
PID:3676

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:5260

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:5256
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HYQEQwcE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe""
  2⤵
  PID:1504
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:4792
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:6104
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:3124

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:5708

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock"
1⤵
PID:6104

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IUMIgAIs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe""
1⤵
PID:4912

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:1936

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:3972

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:5648

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock"
1⤵
PID:5524

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eIUgUUow.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe""
1⤵
PID:5636
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kAUAUYUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe""
  2⤵
  PID:5200
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:4336
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:5292
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:2900
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dYIswkgs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe""
    3⤵
    PID:8
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:6076
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:3832
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:5116
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock"
  2⤵
  PID:5304
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:3060

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:4152

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:4004

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:4008

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:5068

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OWwgkEgE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe""
1⤵
PID:4708

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:4504

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:2708

C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock
1⤵
PID:2904

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock"
1⤵
PID:4908

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:3692

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:1940

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:3564
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HYwwYUYs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe""
  2⤵
  PID:2672
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FYsUsssw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe""
    3⤵
    PID:5288
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:4748
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    - Modifies registry key
    PID:2044
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:4744
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock"
    3⤵
    PID:4564
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:2732
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1016
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:4068
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock"
  2⤵
  PID:2880
- - C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe
    C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock
    3⤵
    PID:1632

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock"
1⤵
PID:2248

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pUwgYoAI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe""
1⤵
PID:2396

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:2324

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:1316

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:1384

C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock
1⤵
PID:4360
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bEkQoooU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe""
  2⤵
  PID:5304
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:4184
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:3076
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:2680
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock"
  2⤵
  PID:5584

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock"
1⤵
PID:2168

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XGsYMQoQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe""
1⤵
PID:6068

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:3652

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:4388

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:4300

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock"
1⤵
PID:4672

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4780

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aIYMEYME.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe""
1⤵
PID:2764

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:460

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:5748

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:1324
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:5408
- - C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe
    C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock
    3⤵
    PID:2388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock"
1⤵
PID:400

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1384
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rqwQEAko.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe""
  2⤵
  PID:5384
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:4516
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:5712
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:4324
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:2396
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lQAocYoo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe""
    3⤵
    PID:4632
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:4596
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:5720
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:1504
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock"
    3⤵
    PID:5108
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock"
  2⤵
  PID:2600

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QAUgUIMk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe""
1⤵
PID:5820

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:2464

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:2276

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:4972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock"
1⤵
PID:2124

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4940

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dAwYMUQY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe""
1⤵
PID:4136

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:3624

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:3060

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:3476

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock"
1⤵
PID:5236

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2168
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:5256

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iuAUcosM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe""
1⤵
PID:624

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:1724

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:3476

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:2092

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock"
1⤵
PID:3984

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CAwEkAsc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe""
1⤵
PID:1632
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RwgoscIk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe""
  2⤵
  PID:3740
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:4904
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:224
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:2104
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock"
  2⤵
  PID:4504

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:3972

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:3996

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:5300

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock"
1⤵
PID:4952

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3628

C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock
1⤵
PID:5256

C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock
1⤵
PID:3232

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:5172

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TYEskcQM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe""
1⤵
PID:4416

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:4008

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:5676

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:5600

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:6020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fYQQAcYg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe""
1⤵
PID:5384

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:5708

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:4732

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:5772
- C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe
  C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock
  2⤵
  PID:5964

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock"
1⤵
PID:4088

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qckkwQcw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe""
1⤵
PID:3180
- C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe
  C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock
  2⤵
  PID:1536

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:2680

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:4980

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:4216

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock"
1⤵
PID:1880

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QsYkwQIo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe""
1⤵
PID:4912

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:2324

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:5288

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:3700

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock"
1⤵
PID:4348

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rGUEIoQk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe""
1⤵
PID:3972

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:5568

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:760

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:3628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock"
1⤵
PID:4296
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dWkAIUsY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe""
  2⤵
  PID:5304
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:4000
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2388
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:3628
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock"
  2⤵
  PID:5772

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zScIIggk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe""
1⤵
PID:2104

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:4536
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FyMgMkgs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe""
  2⤵
  PID:3400
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:4264
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:4768
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:4924
- - C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe
    C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock
    3⤵
    PID:1348
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock"
  2⤵
  PID:4596

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:4668

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:2684

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock"
1⤵
PID:5964
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PEYkAsUA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe""
  2⤵
  PID:5456
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OEgckswg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe""
    3⤵
    PID:3440
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - Modifies registry key
    PID:5064
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:1436
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:3088
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock"
    3⤵
    PID:3436
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:4636
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:4940
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:2332

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nIMcQgsI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe""
1⤵
PID:2788

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:4068

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:5256

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:1880

C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock
1⤵
PID:5308

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock"
1⤵
PID:628
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oesQAEMs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe""
  2⤵
  PID:4476
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:5756
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:524
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:2396
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock"
  2⤵
  PID:5540

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\auYQMAEc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe""
1⤵
PID:2244

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:4040

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:3264

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:992

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock"
1⤵
PID:5208

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2728
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yWAowccw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe""
  2⤵
  PID:5832
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:1468
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2224
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:4036
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock"
  2⤵
  PID:2092

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QQwMsMAA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe""
1⤵
PID:5604

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:5584

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:5384

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:5228

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock"
1⤵
PID:5732
- C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe
  C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock
  2⤵
  PID:64

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FQsogYYI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe""
1⤵
PID:2652

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:2488

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:5784

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:2520

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock"
1⤵
PID:5408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BKcokwYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe""
1⤵
PID:5172

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:2356

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:4388
- C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe
  C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock
  2⤵
  PID:2164

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:4196

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock"
1⤵
PID:5332

C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock
1⤵
PID:432

C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock
1⤵
PID:2672

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wssQMwEA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe""
1⤵
PID:5988

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:4776

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:5292

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:3044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock"
1⤵
PID:5412

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:5144

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bgwsUUAE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe""
1⤵
PID:4216

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:3564
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uukcoIwQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe""
  2⤵
  PID:5604
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:4768
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2732
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock"
  2⤵
  PID:5732

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:4608

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:1852

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock"
1⤵
PID:2880

C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock
1⤵
PID:5572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SoAggkcM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe""
1⤵
PID:3992

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:4008

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:6104

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:5584

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock"
1⤵
PID:6128

C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock
1⤵
PID:3564

C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock
1⤵
PID:1384

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tesMEEQk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe""
1⤵
PID:2864

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:2612
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:3692

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:2960

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:4004

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock"
1⤵
PID:4320

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:4908

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2100

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qOogQYYg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe""
1⤵
PID:4136

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:5716

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:1060

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:6120

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock"
1⤵
PID:3488
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZmAEoMAw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe""
  2⤵
  PID:1060
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:5240
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:1540
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:4040
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock"
  2⤵
  PID:2936

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:5184

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:6052

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:1552

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:5100

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock"
1⤵
PID:3180

C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock
1⤵
PID:2900

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HOskYEUo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe""
1⤵
PID:5676

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:3868

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4364
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:4544
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:4352
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock"
  2⤵
  PID:2700
- C:\ProgramData\gokQIAEk\YgkUEAcg.exe
  "C:\ProgramData\gokQIAEk\YgkUEAcg.exe"
  2⤵
  - Executes dropped EXE
  PID:4712
- C:\Users\Admin\MqQkUkcg\gugoccIE.exe
  "C:\Users\Admin\MqQkUkcg\gugoccIE.exe"
  2⤵
  - Executes dropped EXE
  PID:1836

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:1784

C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock
1⤵
PID:4576

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock"
1⤵
PID:220

C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock
1⤵
PID:5644

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2576

C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock
1⤵
PID:3488

C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock
1⤵
PID:1652

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:5832

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EuIcgAkw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe""
1⤵
PID:5188

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:5292

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:1932

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:3644

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock"
1⤵
PID:5164

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3984

C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock
1⤵
PID:4296

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RQkcQUYs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe""
1⤵
PID:6108

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:5524

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:940

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:2848

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock"
1⤵
PID:4608

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:448

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EGYkQgoM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe""
1⤵
PID:1708

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:4660

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:2024

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:1016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock"
1⤵
PID:5684

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:432

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wuMMAIUY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock.exe""
1⤵
PID:6100

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:2692

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:1372

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:5172

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock"
1⤵
PID:4388

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.exe

Filesize
314KB

MD5
8805c755e2e25fc64a2ad7ee116ef0c7

SHA1
e36b919c8b8b8a55c6f88ab716afd4b1ff26afca

SHA256
c8a77d960881c0d220dc07ddbebf513b3e9287f4e724cf4e38802bdfb1176204

SHA512
509d0d70f1681aa712c338865c1467b3f32f53059be3ec146227d2be0d0e2fc909d27c9e75f0ba14a76b884b5d3ca3a3180bc880a7861c3955d9db868f7dd2b6

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe

Filesize
214KB

MD5
be82267b5b50df00f9341939ab68d65a

SHA1
5e4c4e5894f8e15912dd80f47ae4b090c9266c9a

SHA256
e6dc0200e6cde7198a6b4ed43828dcea71c8101adcfc51d4a9b1d1ceb4aa7e2e

SHA512
34ddd9faf856f52bbde7ba5668e128eeaef0422223dca77147245707770b6c7572c7f9ed7de73658eef441a95960b13055302e0901ab9eff1fc522b2f33bd355

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe

Filesize
219KB

MD5
912f7737abeef72ffdd5c3f4e1564ed4

SHA1
1245f44313a07286166bf16d48d86321cc3cfcd6

SHA256
6ec2727b194636d6959245e29197bd0320f659f7dc3c4602500133b8b9b9efcc

SHA512
4dda8d2c66754ea5600cce1baf58649e3b5ba2fc61f4281baf1d76430900d049b7efa30a4a7a669b54e7726cc10ad51930545ef1a896855086c86f897b8cbcec

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe

Filesize
314KB

MD5
876cc80b31f2f127268ad4b590facce9

SHA1
1a25e7b76a4bcb364b63433892a6bfc4536b3892

SHA256
b64420e9f0935ed4d2d9354ba66186f4dfaa2da3f0f0d6b81ca8625bbcaac210

SHA512
e17d51903df657d0bf9fa7f5555d2a9f1dc7e5d1dfe7b5f991dca1a4404241e72a90b89373282dfc806ed0403a87758b00a5892c09a5d7f568abcb01679330ff

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe

Filesize
87KB

MD5
b0dc17ff9df04eaea2156391304d3470

SHA1
b39f11a15895cdbc3f7fe98ac08f412915a12128

SHA256
311c46d3a950400a5c63f998aa14ce5832643e3d2cf4c45170c2af041c945ebc

SHA512
dd18947e69c4903fe5be8bccc1b4ca0703bdfd26d92648dc19bc520aa243ff4e3eaac801e56feed2719e82673c3d93b2493eb79df1f10206430ae0b3a4e03317

Download Submit
C:\ProgramData\gokQIAEk\YgkUEAcg.exe

Filesize
195KB

MD5
c20111390e2b749430c2192aa0e8a038

SHA1
3d949bcd61518e1303f3dfd3a6f709d4d34a0821

SHA256
b1f3898cfcc6039f813f1a3373c19f9aea395e11d98ea5c2f7d11c9d88c4d9e5

SHA512
7a75be2fec7a532b8b6a036e6cd92f1847de8ea24e3f1d92bbe7cd6322fd20dcd9aba6f29c87cadf7761d5a6194633d4b93a6f4f7ca1ee46c337e76a690f1904

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-01-01_7ebb675622c9c09cddc2f01081cf8ffa_virlock

Filesize
48KB

MD5
b0de08b6aada24cdd3458113d175f1a7

SHA1
225797b52f320b3efb2643c55fe55ab3a5618ae9

SHA256
40015814487b93a8372f33284d45586739a4a1e9d2b7961ab8c6d4d9561d10cb

SHA512
fd59488e0223f49d66bb3ca7a70e74b7ca2052769f78790aee0682e0306f6e9421d28ab9a34487bd8934571cccb6798c98040b25934dfe1f0a13c7ca490ecbe2

Download Submit
C:\Users\Admin\AppData\Local\Temp\CmYcUQQo.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\EAoO.exe

Filesize
234KB

MD5
083527bc540788b95d6c1d6bc13d08e6

SHA1
0feb69a0d6fa777d3c46ac8dfd26bdf35bec69fd

SHA256
4f1b9dd510cdfe4ce28face901ce7c34efe9bf94a50a531c5ea64aa419fb1db5

SHA512
19d5b05dc9a85c4681d71652266ab98cd746e12013cdda994ef8c587aaa4d5dfdc3f9ab7347c93c45cff8f187389817829cdd6b6113d0d082014b551a400aa02

Download Submit
C:\Users\Admin\AppData\Local\Temp\GAQC.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\KAwk.exe

Filesize
41KB

MD5
4bc335ed37a0a9ef4f540571cac43dd6

SHA1
6f1736cf1ed772cc8456fc1629d13dab3f8a6aa2

SHA256
11a6ae2d8892bc6576c1e749e17a5dc00c754e6af12b9471c960f5518cf06996

SHA512
2f6ca7f115d52ae94bc8d6302d32a71c8e1e36eecf7baeefd4ce1961dab0bbaba89b50b88f3325a9fe05ef1eed4b6b545bb024ed4af891ff3bfd9b60f8632c39

Download Submit
C:\Users\Admin\AppData\Local\Temp\QkAo.exe

Filesize
545KB

MD5
821fb9006428d2b143aa4554703e472d

SHA1
1ce4e8957b834afbf9074b37130c47103729cd3b

SHA256
3237929162ff1cd666252c0f5ed845528d3e1395cceaf7f8981fdb546bdbb4dd

SHA512
1571e7c2cacd5272bfcb9420062466c306f2e41bcdcf5847c47b3be515f255258208bdf33d5cfd267debea2fe432ce48e2a1473a9def4be0d009b510d04d4932

Download Submit
C:\Users\Admin\AppData\Local\Temp\SMMK.exe

Filesize
76KB

MD5
b3b7c30f1fe97026dbe0c74b83adc463

SHA1
9167e4f451a9c7d44698429669e50e36cf5cbc50

SHA256
a8c353db0cc035dee81553012b1bc30885f085590063be87e116f50e15d11513

SHA512
1e79987799dfdf0a1c466ee94653ac9e2fa849cd128ad21ddbedce54d400eb80ec649e268ed02ee464513e78822d884479785d253af6e5e423d2e9e92922aead

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wsky.exe

Filesize
45KB

MD5
96894aeaf6a5eff552ba5e95d06ab98a

SHA1
ce705bc45adf7cf6be3781724cfd17b06b424a89

SHA256
d096c270df9cfb13e775e1b00cf04381d5a9fd43603856da1b5759e55f9b1f3e

SHA512
bf9625ebd2fc97516e9ef6eaf8d7580756413761de85e007abadd639956e0572ae18c72fb39aa3c19df1e51c02f850e160ff8f5a07ba5cc20a94caf2e288e315

Download Submit
C:\Users\Admin\AppData\Local\Temp\YQYW.exe

Filesize
69KB

MD5
4612b8f45c6f374bf7df4dd9f7fa7b31

SHA1
a56210d19983ff630c2007ce440f6b8b57392de7

SHA256
b4eb11566c3f181bc30cae69f1e95b17105ac92d375c8b56176cb34c57735fe9

SHA512
e8b8a55dbf6568e0699c1501590da3d11ce0423fca5ec4b6087422fea5ac84ffe88570df3f7d287bc392d5f6c541b16dc15ac8a480ed00fc5c485cdbc73051ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\YwoI.exe

Filesize
60KB

MD5
df3becfcd17f26a40c7b93c93f58a2e8

SHA1
789a7be0e98531ee0af0c1f6239288a70be071b2

SHA256
90536aa8d4509f5ae61131b2e8c6f42f740dbcbd1cd1e8eacef9ddb4115ba71e

SHA512
6fdd8d6b7f33c03281fd41cdaa0998c73589f8f46340641c93a6d3b7086ea87c0fe9d2f73721e668c32507fe546a31ac073d9b60ad4fb88e93a26e684b8219fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\akcW.exe

Filesize
64KB

MD5
5499f5db9b91ffa6a87b13968c05ac89

SHA1
cd53d5a70e27cbc0867216d0998a4b2d2743e684

SHA256
06c527411e775d6bcb59bee7dc041db2b47e924d8cdd43eaba70c8029ab9bf41

SHA512
6e84f1d7a27e770c5cdf6919b043ffad45eaf6a69f897b4b4de18385d8b39ad93352d3388f86efb021e1d1a13784119574b1956e2c953013b69045290fb765fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\coke.exe

Filesize
20KB

MD5
e03fe600e64d69e0853a5163d6de07ea

SHA1
27f83badf365625ea659a9348471e52b29bd70dc

SHA256
47ffedb97be742f113d3bf469c11da5c3fe09f58485af261937dc5aa76b7d604

SHA512
12e241e449d11221f6a055697ad65b33f4f5626f038ab76be4d54bf30043a5da2b2de82781a9750761ba4fc91cb02bfd76414efac61578300fdc7d0efb78372f

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gQoU.ico

Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\iEMw.exe

Filesize
77KB

MD5
aa662608a8d9efe4ef2de873313da8f8

SHA1
962fb33bf2a0d221b7074020b69dc53508dc24c4

SHA256
593065cfe43c779fe4a9e4153541d41610912222175aef47a5b5da22fccbc584

SHA512
0a3df5304f0237bc420a3ecd1406aeb17483f1f5a3bb6ecaa891c0b99a6dfa8c61abf279105cc39449fe19eecc156838f85277ae1172476bf526395e22f6ada7

Download Submit
C:\Users\Admin\AppData\Local\Temp\uYAK.exe

Filesize
66KB

MD5
0c9688dcff78de727ac48cf3577f7f7f

SHA1
732bc1e9caddd4b4d5cf468817d444b2b6b859d5

SHA256
7b3b89f298581cd9a349574b9d5faebfe284e6be4d7d73ebe6c244602813c423

SHA512
ae1cea256506b7cf865ace993c5da40ec886632344ee27c0a5622278c5883795da31110480c9f612fe2b6619466441b669d978b61d84a6a706e682f891246559

Download Submit
C:\Users\Admin\AppData\Local\Temp\ucks.exe

Filesize
52KB

MD5
20ec97321d002beab3233f63354a0dc7

SHA1
48b9b57de19e2312f8f2c7047521e34de5ef4cf6

SHA256
83537f3f83027145902ac13dbcee21bee9f9571ceea3fb904c34a35d7190b504

SHA512
cd2b3a3e21fd0b846c4a1636dbd68a4884b932a90886d7a179015cce7411bfa41e6f619049bb9690ac0ed39059dc3189f9c5e43063580b1c09f8d25843ae2727

Download Submit
C:\Users\Admin\AppData\Local\Temp\ycMQ.exe

Filesize
37KB

MD5
b2636ca7e135bf5f2cc5eaed28228545

SHA1
b107eee32460b414c88ffe9223e10fe0aa5573cc

SHA256
8f03c2b3602f4d0a54c0df9ce9b276d30b3131a49df9a799030e7a8349d1ac9d

SHA512
caa6864059fd506753853560c9662da5a537361317538cc2e4658d79ddff5d5129641295f105b8ed2b5901166fc1bb5192d0dba2e74deca0775930f666fe4f3a

Download Submit
C:\Users\Admin\MqQkUkcg\gugoccIE.exe

Filesize
191KB

MD5
a27e092c58a5f927371e9f18b818d6a8

SHA1
4a84029f86e1cf29b03eb4bcf78b482d72127f23

SHA256
e8688ae35eb47a2439230fe1d6d335fad65369d0d1b6b722b264edf27ce888f6

SHA512
e73d8a574ea66d1480b4f9ad17ef7db24d16487d5ef8fae19a859f5a6e1e30923d5f6292500a7d78fe15fec2be97750b0b97239d53a66f812fd89819ab8f7e7f

Download Submit
C:\Users\Admin\Pictures\MoveUnpublish.gif.exe

Filesize
611KB

MD5
37da1547392340fb30e1c5091b94150b

SHA1
ae9d4875a60f1e075c63c0fc728491db84dbb822

SHA256
7225d5498114965d50f90e077b97aeac96d39076e15a959443e4fa0cd7c7f15b

SHA512
ae2ea7d5662433efc215f0d7e7779d938342c49cae604bec218aac12e08ae95c32feb479aa850d3fbfea69ba7fc75e5c54047963527995f16c743e7f2e00abed

Download Submit
C:\Users\Admin\Pictures\My Wallpaper.jpg.exe

Filesize
225KB

MD5
81ab65298a81d207d0561795301cbc83

SHA1
92c2684af4919c83ad829c4597b8b7e6117a84bf

SHA256
9e5b495ca615441e41664c15de272de18ba033eb1285f9b374fa28e90e1df353

SHA512
a942fa9f6077459c9c09e1c9cf09945e0c2ae553069e52d88eea2ab0e7cc9dd933164900a2d0575b17b0460893b3d41f441ca7d45288343fd3c621df91099db3

Download Submit
C:\Users\Admin\Pictures\PushStart.bmp.exe

Filesize
728KB

MD5
238a0698dd74dac0403af674922ea5f8

SHA1
ab64eed6c101b04dc896d021149f143021753bac

SHA256
f286118545b7a62dc9b4993da668a5ba98f4dd77eadef1afb11636580c5da29c

SHA512
5aaa81b418b49ef7e314406a5d176dfcf0a5be473f58d619530d8e9d4e7b238934a04d5602f51877ebe2d77925d2885fbbe4b70be40dbb56e8ba3da6b46239af

Download Submit
C:\Users\Admin\Pictures\UndoUse.gif.exe

Filesize
701KB

MD5
32644b4bc011c88dc978dc3d4b8d0073

SHA1
14c1e98d8f2da006d564e2c699bfc8f3dba42d6f

SHA256
b3f9caebd0cd0417902d04c4eca7d1e0def79f8b82d95574f960455dc3a76ed3

SHA512
857e2326329cdec774ff00c42eef3a41a674828b0c82ba97365a2e1fa9212665b168bb7270bc73d9eba25e487cf65b5cba81a5333219afb569ee692d02e45dce

Download Submit
C:\Users\Admin\Pictures\WatchConvert.png.exe

Filesize
610KB

MD5
20f543ec0996176718661fc3b1a04a83

SHA1
d029b7b0572cb228c3dd240f4ac5ae9450f794c3

SHA256
fbf054448eb8e77a97b520056a42ed9b6ac960eb6184b0317b79daa90b674114

SHA512
7f012f929a085e4b3494f531fca2c7998b9fe34b9ad9521b36bb232cd0c9138bf4c6c32352cfa0750ffba03faaa2d80e3a8c62eb1ec87f5cb0a0e90ea41631d1

Download Submit
memory/64-324-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/928-297-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/928-284-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1136-333-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1136-320-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1348-256-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1348-240-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1384-305-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1384-293-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1532-358-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1532-371-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1536-214-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1536-232-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1632-367-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1652-140-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1652-156-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1704-228-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1704-244-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1836-8-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2164-42-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2164-58-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2324-115-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2324-338-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2324-353-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2324-132-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2396-84-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2396-66-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2728-376-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2900-190-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2900-206-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3484-54-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3484-70-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3488-168-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3488-152-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3564-315-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3784-268-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3784-252-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4296-80-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4296-96-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4364-21-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4364-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4576-178-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4576-194-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4696-46-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4696-33-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4712-15-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5124-218-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5124-202-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5160-119-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5456-32-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5456-16-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5572-349-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5572-362-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5616-275-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5616-288-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5636-329-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5636-342-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5644-182-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5644-164-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5964-92-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5964-107-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5992-144-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/6084-279-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/6084-264-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download