6e987d3a0c2243ab7ed4809763bed0429560698d416975416fa73c2ebe3a7620

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28-03-2024 15:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
Size

111KB
MD5

504af718858a2c430d2bfd4c2951f19d
SHA1

226e8ecd16f59c19b7748508f14191700d6d2ce4
SHA256

6e987d3a0c2243ab7ed4809763bed0429560698d416975416fa73c2ebe3a7620
SHA512

4a3e49fb6f5c6e63e9fd24e3158ba0c45ea8cbbde3e6249c73d4a5ece990346517951263617ba87ec33125cc84e0f7c6770fc4fd884accec2fcf30798959f40d
SSDEEP

3072:uMam5eOBP3lbL83kiPk1R1Fq8TxtkZ6hG2sG039Ar4aEpAxz0u57aoa+Ng3ACSav:uMaWPRiFCtkZ6hG2f039Ar4aEpAxz0u2

Score

10^/10

evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (82) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	LOwswgIk.exe

Executes dropped EXE 2 IoCs

pid	Process
540	RSMgsgUA.exe
3880	LOwswgIk.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LOwswgIk.exe = "C:\\ProgramData\\WcssIYoQ\\LOwswgIk.exe"	LOwswgIk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RSMgsgUA.exe = "C:\\Users\\Admin\\jwAgQkUU\\RSMgsgUA.exe"	RSMgsgUA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XiwQoIUo.exe = "C:\\Users\\Admin\\uQwocwoc\\XiwQoIUo.exe"	2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NAIkAQUU.exe = "C:\\ProgramData\\KccoAgoo\\NAIkAQUU.exe"	2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RSMgsgUA.exe = "C:\\Users\\Admin\\jwAgQkUU\\RSMgsgUA.exe"	2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LOwswgIk.exe = "C:\\ProgramData\\WcssIYoQ\\LOwswgIk.exe"	2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\shell32.dll.exe	LOwswgIk.exe
File opened for modification	C:\Windows\SysWOW64\shell32.dll.exe	LOwswgIk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4012	2756	WerFault.exe	312
4328	1968	WerFault.exe	311

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
2496	reg.exe
4756	reg.exe
756	reg.exe
2212	reg.exe
4936	reg.exe
736	reg.exe
980	reg.exe
1436	reg.exe
980	reg.exe
768	reg.exe
3664	reg.exe
2944	reg.exe
4160	reg.exe
2016	reg.exe
2984	reg.exe
4988	reg.exe
2764	reg.exe
740	reg.exe
4388	reg.exe
3004	reg.exe
4544	reg.exe
2368	reg.exe
4116	reg.exe
3000	reg.exe
2992	reg.exe
4040	reg.exe
2756	reg.exe
3020	reg.exe
4724	reg.exe
4292	reg.exe
4852	reg.exe
2312	reg.exe
388	reg.exe
452	reg.exe
2412	reg.exe
3300	reg.exe
2956	reg.exe
1572	reg.exe
232	reg.exe
1852	reg.exe
1836	reg.exe
4844	reg.exe
4016	reg.exe
5008	reg.exe
2024	reg.exe
2116	reg.exe
1836	reg.exe
2676	reg.exe
4760	reg.exe
4004	reg.exe
2976	reg.exe
3320	reg.exe
4348	reg.exe
1844	reg.exe
4932	reg.exe
5016	reg.exe
2136	reg.exe
3580	reg.exe
2604	reg.exe
888	reg.exe
5072	reg.exe
4548	reg.exe
3496	reg.exe
2752	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2924	2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
2924	2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
2924	2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
2924	2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
1464	2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
1464	2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
1464	2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
1464	2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
5000	2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
5000	2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
5000	2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
5000	2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
4464	2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
4464	2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
4464	2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
4464	2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
4848	2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
4848	2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
4848	2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
4848	2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
5096	2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
5096	2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
5096	2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
5096	2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
4256	2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
4256	2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
4256	2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
4256	2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
5056	2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
5056	2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
5056	2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
5056	2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
3020	2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
3020	2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
3020	2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
3020	2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
2996	2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
2996	2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
2996	2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
2996	2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
4388	2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
4388	2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
4388	2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
4388	2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
4224	2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
4224	2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
4224	2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
4224	2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
4688	2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
4688	2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
4688	2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
4688	2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
2524	2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
2524	2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
2524	2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
2524	2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
1944	2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
1944	2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
1944	2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
1944	2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
1488	2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
1488	2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
1488	2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
1488	2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3880	LOwswgIk.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3880	LOwswgIk.exe
3880	LOwswgIk.exe
3880	LOwswgIk.exe
3880	LOwswgIk.exe
3880	LOwswgIk.exe
3880	LOwswgIk.exe
3880	LOwswgIk.exe
3880	LOwswgIk.exe
3880	LOwswgIk.exe
3880	LOwswgIk.exe
3880	LOwswgIk.exe
3880	LOwswgIk.exe
3880	LOwswgIk.exe
3880	LOwswgIk.exe
3880	LOwswgIk.exe
3880	LOwswgIk.exe
3880	LOwswgIk.exe
3880	LOwswgIk.exe
3880	LOwswgIk.exe
3880	LOwswgIk.exe
3880	LOwswgIk.exe
3880	LOwswgIk.exe
3880	LOwswgIk.exe
3880	LOwswgIk.exe
3880	LOwswgIk.exe
3880	LOwswgIk.exe
3880	LOwswgIk.exe
3880	LOwswgIk.exe
3880	LOwswgIk.exe
3880	LOwswgIk.exe
3880	LOwswgIk.exe
3880	LOwswgIk.exe
3880	LOwswgIk.exe
3880	LOwswgIk.exe
3880	LOwswgIk.exe
3880	LOwswgIk.exe
3880	LOwswgIk.exe
3880	LOwswgIk.exe
3880	LOwswgIk.exe
3880	LOwswgIk.exe
3880	LOwswgIk.exe
3880	LOwswgIk.exe
3880	LOwswgIk.exe
3880	LOwswgIk.exe
3880	LOwswgIk.exe
3880	LOwswgIk.exe
3880	LOwswgIk.exe
3880	LOwswgIk.exe
3880	LOwswgIk.exe
3880	LOwswgIk.exe
3880	LOwswgIk.exe
3880	LOwswgIk.exe
3880	LOwswgIk.exe
3880	LOwswgIk.exe
3880	LOwswgIk.exe
3880	LOwswgIk.exe
3880	LOwswgIk.exe
3880	LOwswgIk.exe
3880	LOwswgIk.exe
3880	LOwswgIk.exe
3880	LOwswgIk.exe
3880	LOwswgIk.exe
3880	LOwswgIk.exe
3880	LOwswgIk.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2924 wrote to memory of 540	2924	2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe	89
PID 2924 wrote to memory of 540	2924	2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe	89
PID 2924 wrote to memory of 540	2924	2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe	89
PID 2924 wrote to memory of 3880	2924	2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe	90
PID 2924 wrote to memory of 3880	2924	2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe	90
PID 2924 wrote to memory of 3880	2924	2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe	90
PID 2924 wrote to memory of 1620	2924	2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe	91
PID 2924 wrote to memory of 1620	2924	2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe	91
PID 2924 wrote to memory of 1620	2924	2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe	91
PID 2924 wrote to memory of 2632	2924	2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe	93
PID 2924 wrote to memory of 2632	2924	2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe	93
PID 2924 wrote to memory of 2632	2924	2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe	93
PID 2924 wrote to memory of 2676	2924	2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe	94
PID 2924 wrote to memory of 2676	2924	2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe	94
PID 2924 wrote to memory of 2676	2924	2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe	94
PID 2924 wrote to memory of 2496	2924	2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe	95
PID 2924 wrote to memory of 2496	2924	2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe	95
PID 2924 wrote to memory of 2496	2924	2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe	95
PID 2924 wrote to memory of 5036	2924	2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe	96
PID 2924 wrote to memory of 5036	2924	2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe	96
PID 2924 wrote to memory of 5036	2924	2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe	96
PID 1620 wrote to memory of 1464	1620	cmd.exe	101
PID 1620 wrote to memory of 1464	1620	cmd.exe	101
PID 1620 wrote to memory of 1464	1620	cmd.exe	101
PID 5036 wrote to memory of 4480	5036	cmd.exe	102
PID 5036 wrote to memory of 4480	5036	cmd.exe	102
PID 5036 wrote to memory of 4480	5036	cmd.exe	102
PID 1464 wrote to memory of 4688	1464	2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe	103
PID 1464 wrote to memory of 4688	1464	2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe	103
PID 1464 wrote to memory of 4688	1464	2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe	103
PID 4688 wrote to memory of 5000	4688	cmd.exe	105
PID 4688 wrote to memory of 5000	4688	cmd.exe	105
PID 4688 wrote to memory of 5000	4688	cmd.exe	105
PID 1464 wrote to memory of 4444	1464	2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe	106
PID 1464 wrote to memory of 4444	1464	2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe	106
PID 1464 wrote to memory of 4444	1464	2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe	106
PID 1464 wrote to memory of 4844	1464	2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe	107
PID 1464 wrote to memory of 4844	1464	2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe	107
PID 1464 wrote to memory of 4844	1464	2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe	107
PID 1464 wrote to memory of 4232	1464	2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe	108
PID 1464 wrote to memory of 4232	1464	2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe	108
PID 1464 wrote to memory of 4232	1464	2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe	108
PID 1464 wrote to memory of 1460	1464	2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe	109
PID 1464 wrote to memory of 1460	1464	2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe	109
PID 1464 wrote to memory of 1460	1464	2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe	109
PID 1460 wrote to memory of 860	1460	cmd.exe	114
PID 1460 wrote to memory of 860	1460	cmd.exe	114
PID 1460 wrote to memory of 860	1460	cmd.exe	114
PID 5000 wrote to memory of 4792	5000	2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe	115
PID 5000 wrote to memory of 4792	5000	2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe	115
PID 5000 wrote to memory of 4792	5000	2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe	115
PID 4792 wrote to memory of 4464	4792	cmd.exe	117
PID 4792 wrote to memory of 4464	4792	cmd.exe	117
PID 4792 wrote to memory of 4464	4792	cmd.exe	117
PID 5000 wrote to memory of 2024	5000	2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe	118
PID 5000 wrote to memory of 2024	5000	2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe	118
PID 5000 wrote to memory of 2024	5000	2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe	118
PID 5000 wrote to memory of 5072	5000	2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe	119
PID 5000 wrote to memory of 5072	5000	2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe	119
PID 5000 wrote to memory of 5072	5000	2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe	119
PID 5000 wrote to memory of 2816	5000	2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe	120
PID 5000 wrote to memory of 2816	5000	2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe	120
PID 5000 wrote to memory of 2816	5000	2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe	120
PID 5000 wrote to memory of 3716	5000	2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe	122

C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2924
- C:\Users\Admin\jwAgQkUU\RSMgsgUA.exe
  "C:\Users\Admin\jwAgQkUU\RSMgsgUA.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:540
- C:\ProgramData\WcssIYoQ\LOwswgIk.exe
  "C:\ProgramData\WcssIYoQ\LOwswgIk.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:3880
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1620
- - C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
    C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1464
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4688
    - - C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:5000
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4792
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock"
        8⤵
        
        PID:3068
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock"
        10⤵
        
        PID:4288
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock"
        12⤵
        
        PID:400
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock"
        14⤵
        
        PID:220
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock"
        16⤵
        
        PID:3972
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock"
        18⤵
        
        PID:3504
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock"
        20⤵
        
        PID:3936
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock"
        22⤵
        
        PID:1620
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock"
        24⤵
        
        PID:4468
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock"
        26⤵
        
        PID:4812
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock"
        28⤵
        
        PID:3012
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock"
        30⤵
        
        PID:4404
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock"
        32⤵
        
        PID:1844
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock
        33⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock"
        34⤵
        
        PID:4976
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock
        35⤵
        
        PID:3380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock"
        36⤵
        
        PID:5040
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock
        37⤵
        Adds Run key to start application
        
        PID:1544
        
        C:\Users\Admin\uQwocwoc\XiwQoIUo.exe
        
        "C:\Users\Admin\uQwocwoc\XiwQoIUo.exe"
        38⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 228
        39⤵
        Program crash
        
        PID:4328
        
        C:\ProgramData\KccoAgoo\NAIkAQUU.exe
        
        "C:\ProgramData\KccoAgoo\NAIkAQUU.exe"
        38⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2756 -s 224
        39⤵
        Program crash
        
        PID:4012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock"
        38⤵
        
        PID:2476
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock
        39⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock"
        40⤵
        
        PID:2456
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock
        41⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock"
        42⤵
        
        PID:4700
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock
        43⤵
        
        PID:3260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock"
        44⤵
        
        PID:5068
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock
        45⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock"
        46⤵
        
        PID:5092
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock
        47⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock"
        48⤵
        
        PID:3892
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock
        49⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock"
        50⤵
        
        PID:1464
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock
        51⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock"
        52⤵
        
        PID:4700
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock
        53⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock"
        54⤵
        
        PID:4360
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock
        55⤵
        
        PID:4620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock"
        56⤵
        
        PID:756
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock
        57⤵
        
        PID:4792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock"
        58⤵
        
        PID:4284
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock
        59⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock"
        60⤵
        
        PID:640
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock
        61⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock"
        62⤵
        
        PID:5116
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock
        63⤵
        
        PID:888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock"
        64⤵
        
        PID:768
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock
        65⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock"
        66⤵
        
        PID:740
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock
        67⤵
        
        PID:3380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock"
        68⤵
        
        PID:4284
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock
        69⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock"
        70⤵
        
        PID:3616
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock
        71⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock"
        72⤵
        
        PID:2820
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock
        73⤵
        
        PID:4172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock"
        74⤵
        
        PID:768
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock
        75⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock"
        76⤵
        
        PID:1964
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock
        77⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock"
        78⤵
        
        PID:4756
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock
        79⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock"
        80⤵
        
        PID:756
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock
        81⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock"
        82⤵
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock
        83⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock"
        84⤵
        
        PID:3536
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock
        85⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock"
        86⤵
        
        PID:2024
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock
        87⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock"
        88⤵
        
        PID:3484
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock
        89⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock"
        90⤵
        
        PID:4996
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock
        91⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock"
        92⤵
        
        PID:3176
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock
        93⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock"
        94⤵
        
        PID:3704
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock
        95⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock"
        96⤵
        
        PID:456
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock
        97⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock"
        98⤵
        
        PID:4036
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock
        99⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock"
        100⤵
        
        PID:4288
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock
        101⤵
        
        PID:4112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock"
        102⤵
        
        PID:4876
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock
        103⤵
        
        PID:3332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock"
        104⤵
        
        PID:3168
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock
        105⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock"
        106⤵
        
        PID:4120
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock
        107⤵
        
        PID:3500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock"
        108⤵
        
        PID:5044
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock
        109⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock"
        110⤵
        
        PID:4404
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock
        111⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock"
        112⤵
        
        PID:1484
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock
        113⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock"
        114⤵
        
        PID:820
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock
        115⤵
        
        PID:3536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock"
        116⤵
        
        PID:3952
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock
        117⤵
        
        PID:3484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock"
        118⤵
        
        PID:3044
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock
        119⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock"
        120⤵
        
        PID:4460
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock
        121⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock"
        122⤵
        
        PID:3288
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock
        123⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock"
        124⤵
        
        PID:3500
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock
        125⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock"
        126⤵
        
        PID:2988
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock
        127⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock"
        128⤵
        
        PID:2920
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock
        129⤵
        
        PID:3800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock"
        130⤵
        
        PID:820
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock
        131⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock"
        132⤵
        
        PID:2828
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock
        133⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock"
        134⤵
        
        PID:3604
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock
        135⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock"
        136⤵
        
        PID:2912
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock
        137⤵
        
        PID:888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock"
        138⤵
        
        PID:548
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock
        139⤵
        
        PID:1332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock"
        140⤵
        
        PID:4452
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        141⤵
        
        PID:4940
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock
        141⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock"
        142⤵
        
        PID:888
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock
        143⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock"
        144⤵
        
        PID:4528
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock
        145⤵
        
        PID:1460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock"
        146⤵
        
        PID:4980
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock
        147⤵
        
        PID:3148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock"
        148⤵
        
        PID:748
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock
        149⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock"
        150⤵
        
        PID:668
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock
        151⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock"
        152⤵
        
        PID:1964
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        153⤵
        
        PID:448
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock
        153⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock"
        154⤵
        
        PID:888
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock
        155⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock"
        156⤵
        
        PID:1596
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock
        157⤵
        
        PID:3952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock"
        158⤵
        
        PID:3816
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock
        159⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock"
        160⤵
        
        PID:2944
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock
        161⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock"
        162⤵
        
        PID:3044
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock
        163⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock"
        164⤵
        
        PID:2260
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        165⤵
        
        PID:4068
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock
        165⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock"
        166⤵
        
        PID:4176
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        167⤵
        
        PID:4480
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock
        167⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock"
        168⤵
        
        PID:1436
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        169⤵
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock
        169⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock"
        170⤵
        
        PID:1484
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock
        171⤵
        
        PID:3812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock"
        172⤵
        
        PID:4440
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock
        173⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock"
        174⤵
        
        PID:4436
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock
        175⤵
        
        PID:748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock"
        176⤵
        
        PID:4208
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        177⤵
        
        PID:4016
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock
        177⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock"
        178⤵
        
        PID:3044
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock
        179⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock"
        180⤵
        
        PID:5016
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock
        181⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock"
        182⤵
        
        PID:3148
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock
        183⤵
        
        PID:3568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock"
        184⤵
        
        PID:4504
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock
        185⤵
        
        PID:936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock"
        186⤵
        
        PID:1336
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock
        187⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock"
        188⤵
        
        PID:4956
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock
        189⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock"
        190⤵
        
        PID:5040
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock
        191⤵
        
        PID:4152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock"
        192⤵
        
        PID:4440
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock
        193⤵
        
        PID:3164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock"
        194⤵
        
        PID:888
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        195⤵
        
        PID:3752
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock
        195⤵
        
        PID:3800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock"
        196⤵
        
        PID:2524
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock
        197⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock"
        198⤵
        
        PID:4844
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock
        199⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock"
        200⤵
        
        PID:2920
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock
        201⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock"
        202⤵
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock
        203⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock"
        204⤵
        
        PID:1212
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock
        205⤵
        
        PID:388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        206⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1380
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        207⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        206⤵
        
        PID:3664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        206⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        204⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        204⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        204⤵
        Modifies registry key
        
        PID:888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PUQwUAkM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe""
        204⤵
        
        PID:532
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        205⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        202⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        202⤵
        
        PID:220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        202⤵
        UAC bypass
        
        PID:3496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FycwIQgk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe""
        202⤵
        
        PID:3576
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        203⤵
        
        PID:3736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        200⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        200⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        200⤵
        Modifies registry key
        
        PID:768
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        201⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EKEckcMw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe""
        200⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        201⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        198⤵
        Modifies visibility of file extensions in Explorer
        
        PID:60
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        198⤵
        
        PID:3284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        198⤵
        
        PID:740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aUIwIgYc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe""
        198⤵
        
        PID:780
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        199⤵
        
        PID:3352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        196⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1756
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        197⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        196⤵
        
        PID:4876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        196⤵
        
        PID:856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cgUckEQE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe""
        196⤵
        
        PID:3364
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        197⤵
        
        PID:4184
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        197⤵
        
        PID:4528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        194⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        194⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        194⤵
        
        PID:3576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BkIwYwYs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe""
        194⤵
        
        PID:2112
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        195⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        195⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        192⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        192⤵
        
        PID:3160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        192⤵
        UAC bypass
        
        PID:1816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSgEUMAk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe""
        192⤵
        
        PID:332
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        193⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        190⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        190⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        190⤵
        UAC bypass
        
        PID:820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jWUcsAoM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe""
        190⤵
        
        PID:748
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        191⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        191⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        188⤵
        Modifies visibility of file extensions in Explorer
        
        PID:856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        188⤵
        Modifies registry key
        
        PID:4348
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        189⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        188⤵
        
        PID:4184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JcgcYUIU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe""
        188⤵
        
        PID:3400
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        189⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        186⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        186⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        186⤵
        UAC bypass
        
        PID:980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kYcMQwkM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe""
        186⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        187⤵
        
        PID:220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        184⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        184⤵
        
        PID:2036
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        185⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        184⤵
        
        PID:3288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UegcIYMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe""
        184⤵
        
        PID:3076
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        185⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        185⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        182⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        182⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        182⤵
        UAC bypass
        
        PID:2976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QwAsQIsA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe""
        182⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        183⤵
        
        PID:3168
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        180⤵
        Modifies registry key
        
        PID:3004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        180⤵
        
        PID:3664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        180⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kkQwMQwA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe""
        180⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        181⤵
        
        PID:4528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        178⤵
        
        PID:3752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        178⤵
        Modifies registry key
        
        PID:980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        178⤵
        Modifies registry key
        
        PID:3580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TIkwoQQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe""
        178⤵
        
        PID:4708
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        179⤵
        
        PID:888
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        179⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        176⤵
        Modifies registry key
        
        PID:1852
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        177⤵
        
        PID:332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        176⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        176⤵
        UAC bypass
        
        PID:4276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nMIoMwYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe""
        176⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        177⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        174⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        174⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        174⤵
        Modifies registry key
        
        PID:4388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OugkQEQM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe""
        174⤵
        
        PID:2076
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        175⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        175⤵
        
        PID:924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        172⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        172⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        172⤵
        UAC bypass
        Modifies registry key
        
        PID:4116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\smQcAUoc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe""
        172⤵
        
        PID:3672
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        173⤵
        
        PID:4528
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        173⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        170⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3044
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        171⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        170⤵
        
        PID:2920
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        171⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        170⤵
        Modifies registry key
        
        PID:980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cssEcIcI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe""
        170⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        171⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        168⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        168⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        168⤵
        UAC bypass
        Modifies registry key
        
        PID:4724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aiEccMMA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe""
        168⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        169⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        166⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        166⤵
        
        PID:400
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        167⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        166⤵
        UAC bypass
        
        PID:4956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TmYMwksA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe""
        166⤵
        
        PID:3448
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        167⤵
        
        PID:232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        164⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        164⤵
        
        PID:332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        164⤵
        UAC bypass
        
        PID:4940
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        165⤵
        
        PID:3752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZccEcswA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe""
        164⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        165⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        162⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        162⤵
        Modifies registry key
        
        PID:232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        162⤵
        UAC bypass
        
        PID:5040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DCswcsYU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe""
        162⤵
        
        PID:4820
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        163⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        163⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        160⤵
        
        PID:5052
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        161⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        160⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        160⤵
        UAC bypass
        Modifies registry key
        
        PID:3020
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        161⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WCwwoEkU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe""
        160⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        161⤵
        
        PID:4116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        158⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1816
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        159⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        158⤵
        
        PID:748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        158⤵
        UAC bypass
        
        PID:936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EaIAkcAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe""
        158⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        159⤵
        
        PID:220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        156⤵
        
        PID:5112
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        157⤵
        
        PID:3664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        156⤵
        
        PID:4480
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        157⤵
        
        PID:3148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        156⤵
        UAC bypass
        Modifies registry key
        
        PID:2024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EUYAEsUE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe""
        156⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        157⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        154⤵
        
        PID:4196
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        155⤵
        
        PID:3568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        154⤵
        
        PID:3288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        154⤵
        
        PID:4208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NsUEUMUA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe""
        154⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        155⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        152⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        152⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        152⤵
        UAC bypass
        
        PID:456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DMEossQU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe""
        152⤵
        
        PID:3320
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        153⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        150⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        150⤵
        Modifies registry key
        
        PID:452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        150⤵
        UAC bypass
        Modifies registry key
        
        PID:2984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HoEkoEsI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe""
        150⤵
        
        PID:3576
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        151⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        148⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        148⤵
        Modifies registry key
        
        PID:2756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        148⤵
        
        PID:3812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jGssEAQs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe""
        148⤵
        
        PID:4256
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        149⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        146⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        146⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        146⤵
        
        PID:936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UQMYwEgM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe""
        146⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        147⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        144⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        144⤵
        
        PID:3752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        144⤵
        UAC bypass
        
        PID:3972
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        145⤵
        
        PID:3800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KOAkwIkY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe""
        144⤵
        
        PID:4564
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        145⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        142⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3496
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        143⤵
        
        PID:3484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        142⤵
        
        PID:1380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        142⤵
        UAC bypass
        
        PID:5068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aMQUIscw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe""
        142⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        143⤵
        
        PID:3320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        140⤵
        
        PID:4196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        140⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        140⤵
        UAC bypass
        Modifies registry key
        
        PID:2604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nEogUoYg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe""
        140⤵
        
        PID:2680
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        141⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        141⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        138⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        138⤵
        
        PID:448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        138⤵
        UAC bypass
        
        PID:3484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PeUAwIUs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe""
        138⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        139⤵
        
        PID:388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        136⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4040
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        137⤵
        
        PID:820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        136⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        136⤵
        UAC bypass
        
        PID:4724
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        137⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bmIEkkQU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe""
        136⤵
        
        PID:456
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        137⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        134⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        134⤵
        
        PID:4208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        134⤵
        UAC bypass
        
        PID:3664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kOMUsUIg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe""
        134⤵
        
        PID:3752
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        135⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        132⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        132⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        132⤵
        UAC bypass
        Modifies registry key
        
        PID:2368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OwMUsQck.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe""
        132⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        133⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        
        PID:4996
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        131⤵
        
        PID:1460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        Modifies registry key
        
        PID:2136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        UAC bypass
        
        PID:4440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SygUkMww.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe""
        130⤵
        
        PID:1888
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        131⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        131⤵
        
        PID:388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eYcQgAwA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe""
        128⤵
        
        PID:3812
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        129⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        UAC bypass
        
        PID:4980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mqcoEcww.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe""
        126⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:3952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fYksIQcE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe""
        124⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        UAC bypass
        
        PID:1968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JmwYcYYY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe""
        122⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        Modifies visibility of file extensions in Explorer
        
        PID:820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        
        PID:4172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LoYYsksA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe""
        120⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        
        PID:1460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        
        PID:400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        Modifies registry key
        
        PID:2312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GucEEUEU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe""
        118⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        
        PID:3984
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        117⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        
        PID:4504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        UAC bypass
        
        PID:4484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ymUIgAIs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe""
        116⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        
        PID:816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kiUMkQgo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe""
        114⤵
        
        PID:1336
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        115⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:3252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        Modifies registry key
        
        PID:4160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        UAC bypass
        
        PID:3320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UwcAUYcc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe""
        112⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        
        PID:884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        
        PID:1160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        
        PID:3332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PakccUUM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe""
        110⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        
        PID:3448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bgcMcMEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe""
        108⤵
        
        PID:4116
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:3496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        
        PID:1100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        UAC bypass
        
        PID:3236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DKgwwMUA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe""
        106⤵
        
        PID:4160
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        Modifies registry key
        
        PID:1836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        UAC bypass
        Modifies registry key
        
        PID:2944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wcgAgcUI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe""
        104⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:5008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        
        PID:4564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        
        PID:3496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AcoEYwYQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe""
        102⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        UAC bypass
        
        PID:1484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GqokAUIE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe""
        100⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:3088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        
        PID:4784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        Modifies registry key
        
        PID:4544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        UAC bypass
        
        PID:1212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\saoYsYkY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe""
        98⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        UAC bypass
        
        PID:4040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZCcUUMUg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe""
        96⤵
        
        PID:736
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        Modifies registry key
        
        PID:5016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        UAC bypass
        
        PID:400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VcEYsQQs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe""
        94⤵
        
        PID:220
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        Modifies registry key
        
        PID:2956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        UAC bypass
        
        PID:1772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dqkEkUME.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe""
        92⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        Modifies registry key
        
        PID:4016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        UAC bypass
        
        PID:452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HUIQAkAc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe""
        90⤵
        
        PID:3160
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        Modifies registry key
        
        PID:4932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        UAC bypass
        
        PID:2676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CMQYsMsI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe""
        88⤵
        
        PID:736
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        UAC bypass
        
        PID:4112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EGQMgcQs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe""
        86⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        
        PID:3352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eyIMwMoM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe""
        84⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        Modifies registry key
        
        PID:2752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        Modifies registry key
        
        PID:3664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        UAC bypass
        Modifies registry key
        
        PID:740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oGAMIgEE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe""
        82⤵
        
        PID:452
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        UAC bypass
        Modifies registry key
        
        PID:4852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pIoAkYws.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe""
        80⤵
        
        PID:456
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        
        PID:3088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        UAC bypass
        
        PID:4360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pOogQwAE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe""
        78⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:4112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        UAC bypass
        
        PID:980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZcsowAsc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe""
        76⤵
        
        PID:4232
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DsooYsYI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe""
        74⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:3320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WEwEcgQs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe""
        72⤵
        
        PID:220
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        
        PID:4504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        UAC bypass
        
        PID:2524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WOMcEoMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe""
        70⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        
        PID:3176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        
        PID:400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AIkAAUIo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe""
        68⤵
        
        PID:884
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        UAC bypass
        
        PID:2496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KOkcYsoI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe""
        66⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        Modifies registry key
        
        PID:2212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        UAC bypass
        
        PID:4840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HAAYQUcA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe""
        64⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:1212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        
        PID:4700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\faMoYIQk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe""
        62⤵
        
        PID:856
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        
        PID:884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        UAC bypass
        
        PID:2080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SCIkIAAE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe""
        60⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        
        PID:3672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        UAC bypass
        
        PID:1632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gqAMkgsQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe""
        58⤵
        
        PID:668
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:3396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        
        PID:3912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:4172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iGUYIwQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe""
        56⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:3292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        Modifies registry key
        
        PID:3496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IegUgEYU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe""
        54⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        UAC bypass
        
        PID:3616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vkYwMIko.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe""
        52⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        Modifies visibility of file extensions in Explorer
        
        PID:448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        
        PID:3448
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        51⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RiMssMEU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe""
        50⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        
        PID:868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LagIsMYI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe""
        48⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        
        PID:4036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        Modifies registry key
        
        PID:2976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        UAC bypass
        
        PID:3956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KmIEYMYM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe""
        46⤵
        
        PID:3568
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        Modifies registry key
        
        PID:4844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        UAC bypass
        
        PID:640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IecYQoYU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe""
        44⤵
        
        PID:980
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        UAC bypass
        
        PID:2260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SaUUcEME.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe""
        42⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        
        PID:868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:3088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        
        PID:220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uAAMksQU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe""
        40⤵
        
        PID:3912
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        Modifies registry key
        
        PID:3300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        UAC bypass
        
        PID:3816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WgQgowsw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe""
        38⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        UAC bypass
        
        PID:1212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PckgUkoc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe""
        36⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        UAC bypass
        
        PID:4548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dQIYMoQo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe""
        34⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        Modifies registry key
        
        PID:2116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        UAC bypass
        Modifies registry key
        
        PID:2764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XyokYUEg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe""
        32⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        
        PID:4176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TcEYYgcc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe""
        30⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:4112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        UAC bypass
        
        PID:1544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OisYAIgQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe""
        28⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:3160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        Modifies registry key
        
        PID:2992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        UAC bypass
        Modifies registry key
        
        PID:2412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cAUwccEc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe""
        26⤵
        
        PID:4164
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies registry key
        
        PID:4988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        Modifies registry key
        
        PID:4760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iocQAgsw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe""
        24⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:3468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        Modifies registry key
        
        PID:756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        UAC bypass
        
        PID:3300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZWQIMIQk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe""
        22⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:3160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        UAC bypass
        
        PID:4036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BiwgMMUM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe""
        20⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        UAC bypass
        
        PID:2192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DcYcEwMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe""
        18⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        
        PID:1400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        UAC bypass
        
        PID:4100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JiUoQssA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe""
        16⤵
        
        PID:4152
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:4876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        
        PID:860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oaUEgIwI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe""
        14⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:1100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YeQwosYQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe""
        12⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        
        PID:752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IgMkQgMk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe""
        10⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        Modifies registry key
        
        PID:4548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        
        PID:456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JkIEwUgw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe""
        8⤵
        
        PID:980
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:1532
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2024
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        Modifies registry key
        
        PID:5072
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        
        PID:2816
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TuIEEEAg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe""
        6⤵
        
        PID:3716
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:3208
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:4444
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:4844
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:4232
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ngscAMIk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1460
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:860
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:2632
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:2676
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  - Modifies registry key
  PID:2496
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JCEYMoUQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5036
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:4480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2756 -ip 2756
1⤵
PID:2340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1968 -ip 1968
1⤵
PID:4756

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:3068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe

Filesize
140KB

MD5
0288e396dc8aaca392f63a2657f32beb

SHA1
4d281a1ea5e4f61e43a4a06c497f37e66afcbea0

SHA256
1e742f3ad1c4c2109da1142d8b57d9bb9d6e250735657aabbe52232669bdcc63

SHA512
81d3607cf57ddad6b8a00425ebd6a5d37e56dd2a270c34c6cd9a89b5753da59f6e13a99624d19840d33c0e9004a665e3c935a18ae5a73969b92cc2c8b328407e

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe

Filesize
148KB

MD5
44b28020d07e95f47d1a188278eaaf6e

SHA1
4de77104b13c6b49c950983e2532eec8467d57a9

SHA256
7ef29163a91777665b7bd7e5427c7f71053e02c06c0fee6bb1484297ee00fb41

SHA512
6d2c258d0aeee0b15206ae0a03e935756580ccf9f5a42e421642a7122b23b491249b2713dd8facb835d2abdca9a0d3a3a270d4b6d48eda415fc4edb8bd4205ec

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\user-40.png.exe

Filesize
110KB

MD5
f6f796670e2cbcb4a6a57903afb0ce29

SHA1
4b92714ec754fd2446f1d16124b16a3e6d9f3ab8

SHA256
f5e4a36c82b0f026fcac9f23b6dc5d3b8aad989f69e8d152fa7a15422c57942a

SHA512
94dcf169114d5fd9f673ae64d05ac7cc63ffc6fca59d858b3965dd12a68c7b073980bdaa08870b6e8ff6a04adb32f8cd9efa256be9b34241755deab815f3a798

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\user.bmp.exe

Filesize
700KB

MD5
fff4ff54f2c543add7e1a93f0ac40336

SHA1
c7c4c6fb993b41ebdc0ae2008f16973160a4ce4a

SHA256
5eaa8b599e3856fb01492b1768b05d03525993236f499de7406ac2e3b4094640

SHA512
7fb25785606a5f9cbf8cee9d3cc3335c862290478e3ffda873fa6b936716b81d12b5861d9076826b9b373e5a82849d75a9714ebb219fa63684ca6a41214551f6

Download Submit
C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe

Filesize
742KB

MD5
7d3b048cf6033871e1cfb44feb967e3c

SHA1
e2f0b67f299dc599d70d23284beefbd86db7dd20

SHA256
9135478c93021d0b737e2c6defedc585e5de4577a684e8cc0678ca55b9f3a24d

SHA512
9012b2822a415ec1f86b2c5a47a8214cc33e779e7ab97a2e57cc9065c7eb84436e0de4a7486f7e2144f6bebe40697bc0c69bbff201466a7f3b63c1a23eeb9891

Download Submit
C:\ProgramData\WcssIYoQ\LOwswgIk.exe

Filesize
109KB

MD5
925ce23797deeb323df3198f091964d0

SHA1
1e252b2cdf0083f1659e409b79501607deca9963

SHA256
024faab2b5e1e6af4340f7bc1d019ffda216b898f056e8500f09254c7bc05dcd

SHA512
c9057689202c14a7abfc0d8d71c920102473dd84229f88252829e8bed7bf26dcd698a1b58af02e59211829765e47d08fe0f6298730fd069e4051451339b6335f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaCritical.png.exe

Filesize
118KB

MD5
8a29b4fd340008e1e8898653b6d2b0f7

SHA1
1f2c314787182cf225d277d1410a8bc868de4333

SHA256
e27724fd472ad27adc178c1ff62c8791e9ba033dbf3b1a40300d4a0b7f7abde2

SHA512
20ea44465edf6b7945218a5819d29d4836e47505adc592ddb39987ad28141dc66f3acc6af99d47f18dbd749e6dcd8a3670cb5db4451b95fc3de44521b9b1c917

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-150.png.exe

Filesize
110KB

MD5
f632b742a43310ec50dd181c5d0bb80e

SHA1
7ce9555c88d3d1714858ea1d6616208187b6d1a5

SHA256
5c81766fbe359368d1f1d18dcd21de501dbce01c4b53bf7866366ec483e630b1

SHA512
1db02dc847c54cf09a64c573548b660f12e70870c1aa5b1b3d3ee845961e4ccfdeb9ab2cfa50ac5f23d838b35f2b35c74eb405416f90a0384b83e6af3f4e400b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe

Filesize
1.7MB

MD5
90cbe62727903f3e53f73588fad78527

SHA1
30d82ffeaf4cb832b373d070f0d055cf28efcab3

SHA256
e6f0d9d78427cb2821300b0a914733a6719e7b7ef392b9e4d427c1f45fa1b966

SHA512
5baf0539af9e4298e3ca7e5031f27131fbaa94901da3c77b1bf070c3c0721a48e6695c743d9874573b78bd1fbdddfecef78628692371c6b10d93dd32e5b7d40b

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-03-28_504af718858a2c430d2bfd4c2951f19d_virlock

Filesize
2KB

MD5
598ea3255fb276209072332552903ed8

SHA1
ccd234d34d488634569a4064a65d643e070e80ed

SHA256
fbe10c0c7d282e3136341735aa4a5716f2c32133828bca64f700c572d7492550

SHA512
3b80198ff6bbf9146d1f942d37ab3b1a01edcf634c89e4abeb36c29d7a80afb45f3e30d72ca3246f066c62fa1cac9ea6c3c9627ce5ccd4ca655516c0414632a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\AAQA.ico

Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\AppData\Local\Temp\AMwk.exe

Filesize
111KB

MD5
8bc7619dcd8ba09e1d1b8eca53ca43f1

SHA1
67e8109c9e10052118eef02d0248c84aabcb3051

SHA256
d6887364e3b44ca9ce637684817bf81032d23bcf4082bde811abc036473b054f

SHA512
685c684315c84159cd7115686f557557ad1f9e5cf40962736d53cf9823cac2f0076e0b0c1c167e290a4c374cd771dafcdd7fcb75958c12b0e7225ba3942624ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\AQcY.exe

Filesize
565KB

MD5
98bf86b1dd139c610d6e07f396758a68

SHA1
6933db917b0f65ea416927a215505e4848cc6c26

SHA256
5e535499290099d1bfd46eb419d4167d42010719e25cb09101e38ca0afb02611

SHA512
c916ad55d65b203ce3f5f3e95cf7f075cf54d73d89bd26b982a84191be5ade9d6fc5ac3782a0b9eccdee191773328440d6bb2bd575e836d61f2e31b4186f0560

Download Submit
C:\Users\Admin\AppData\Local\Temp\Acca.exe

Filesize
111KB

MD5
36e5872e01fa446e6dd521c6aaff47f0

SHA1
05f1c03f5423b6948b5aa65396da66c8b2335d2a

SHA256
d35cd2f18810df91efd93cf7be71ee322cecdddb3896067f61407069c5f71ac3

SHA512
3f8d6865da11a12bc8c3a9024bf60ca8eec81997c8667a3522033b9dca9d4a123c2c898cf97e616fb824cd27e4c64f8d6745c2b7442936fde2e25b01ba314925

Download Submit
C:\Users\Admin\AppData\Local\Temp\AkcW.exe

Filesize
151KB

MD5
59ab34d121fb3b05988cda709b554adb

SHA1
3a4130b946a50b08b5fa5b37b6b42f374fe4c6bf

SHA256
e6b4ec0e62b246ad8e1148c60aa377f3777d6e381799dea4e3feca1efe39483b

SHA512
02720fe572c490127223ec2b62f984f35daa07dd5bbc32e451c8b3d9924e4d5bfa902a1f352340639a3f1cd33aa2ce9dcc4a83d03fb3cc3cd3401959867aaf39

Download Submit
C:\Users\Admin\AppData\Local\Temp\AoYq.exe

Filesize
111KB

MD5
2eaa979abf9542f2c43c36f7315011d7

SHA1
21f0be7cce7d1b05ffd31b944eff065010e77f5f

SHA256
2feb696e297d77139783319f11d8b03ee61027d75138c824e8abef54af55bc12

SHA512
72946fe28b1a091a81838b4fb8aef7f32ce64db94cb4c0cac82cf11f62ff4a89b6552f8fce564502618ea03671ae3ad3fda455cf90494a65b1efa711fa51cff2

Download Submit
C:\Users\Admin\AppData\Local\Temp\CAgQ.exe

Filesize
207KB

MD5
dc63842fe5480f40b811258c1c269c21

SHA1
4a7368bfc91dc4e90daf57fdcdaab92a756e81bf

SHA256
4d4d8ac1151fa76c69a70f52a3d0ebf7001a51da47d53bd7228fe27951d2687b

SHA512
5bccffd3a47bdf5320f39dc0ac231bc90435e3abc6c1f5213164420bc15185ad8a329c878155138d40f0cf256f5e9820fdd21351ca9667eb3f40be0ba4488bbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\CMgI.exe

Filesize
112KB

MD5
dd4acef4ebe65f5e53f403c59d30ad99

SHA1
172328c23fe1ac8b71633adc4a138e92bb567ca4

SHA256
5d59af47c0b539e79e17dfdc7d57792787541920b61343eaa0b226d4b9a6a420

SHA512
c54ec9bd7df1b4d2070ceaedc31dd05e4e9c8f2d2feed1baa73c088811fad95d847100f4d99858f1b05fc955c0012e88f61452614284834e8700fd408dc41401

Download Submit
C:\Users\Admin\AppData\Local\Temp\CcYA.exe

Filesize
135KB

MD5
82af0d4fe7a89bbbb7f2bfe4f7775cbe

SHA1
aace296ef4315fbae81eb3da784b7583d821f66d

SHA256
215d2480ca0d0b74ff5871f6ecf9d00efe77cf8fb4b1b11ff69663d15ffc37d2

SHA512
a44097f9586ab63ef74c10d3a55bb3a00016aac97e025bea5c3b4f1ced7eb20887d5e5ef052aad2ee2831a5fc9a67a52a4b75ce6af2c253934c4fc90e797d8ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\CgYm.exe

Filesize
115KB

MD5
0aa6c4000950a5057b2288fb18abc866

SHA1
4ec4732544fd6ef9eb745062480d69be2de8bfb8

SHA256
6302691ba0e2874ffff9bd4f575efb1f97889c79be2879d47303c48c24c83e49

SHA512
0285fe4fad434a673d2e0e1fdb0da20c7047d4bff2d612ee4489f0b46d35abf942c1337ba067c1eeb9c03c7a06fe65c697d165eb4568853bfe720de90ad601cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\CgsU.exe

Filesize
137KB

MD5
7363b5f20b5fc60297f7a4e9c49a4733

SHA1
25675f17ab8fd67971769e869c6810f751dcf16e

SHA256
d69fe8fd8709ea72e546fed580b4ae6dc3f2ed66208a3e06830c3b2374d054e1

SHA512
d4979275bbb942f60560712fc19805f0d4a2a85117efd3c64d1e017be284e450f70f43ea051b586f987ab436b63104e38189f43b4a707051ccd9e55407cd19c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\EAsI.exe

Filesize
110KB

MD5
e8924f8a3d5963c8572fe87ef5c8ea37

SHA1
1436566b76bffc9fa2bd4624b7678f13b058587e

SHA256
bab320afceaefbd248eb88ea6fe44f2f7dbbd2ea8fcc49503b3fc8d3c3681ec2

SHA512
da59c67e28d7eabb7fb8e6e16f71f2403f7b0452e66c0140670d9203c6e56bbd9886178f460ea59f998979b66c53df6e7d6817ae01ab01fac0dfb48d0c9d1f8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\EQky.exe

Filesize
109KB

MD5
7fdcfe64f80afad61b88221d314f90b9

SHA1
82944f3ccca0fa35a29fe3241b94fc1d157e2ab9

SHA256
7ed548fededf50e7a19d6290e8f36662d94fae29ffe24557002b7d1d707e0d95

SHA512
b48f07455c0e1f82211934ba4228756b3bec2faefe8923f551753b1e75e2583a05b61b0328a35169ceff22c5e0db5c982e0a2a82475bc701b655fdb7996cf9d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\EUUi.exe

Filesize
498KB

MD5
f9a6bb675b575b0059af097d54c4f10c

SHA1
ab0fa8cbfee9b949931b06af0b43aa8ea03ff027

SHA256
62808efdae84dcd76cb942d406762d3e5afef6cbf329a3088e83158f584dc940

SHA512
2916f54043b3bd90090f8bb87dc101215636ccd26e1edbf2218124b53bb05ce030e359510e142f4be24bc67f64aa9c77f40ddb639f043dcb1a828c0372bdab05

Download Submit
C:\Users\Admin\AppData\Local\Temp\EowM.exe

Filesize
116KB

MD5
979c3c95251e0a5d51353fc4f0e60fdd

SHA1
238e4aafca3361cc8782865d256a13d46999ba9a

SHA256
1c0404a3e3235eedf236374e6d0acc03e861833f5e35319ef4d7a78aa301a730

SHA512
8a078c492653d88b6cd3897e6eb1ef31d6afa145dbf728c59fbf4bf3fcedfc9d5c2adac964fe01ea710b4c5ec7f2e50e388a28c040427443a78f57f7d2e9e2d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\GMII.exe

Filesize
113KB

MD5
4d8db8320c367dbfd562100194b78e13

SHA1
8dde2fa51358b5b0e24381089eca13d2b62055fb

SHA256
0fb5f0c06291da7092b92b89fd2a47fa8405ab78e2772defff2358340663f43d

SHA512
8071c3cf9e647ca9d4d56cb546fbb1f38fb0b9d3730d4a6b27cb7f826557f6578f324e1744d540beaf6a1cf238502e6987b888b5edf4b4bba0c50ba91bc47282

Download Submit
C:\Users\Admin\AppData\Local\Temp\GMUi.exe

Filesize
111KB

MD5
1c78685e8992676cbef7e6d9949177ac

SHA1
f9ee872f4417217db6c0b36ed057dab546f4d90b

SHA256
c59c5b34f31d553dbc42685c473fe9b20c97e49e1c8bbe37cbee2c71bef79d8d

SHA512
21b2537c37909f0e6cff64fd88f928e67feb5e28152187e844113edbc0d90b27bec0234531ddb51f679277ef4eaac3589aa8653e24c83a76cf032d46413c69fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\GQsO.exe

Filesize
5.8MB

MD5
6e52913df2c8fd4283a3c6d1ec7ccbeb

SHA1
444e6094e2d5c55ecd05b5b872173d7cea0f5e92

SHA256
d50e76142ea49b6a9b32a46259ee680a86f2f6ce17f00ee5a65779f5cd049a3b

SHA512
5556cfd00cd19b321a17c002fbc96d70e028d142fdc2ddda0f14f21e78928e9b21b1bd7f37f99d6c10eb95c4777adb52854ed99310b8f15c2ff765e9e58018c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\GYcw.ico

Filesize
4KB

MD5
ace522945d3d0ff3b6d96abef56e1427

SHA1
d71140c9657fd1b0d6e4ab8484b6cfe544616201

SHA256
daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd

SHA512
8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e

Download Submit
C:\Users\Admin\AppData\Local\Temp\GkYS.exe

Filesize
898KB

MD5
b04c6d9e700cffa6a7e26d202dead2c5

SHA1
321476bcb884bd969fdcd369602996a988d76243

SHA256
5cb83d0201eef325b980bd707edd951e4e418e5898b253a121f968de429a8d88

SHA512
1d751b1f69c336fffd15a5b27d8fc7f8979c14336c25a4321f6c02f0661449e2254f0a9cbe1ce0fe6992dd6befb22f6b7cb7a55170174c54bdf4320b9f00ac8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\GoMU.exe

Filesize
114KB

MD5
118b2efbc727ab2c6bc9a8703536a37c

SHA1
01f96e2b6e03d7ef362b5997e695ccfd157bc7dc

SHA256
9f7bc891d3ec5ad228871e1bf1a501404199e6c02e6145713accdeb468ef0cd5

SHA512
f92bc0c56205f375c02408b34972bb02bb1e6068b020dd4956c93b743796b3e9907326d18d1e2813b27fa04c789553ca813303ed57368740c2b8c23c4b91b563

Download Submit
C:\Users\Admin\AppData\Local\Temp\GoQS.exe

Filesize
5.8MB

MD5
e34365fdc96ef6a1197ccf6b638e2085

SHA1
d260d6ee667db5d0e20bc0be596e48aa3c5163ee

SHA256
6dcc09b07c41e022604f393ebf7bb8ecb3281a297684fb296d34f2d5a6161038

SHA512
1d3dddc33f616768bc75578df49358d99a1df59fa3f7e9e89749082172bc8e08b3f69d1555e7898acc76b12dea2160b414bcbab357377dd68278818df028ef5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\GwAE.exe

Filesize
110KB

MD5
775e48d0516ba688ec7e2d0f5eb02a03

SHA1
daa13f88d23f9e0c474d58944384e063161c8a64

SHA256
2bafd2c675f5be61514cca878a916b54a5a06a2b49a8087365891030e041efe9

SHA512
8464495255d2d44202db9261e92edb2f98e0ae90c3cc5477ac2e973e72efc4b6ba3ce94c7c027dfda9b59d7c9e6c0fef3d36d2b1dd48d7c3b237254b5b447105

Download Submit
C:\Users\Admin\AppData\Local\Temp\IMIM.exe

Filesize
123KB

MD5
aa20a27d844f95df67d28210d6c41cfb

SHA1
5ce21a0d06ca545852a9ad9fc3e282ffe28e09fd

SHA256
f86fd688c3104d6868d03875af4fe6ce96f2f95214bc9bd3f82eb9ef3dcda3ae

SHA512
a0303ff842b60e279fdbd8520cb3b73695e0b185178f51c1e9b34d5cedc02776c1242e23bf59a266ffec8c45fd13fd3c04438f24969b428be8f319833df165f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IUUK.exe

Filesize
237KB

MD5
9dd6c878655dd90805f4e34afa697548

SHA1
7756bc2b14b6d76a52d1f50f2158131129e3e7b1

SHA256
ef77990d453a8ecc7814075042365ae871406fb5fcc86ed8e1d4482ce6f358da

SHA512
0a6eb9e594ab54358b51297c6c1a301ca04bad96b3fd54a452f933a680dc14f065a9e8ed224b94069de853d86cc212b96f1dbc846388d5c93badfb2b93a15af4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IYEG.exe

Filesize
699KB

MD5
0c8d49b108b8118fc6add346ce309e37

SHA1
c86757a0fd775c89e833d32c930abb3ddb651f40

SHA256
c0188b36fedeee283bac857fdc0e0eb0a4888b5d8691616537a7137176d728b9

SHA512
c37962199916fb9fd6bfc332d426784248c89db26ac4e34357e9deb0d29fc8fc5dd84210d729980a0f2386d42ce4ff86ff28a31421c8b1e41a1151489c6a7b14

Download Submit
C:\Users\Admin\AppData\Local\Temp\IgYg.exe

Filesize
112KB

MD5
8528156c335f9b54f23c8518913ca26a

SHA1
75e388b7acd725905cf598d729dccfc5e62899a1

SHA256
7f501c30ebffb74043c21c00987d596ce0d7559446cd12ad3cd7d16f2d90c79f

SHA512
b4f994a501ce4addec2bb48a376128b2b325f8f9c59995759b00ca7169f8a2e3f5762eb273740923b4d4f0575a61da7b1d5021e2ee0cd730ca9231dba23a3c6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\JCEYMoUQ.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\KAUE.exe

Filesize
111KB

MD5
5bd853073f13095b57034f86d48bf1bf

SHA1
69012c03e29f47cb342b0090e08a6369efbe994f

SHA256
d8a01b6202375169973618adcabfeb3803551629c5ac541e0137e22a9085f71f

SHA512
c2002749ae6670cd8f59df92485d57d90f981364482470f025d93e7141a70d82027bd10d0e6ac3de04b0ef9a1a7b9c9253fd7de265851e68e2cd2e3618802213

Download Submit
C:\Users\Admin\AppData\Local\Temp\KYUE.exe

Filesize
121KB

MD5
fa27999267ba0e542b8b00f4d078d784

SHA1
6f6466359f1c75432be4ea3a74172b427387a28f

SHA256
924265212faf411384f264fe82944c9b2f2d046c365b8860c7accdc824455f06

SHA512
816771d9aea68f167d71664d501ca9cb558996d7764ea3f347f0b17d5c261278dc737367ee9ff1930f2a7b4ee5efad04d9299b527fd8fad3c6bd8b35943f585f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kkow.exe

Filesize
114KB

MD5
44a1cd220a4eb3ddf0f6928e99b74907

SHA1
dcf98ee973b10b5c5203464128570ae89fe6ee30

SHA256
720cc66ff548afe60c8fda80c8cd3103e3efe4cd85c280238d24ff8bdeacc2f2

SHA512
a12e0174659bc38ca58256d95b15b615ede4202283693bdcc1f436d40a15fd62cf233dbdb3ca907077217795d4e307dc45fae17fd909b1d019e4f6c8eebe3d7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MYoS.exe

Filesize
110KB

MD5
e6d32e51fe53147144abf3e0b10a64bf

SHA1
c2c8bb25532de40ba75bcc5e144d953a50419454

SHA256
b89b2862892e7f4816a19a7ddef2f8cd96fd80ebdd720e00b9fe51b4fcf82a64

SHA512
d9d7acd279bdcde75a16107cfda3dcf1e2eb51c1861cbba6a629ada3b9b01b746fad8bba93bf4863091c7e21e1eff4fced04f62b650e2ae5b2e6f4199728419e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mkwa.exe

Filesize
123KB

MD5
3aed2238fa172faaf0d3b4baa0a2e247

SHA1
75d13cdf7a85825b23500576e92245104a7c6a76

SHA256
6d998a5331eb817fd8e299e8bc16b0266dfef426fbdb239a93a24aca3561df65

SHA512
e34dbb6adcbda1c0569e5d52fe85e32619003025474762f05a24d23392e90846456725d4e9aa2231358e87350e0ada9dbce5574870e19a76685ad40345aa1857

Download Submit
C:\Users\Admin\AppData\Local\Temp\OMok.exe

Filesize
113KB

MD5
ec79baefc672118698cb76927193e706

SHA1
863f63995bd5e819c7808b3756d3ee6d2360cf5c

SHA256
235f17a2cc4e985a2f8c5a5ff19f1af5aa5c3fa84c385b90df81e85fcec9aa32

SHA512
ce3002005d5bfc7dba28db871627d8d0f3812e99fd73c0f56afcc9ddde9e635a69492a9f1ce332ad298446338fd3e14b7d9a39e66742186df70c92af15fd2e23

Download Submit
C:\Users\Admin\AppData\Local\Temp\OUwi.exe

Filesize
118KB

MD5
a63de1090184fd2023bfd7f6b8ca4440

SHA1
1d2f56362c55d900bd59bc1de6bdcf8191025b61

SHA256
173d4e7bcdc72f52b47a44882627b687288e1bb96e83fb218ec9b784ff8126b6

SHA512
bb61f3a297b5d0261239ec43387fd8c34d57836afc19dc82a64e827b492b0790799a7b15ce4bea3c1db5dee621c273bdb825559b09ec08bb27b3c8f8e20d7070

Download Submit
C:\Users\Admin\AppData\Local\Temp\OYEu.exe

Filesize
721KB

MD5
11040147b000a5b85a2724d63a3c4641

SHA1
a74cbbd4f1944dfb01a511fcef14683b3f7f95eb

SHA256
ccf4b7665d218f501001c081011d7c699a9053bea99e61b978c6468c2f23ec77

SHA512
a303582d1563808180d287c6bdf3cdcaef1c780ec617ccf65faa351289b1c3b8f5facdcf773522cc96e404e905066a7999a2427a22c91e9e1e251aeb40928c73

Download Submit
C:\Users\Admin\AppData\Local\Temp\OgAU.exe

Filesize
110KB

MD5
b1283a89b0b18e806e8163bcec2a9d28

SHA1
fc9367e790ae401f29689be0ad3b99d9c3187d60

SHA256
2bdf41beff5bdc0b6e8043b6063fcdb0ff5f60f3172bd6f2d78b847fa7c96dc7

SHA512
fd2f9c51926dd7dc337ed323d3ee2649d1357bff066ea4c3896e74cfdb758aba3c9dc938621f2d8cbfea20b3e6d2d5984cf798e1c17cffcca1aab3919f423ea6

Download Submit
C:\Users\Admin\AppData\Local\Temp\OkgU.exe

Filesize
110KB

MD5
d4d026e7afc389bc5fa4ccce553527d2

SHA1
4c7e7202d20868f1436da03fddf5142637ca5c6e

SHA256
0a6fdf9c6e18eeeee934fd6ba0233a4a12de9dd4c99fb6f253d3b7165e244832

SHA512
49a0991a429c82f5b4320761a76675452bc7868cabd284e8d514aa6cc4062c1b3ef98ec9fb2fd070d2b8f0b8d13444067da696fd9b7ebf0193e32d17bf61ae71

Download Submit
C:\Users\Admin\AppData\Local\Temp\OoII.exe

Filesize
113KB

MD5
7e09097a43dd66f4091ff4082031a935

SHA1
85394296a5e3071ae7e4ef4dfca54cfc1350134d

SHA256
1a5b6af5b90ca0d165fbec9cee9928a46b67737c79d9b0f848f27521a6d33473

SHA512
7ace3aa1c4fc5aaf4362c98d46735145e10ad5555375d821c4f90bedb4b5bcab0a6c9c13de27e536d241efc1e340882f2c4896230f1245b5793f2afeb4f5862e

Download Submit
C:\Users\Admin\AppData\Local\Temp\OooS.exe

Filesize
235KB

MD5
5a6eb32eee3c89dfc218863785285165

SHA1
3c9cebd904512dadd16efd52459374d97544eca6

SHA256
2ae44b1d370525e3eb82f1680b0a08e11eec367a4ac8d62b062f945bd94ed93f

SHA512
e1d5a6e8c7e9e681a0221593e3204dc8734c663c50d7b3338102cb7e913b15dc2be715833a07c1436a3816c3aaa748b0fa34db0710785a8210a3ed0e647085e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\QYky.exe

Filesize
111KB

MD5
e7d148a29f241128a5bba451934cc266

SHA1
348127279e3ff88a4dd766e9e6c5338e5fd41b0e

SHA256
09be973ebf1e09939ce05bedaaa871964be00d6b8832078e7716716918e8854d

SHA512
53bb3f4485baa47770ce7575c8f87313a0827e2f5695f2ce57ea5eecfce0a3cfebc9597db64c20ea71c7c00c31adaee50e4a337338a31ee9ca6dc742bc5cd8b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\QsEi.exe

Filesize
118KB

MD5
f936dade433de53aef0cda6fe755d87d

SHA1
172309f6fca7dcf56f8d85b891094b3007d33d21

SHA256
de2faa2fed3b2223184d34521f7c84828ecfda74fc0cb5a7a43366ac19960336

SHA512
6b41d75690409b1306f768eacd0ec26cd6ea4b061be19c50e75e1edc428648ef7866bfeb5d1ed29166cf24763eaee72eb873980bf4cfe2754458f201e7a3caa3

Download Submit
C:\Users\Admin\AppData\Local\Temp\SEkI.exe

Filesize
110KB

MD5
b7a6b96e3f0253bfe2eeba237a29b27c

SHA1
738c80be815e147d33d47376f2cab62af79cf7e0

SHA256
1b06060b923e8e55520f33461c76b192de7bc1ace2ea66e56c73cbe6762d4d9a

SHA512
d0246c420413ea3d452df6bfba9c682d1cb3247d497269cb91286f5aa573442623e0e957834f824008c3403cde4f9a17b381eb8f4deeea295774abc1da45c584

Download Submit
C:\Users\Admin\AppData\Local\Temp\SMEW.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sggu.exe

Filesize
721KB

MD5
308e68334f4d09d221704b4bf196d92f

SHA1
becfc2a05ab2a557ef5e5cf30adf28fc15b6a117

SHA256
02449b7b11bcb0b1a5d60232bb944c5c4f41498ad71bee6861e2babe6467509f

SHA512
cb70676600f3a5b7f1f514ed03128f6a2f906946385e256938284ccecd1d75e6a0c2ed831a6d7eb9cd8bc389b2d9bf0c1449f4ff59531811d5f478dedeb4a921

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sksk.exe

Filesize
323KB

MD5
2827b0b40eb27a6e3fcbf19b33c99cc6

SHA1
188bc59166e2606d7c7db64fbacf458dd49a82ce

SHA256
dac284f6b404b0829684bb989acf3a6ac9a109bf8cd50ac8272186b7b85e801c

SHA512
689b8fbbfe0b86c08e2e69cc95d8086ab5276135299d2f78fed3269408ac90a1b5371612c83e7d7f7756f611ee263c639cc05125489e63bb6b543f8eb440fdd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\SsUq.exe

Filesize
115KB

MD5
efe287837672f645a016982f99a12c37

SHA1
4e034c826a77392506363456524b5907a07b8f5c

SHA256
7729ed2abdeab398d762b1fa35d991740ac790d4e1715c6f354e1a1fdd327b44

SHA512
17b82619da7bb73e8a8d0740edc6217e24ae9772ea6e7e711c08e839e7436f5ad544d06a01c02160037d151ada35bf6709b167e3900a069bfc6e1859057e754e

Download Submit
C:\Users\Admin\AppData\Local\Temp\UAsS.exe

Filesize
1.8MB

MD5
dc5c1bbd8a304f941472f1b82e3a2e1c

SHA1
a833d72a8aaadfb38ca1feedd25c9c8ca05c1577

SHA256
f9713d6a11e4ab9ba014a209f09e74bc7e4a855049bd0e4bcc7afc94e750eab1

SHA512
d60b22dce1b1101db24751224e379a2f8cb159eab22345cff1f7730782d251b7939de319d0e5f6cf7bcf72ea9db9cf6e1d393c05844caa9d9ee35ed7c07b7e02

Download Submit
C:\Users\Admin\AppData\Local\Temp\UIIy.exe

Filesize
113KB

MD5
277bef4689fd385020e7718e69230b02

SHA1
8432f0e0d2e35519748660925be172a1eccd55e3

SHA256
420c0c76042770d8862b1017e0dcbce1248db775914f27da2c53b4f70f8b0efd

SHA512
846616dee0bdd9825b79df3b5e77493e05dd539ce4a45549ff460d7ac849b4412ccef51ea5583942d123ad27a9b70c299f6f0403e68c7691d32ade4d4e2f24ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\UsUQ.exe

Filesize
5.8MB

MD5
0a324985cd53c316f2e32ac8caa0023e

SHA1
cd931763c4660525ae0089e90d3b918717318475

SHA256
a0a27004c4aab91973d17b173db9e1b3b7a78bc10e927863725850458f3be44c

SHA512
499098f1b1b91118583dfc44df857545a8ed2cc2e4dd8aa365369464d48c873d8eb7d44aca879bca384d65c42ced05432b2eada0481ec7ec20ef18c6b5f063fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\WMQi.exe

Filesize
111KB

MD5
0ab48bb8b84ac0f0cb7699862fc08fbb

SHA1
a8a9a673cd6574b6e3149910165141b0e2707086

SHA256
beda79693cb4d1bc74162e352d349773a96627033432e38de4eb6271ed4ceb83

SHA512
9203916c0bc85a374532c00d15ff708fa4ae03fac6c2ddf69cf3d99a2999324f15cdf5cb1f73448fb190aaa0e3b6c13148d52db654462a24849f92c8c40174b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\WUAg.ico

Filesize
4KB

MD5
d07076334c046eb9c4fdf5ec067b2f99

SHA1
5d411403fed6aec47f892c4eaa1bafcde56c4ea9

SHA256
a3bab202df49acbe84fbe663b6403ed3a44f5fc963fd99081e3f769db6cecc86

SHA512
2315de6a3b973fdf0c4b4e88217cc5df6efac0c672525ea96d64abf1e6ea22d7f27a89828863c1546eec999e04c80c4177b440ad0505b218092c40cee0e2f2bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\WUQe.exe

Filesize
110KB

MD5
ba91c067d43c7e404765c245115115c7

SHA1
6e0d386a281fc962a1bcfa7b96389003cfd62810

SHA256
4c162c41c36922dc7c9b619de4ed89512ea530881ff9fc2d36110914e05b8735

SHA512
d2ca057f82c77e980b000f80cb15f32850472963e195c872811c7bf3cf311131da9cc49c9f4e3bcba94a7433b229d77fa003d0160ccef85e04b82137d6acacef

Download Submit
C:\Users\Admin\AppData\Local\Temp\WcEi.exe

Filesize
115KB

MD5
0cf77fdfe02f6b2f1d058b3eb3ad675e

SHA1
55b4eb25387021ecdbd4b9463e35a73e3b476ca5

SHA256
37c773d91feb64525e8d83e7912b1ecfe763e762954aeb57b98f8ebcd4c8bb13

SHA512
80ec9896cdf10269600440363a871630ceded1520fc276035e81c39fd85ea9d6ee95511832321f82b8329e644ce6e3196c118e2ced9a3b04c7499e4f0fc563d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\WkYm.exe

Filesize
236KB

MD5
bd78e65c931aac37cf962c339aa75eb6

SHA1
e40d536abf14f9a8ccd6e83bf435018792254764

SHA256
fc19ac6c43f60f8d67b4645ebf4cc40ea946f1e62cbc5dd85c95395e5202a2c4

SHA512
a65c12bc43c910a54547b7b7996d3d14a6635fa2a7a4b4f21fefa8a38efb07adf84e2a246833d713192bb6955c5b4ce0de40293dee7aa2e19610c677873d781e

Download Submit
C:\Users\Admin\AppData\Local\Temp\WkkG.exe

Filesize
110KB

MD5
f2a5f42941e13852cc00af3f094c953a

SHA1
45142b983ec2cd42387d051e46649739a5bc78c4

SHA256
d9f52f8ebbdfc0c7148f99a6ed9c55fa62b86249971619f9c72e17eaa6b24e9d

SHA512
9232c2e4eebd6ea87d04106f80b2624c48f482fd687ec71230a86136749e8a34843c208993a74fab322a807487f45e3c661c3a561504cabe95880d0e42b35cbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\WogU.exe

Filesize
743KB

MD5
4336ecbb048474449e8e00c00570f3f8

SHA1
e17f6de0e46c5cbdb87dfc7c85e72bf7e200d949

SHA256
2684c194eb4c1b73402d2ca055335ff2ad226c9a32768464b627996a7f4d041d

SHA512
babca115599be423105e401eb779feb0836c3147ef88d6b1b8d7bc43d2ac723f63b5d2dc55edbc4e4418cda8f01fad2856963cbdd264d946ecc33b8aa932680a

Download Submit
C:\Users\Admin\AppData\Local\Temp\YwkU.exe

Filesize
555KB

MD5
ccb53588367eca23538f6beb8ad73a82

SHA1
bf1273f7c200817437b9cd477921998e5b5f2187

SHA256
01ec06bf718a6a48f56fe0d1cf568b68c237be8cc764d8da4b2d6f242b2788b9

SHA512
128c68c295a4a5078e049c2cdcbde0911f7ecabf095c9599c522b10d3b964f1ec22a40432a0e605261fe7f8e61f9a5a8df30eb2784f3fae27b787e2b201c3962

Download Submit
C:\Users\Admin\AppData\Local\Temp\aMAC.exe

Filesize
112KB

MD5
f5f970068cd460464edcc9220fbca7ee

SHA1
5403716d60abfcad6e43d7c8e7fe303e77f495d8

SHA256
0a55a44b5ad63b5bafc1e34eaae28d889010cdc72a113c643e957668b62043ca

SHA512
f7bb4e5e81feeab1c4df7dc717aa5f248e42a9b912d209ccbb476488b16b06220417eec18cc9b651027d426a180b0735ba01250eefa129a602a69879775a2cde

Download Submit
C:\Users\Admin\AppData\Local\Temp\aQsQ.exe

Filesize
154KB

MD5
bd1b4b1731244769e2f6d382c3eab214

SHA1
aafa47ba051ca60c94956ddb1d4cbfa44741724b

SHA256
b306be3e399e18a25ccc2d35645824b4e7e466f5e86b0760a5ca6bdb53221335

SHA512
e3dfa9922284119c523233c531c48ff27fb137b56c3b2f8253e754dac5402c306e40b222373609ae9ccb6385d5930ae0972945c8306ae456cc67d34b3e300fdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\awcS.exe

Filesize
527KB

MD5
d4591848d6bdcb0a583830e536127928

SHA1
70d4e8e104b57212dd97b2487eed5f8d140f9db8

SHA256
10be9ec3afbce75a83da6aa8bc065c643c3af41af5cfddaf36b0e38ebb8e9b39

SHA512
9fed4324b837a09d6ee6000fccee9e29634d3599db15e1c3709a4e83158189dc3000abdcf445f73b62bd8da3af8c3968061f051e7926fe199f9854266e2e9077

Download Submit
C:\Users\Admin\AppData\Local\Temp\cAoa.exe

Filesize
555KB

MD5
b97eea19e832d3b58e60b017b2813198

SHA1
7843598066fc1e15056a83b1c228de881d4bd89a

SHA256
cc8517d93f8d0b1d860399cc95fab7701e8f0d9b60a87a74ece4bfedb8b299c5

SHA512
23db31c270495d6dcaffe236f237d5beef9daefda724a6c12ddcf44cb02017b04b125a6fe4d599e0ace0b181519b7d0c9c7dbc4e7cffedb7a964c53ca3483a47

Download Submit
C:\Users\Admin\AppData\Local\Temp\cMQm.exe

Filesize
112KB

MD5
3c733e6dbc4ece76dd11980d7053e6d4

SHA1
4d7d0afcd4d9e4b4a61fb4a1e485cd9c17b94d64

SHA256
9418333bbd2366ecfcef5446860c288368883acf5137fbc4aa55d3069b0eff2d

SHA512
33b3b5bd54833c4ef41aa7cbaddc47e7fc224635eeeb15f4ce5862cc0135daf2b003adc0e813a6e0ce28c5e13ec4a479cee2200771f44142323b27f9dafebdb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\cMwy.ico

Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\cQYW.exe

Filesize
111KB

MD5
24c003d8fbfa724da210e7aff3c724d4

SHA1
2a32e4bcbd25f98750cbc64bde6202b64a372d3e

SHA256
47378f4939d966e183a24b3a3105ba3dd08db7143db371216adac2c972a4f110

SHA512
efd7081a8e2ba23249fead4a178057cdbb2ff03c44be328dfb797ffd9853cdbf63aa463acf11d6f8cfda8d6fb111672f37e1b6bb256b76d5ee0c540d067b3206

Download Submit
C:\Users\Admin\AppData\Local\Temp\cUYc.exe

Filesize
5.8MB

MD5
3432b1ff5cbe0912d8e5911eea8b3e49

SHA1
3c61f7b4350b7bcac03c321b7d26c6e3f8760e76

SHA256
987d3ded0b4dc13ea692d50d74984b222b459f7fb5e0c0752c2c5504916dcd4c

SHA512
77fa8af0016a53445c2469b732ef25f6f84f5fac3b44269727f810ccf740d0971098f55dfa28e149c51d10a238e0f328ea01bfc97ba397adca030a3af6247794

Download Submit
C:\Users\Admin\AppData\Local\Temp\cgUE.exe

Filesize
110KB

MD5
4cb6a4094465474598e8745d1bb97cfe

SHA1
bca49c5c9287c09fceb1bf9200bf78a6b84c92ce

SHA256
8ba32d1a875ee678ff3166856f4c076123c3a28cd4a64871b5b0b70cc8ab31a5

SHA512
5853e23ca1c88ab458164806badeaffbc20bb10de2e81e010cc1718e1d3cc5781ff007ef8ccc27489d24e23c2a4c6fa693eddf50fa10e01ed5088a35801300cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ckci.exe

Filesize
110KB

MD5
1ea88aecc51b53126a17518f06a245b3

SHA1
2b36b0b3a999627a62ba01e03074fde671dbb6cf

SHA256
15442b8a68e64c282fabf98da12abee2967e64b3a1b25b89e3fd124c2bfc6a34

SHA512
78b788805d1c51f0535db4054c262bbb0200e6eaaf029017f20be922d0b889b8674fa460251b2309ae2861d206f227a48e2d01f930b2218bb032fa9f9f9b7d47

Download Submit
C:\Users\Admin\AppData\Local\Temp\cogM.exe

Filesize
565KB

MD5
f9f8c2dd8bd1cfe1973e939ccd9b7c8a

SHA1
677c8bdc2b3e377ac323d8f792d5aabfbb041262

SHA256
e29b12b51e1510dfdd093b7d97dca3746068f4702f6f776d5c6703ce0948a1e7

SHA512
1fb7370552481969cb1fc2f89f6ec80dae8f5db23a8f853258ef04406dc8bd3e9f0b2c2311e8fdf780829ec23a2558cb0abc5575dda7ef79728a055ebad4c295

Download Submit
C:\Users\Admin\AppData\Local\Temp\eAsa.exe

Filesize
112KB

MD5
6085ad2558435fb42d4fc80784b3ac7e

SHA1
fbffb2eaf19968e7e54ffcbb7d4f5a70c156e19f

SHA256
f40e302d2ed7a275a0a5937472e8d9f91e489b5b4c25d1064486cb19ae5ddc15

SHA512
bad3197181b23bf40a94792343f5ba1ed7f884052ec0b69243f94013fca58d9a6e106ec8b2f829bd04d630b754517ea5acf7331f6a3e622bd56b5b17310e5e54

Download Submit
C:\Users\Admin\AppData\Local\Temp\eQUm.exe

Filesize
115KB

MD5
c2bbcda230cd13258a9335106f7b7ec1

SHA1
38590cb227c9a1448e24bf49ef7c90c5987f0be4

SHA256
5261eb9c157a7357a6bcb107a9c77180a340e1119513f6945cf0cd70535b959b

SHA512
3dbc2e08d26e14ae3f4ac5038ac273a00331a68de5941271488155134822eeccc06c7fda2feafeb6253c03f037fe3c3acf2bf0f2a8cbe935a56e3bc72f129111

Download Submit
C:\Users\Admin\AppData\Local\Temp\eccu.exe

Filesize
567KB

MD5
73390df418eea509c14f23ecf7844958

SHA1
4987512111cb6e5ca36e153ae244df8e80681e84

SHA256
15683cd2eb59fe414f2847b3386b1608cc88006ed01c796a39f2b4632253d02b

SHA512
0229bb39b2f7e9cd3641c64c9e4d04cfb9385fa5b0e3ca03f83ff67bee8a1a4d5e339e436390d310a63b34b42e3bcd4015487042c80fae921c7275e4745909ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\ecke.exe

Filesize
299KB

MD5
7bfc0ab1f548a424e90568d2bcc53a04

SHA1
b52e5a2d90194769a7727e2103dbaef3b90bbe49

SHA256
4e8cbd027dd633d8af818f218ca31eb8a1a0e22b7cf970ccae7954017f0a8300

SHA512
754756126100b9ca7a7dfc6fd011d6f8931dcce325b0517a258f6868fd65f1386dc4b2aaebb3a5118f0d67d8e42e7692543595852bb0fdc49174465555c00057

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gYMg.exe

Filesize
112KB

MD5
da14f637d02616df1c240f28c32166f9

SHA1
34e1f78516cd18a0a1412c0a71b0d911061759bc

SHA256
5d1faa3aa305f6c65313759f58911be4d38b0d3b783be1b79ddc0bd8b9946955

SHA512
1b2dc8de26221fb1a805a2d20d40219d92e3f46bc23a982c6c88617485419467c64042024c2a04a90c7a8085a6aa439629e07dc5912dc6f980b09e581e40b64f

Download Submit
C:\Users\Admin\AppData\Local\Temp\iQMm.exe

Filesize
111KB

MD5
bbc7ee2d1e77aa2438d2122ab47cdc43

SHA1
be1573819b39a676875e9fe4342b339d5bf734d1

SHA256
c88a931b23ebd80a979cb6be90720ecb9cfc2a34975b3462dcff239766894fbb

SHA512
738470e56d5749be3ce4cca31414ca3026b2e04ef2bc658868a933a7388df437f1ac1cdae20e02cc1527c14473985144e6d6369e1a6861a5fa014dcbc2a7c30e

Download Submit
C:\Users\Admin\AppData\Local\Temp\isMk.exe

Filesize
110KB

MD5
845934c9b3fe6c964706d009ad8ec2ee

SHA1
70d41b3c6658b47bb99c8b206125c1260e7f58c9

SHA256
4d189e1ae37a725eb1560396ec5b5ea7366793e2b0360055dc00c4385eb6aa6d

SHA512
86d758d0890c8e1b220f8b443eb066ca661b2fa4f930592a5d237e687826ca1c844e2427cc1701f8bb836e662b09696e6b4ec630702cdb3400b9c5611a0d6197

Download Submit
C:\Users\Admin\AppData\Local\Temp\kgEM.exe

Filesize
113KB

MD5
df8e76f4817e773dd74e863b2fe4e788

SHA1
65282b5d9c09aba1679e207215db2aa2536b6126

SHA256
203b3b6b72b92c3db53206165b9bcf5e657f3ce5bddebc19359d4f58a4ac8581

SHA512
39ead52a9b51411f6b5052043a9eb3b4ff1162513041aac5bfbc50321b885599dd31b424417df1eff7157981e94cda49d4f437ba0fddffc6de9bf66fcbd301cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\kggC.exe

Filesize
929KB

MD5
58998404aa4979dc8b01c50a31b7fee2

SHA1
f06794bbe4f32d2468b681495c269ed9d1fbc6ae

SHA256
4d60e1e700edb94f3eaafa7fb0d2a6db4d48fd9599c0c0592cd4e031de62e664

SHA512
96054386fb1f41822419d80ee3c94a30f43763fa6208da803be292f55d0be80a9713e61266a08378dfb3b2675c9a16df25ff2f5dee14fd8bd5867ee62fc96911

Download Submit
C:\Users\Admin\AppData\Local\Temp\mkYW.exe

Filesize
5.2MB

MD5
408e50504d058c8e05150464f523bc91

SHA1
3ff1ec5ab752624eabfb46f14959f086071591bd

SHA256
b2ebb4bbfbcd59b98f3bb325a4680fb90f1779dc3f4ae610141a032cb9e2afb7

SHA512
6128412a7389c134792bcbaa02e9ea4f78554855edf5cc2529d14c576ee744f93ce6ef4c2d9c9c2d5e3c31669914bf10134ddbb2b45dacddf49eb5ef668e5151

Download Submit
C:\Users\Admin\AppData\Local\Temp\msMe.exe

Filesize
111KB

MD5
c5ed13fcf1dd839c8cba5237fb986a0d

SHA1
ab2ca0dad5052d296efb150abdafd77f946c6e6a

SHA256
77d93dd9b5136ac460b38dd823cf394dc4d5bceb05ccb7921ae3bdbf35e97fe6

SHA512
495d2a34f7f1c30d234a3f589642ebf5758b3fddc71ac4c5b992d01f86bffb7546fd47d5e1f7471eeac138cd8be5552a02271614bfee8eaa2ebac31887ca2427

Download Submit
C:\Users\Admin\AppData\Local\Temp\oEEA.exe

Filesize
112KB

MD5
355da2915db1cbffbdd0ae01787d7d3c

SHA1
508861c3556e2b7856a75d1507184b94f051dba7

SHA256
fbd3f6dcd86e26bd77885ea0c55bb9134f4147999cb4539ed0b318f2d4dcb6aa

SHA512
2ead34cf1a0f4ed64f3ca31da575d1d19e2fa77d376e6ed4c86bfe5fd05a76b6c2764b68be45abe974ffba4f20444cfe898ecbfbee11f40330fa4f9022ca9cb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\oscC.exe

Filesize
117KB

MD5
bdf2460fd10f2122fcf0ae48ac2331a3

SHA1
3ff1968daed6205209e10177bd842632dee910da

SHA256
3c88a843ade4d361ecd3faa9501c6e6586194a41a67f4ca9338f5f8f010fe27c

SHA512
4e0f91ff8e8dead9cc5f710e66234442055fa0d4108c80a8bcaaf78a37e85fa393e53c4065a1c71269931fbbf47198f9afeeaaa94e3dc6f1f342db07c2ff364a

Download Submit
C:\Users\Admin\AppData\Local\Temp\owcO.exe

Filesize
408KB

MD5
6be0fe27f8ea57550191d15fcf0a4221

SHA1
0ddf7da63cc1de0460109872e39da79d1e3f343b

SHA256
013449cf67e1243b1c1b36751fe79d29a87335c2b8c9209a73b00f58e3b9bade

SHA512
75e86f1a15ea9c67dc087bb0802013d7ea3580338da9fdd1f50be02ce19c2aa6fce31bdbebcfe1000b47166974a19ca7a9d8beaf70332e7033bf28d148a87734

Download Submit
C:\Users\Admin\AppData\Local\Temp\qMEO.exe

Filesize
349KB

MD5
ba8cb4614a83b034862b540c8aedcd62

SHA1
382a64cf98a85f6bcd8351c98fbaf3280e81fd90

SHA256
f5e08cb559b8809897bf8f4b0e3a4b354c6b708a4176544ab0ed048e115eb7c0

SHA512
d90b92b1e6587787418678fe0e9f8a1bc169602af01c02a587463085cbacb4994a1b48a7a1bb317686b73a50c032ada9d2f5a1ae270e3a7e71223cee88c3e9df

Download Submit
C:\Users\Admin\AppData\Local\Temp\qUIw.exe

Filesize
111KB

MD5
3c613fdd1aadb48d99f3c255f507ef4c

SHA1
b7a0cea83f7587d439f41bcaf2644860f6ec57a7

SHA256
ae66b2cd6e8a91d5acd4b81b720172f5c3946c630113ece11417739ccfcba474

SHA512
ef043f56045bc191799207e5d0b6ca02c6965c530af41e79ce63d917186339a4bc2952544804e7259389461900d9c4385b0a3ecf33858c49dd567c19d578624b

Download Submit
C:\Users\Admin\AppData\Local\Temp\qgAq.exe

Filesize
113KB

MD5
6c5b3390f075ecca5b704f9336757fea

SHA1
e024ad01f41895b24a89d0aaf5bd2e6e4b6cb202

SHA256
7aa3a9ca06a57c918d648a1d0bb79a7fbdcc6e65afc44bcdcecebff0bcc3b37c

SHA512
b3d91660d54a06e03b2661cf19741b8aa1829b11b537535cb8b50df69bfd130526ef97a3de384d7ad42f319334eec0159e0f31a736c2e73b5c1b4379659f4541

Download Submit
C:\Users\Admin\AppData\Local\Temp\qoAo.exe

Filesize
138KB

MD5
a678719b30488cf5c6132980c30299b9

SHA1
6ee38d520ab743013a932677817d9a0d7193249d

SHA256
f65d1b82e35ac24ef7e00291df536ff02fc46ce56e738907fbd677f321e74ab7

SHA512
210371c3e14076b17126f62fcda4652461a16078b2d98a46c1639b8706e6e9638be13b3d8b0b2e60fc02161727d46c391128face300b88afdef7299ac8d9a546

Download Submit
C:\Users\Admin\AppData\Local\Temp\qoUs.exe

Filesize
125KB

MD5
a142762fa2a869534f8d1b29568ddba7

SHA1
c63ebfaf30e14f0cb8d82d310670d1f7a114bc6c

SHA256
768ffd8a8bdaa819d835b4a64bdab858dcc93277d2d8d3e435a27901281342cd

SHA512
d63df07d5ca25d294fa24c02205636a3387b94b061fd5d43fbcf91e161fa0b1c1dca79b9edba25ea64ab98ddc36a1bfe1d25b470b12cadb507fe20c082f28ed1

Download Submit
C:\Users\Admin\AppData\Local\Temp\qwEg.exe

Filesize
109KB

MD5
a392ad9b788af37b5722e89ee8e92092

SHA1
2f11be1937e226db44c2245ae33b4d3cf8064722

SHA256
1a458339fcffa104ca8357d2b25981e16d144aef2770c791ee5181ae8d9171e5

SHA512
37c448307221a489293f70de364c7e27ed8263310304e98adb1d638bcb674ee4188ef624c4595f61549c1949828e900c8b0c5ea22557eba867b025368f43227c

Download Submit
C:\Users\Admin\AppData\Local\Temp\sEce.exe

Filesize
119KB

MD5
f60b918b7eff82ff14f653de50ebddf3

SHA1
ed1686019d3b0b9f968ec61e5f138ffc9029bc67

SHA256
5919cfc866651ac3baf7534190fdce84e4cad043dfa68b0ae888c5d6aaea273f

SHA512
859a644691f0aa20a15a148597c8a090ab6745b03904bb209bb7780c194ee65e11f8183fec230f466770970ff985a205285e3b04262e9282a9f329c6697fc7c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\sEgG.exe

Filesize
856KB

MD5
43626ec9ee937436ef07844c1c3f0aa6

SHA1
1b6e6cd458159b322d911add661c91c45d1c563b

SHA256
e2d053f2ee0b5cc4525ed9f582463fedfbfd890d38f8323fc49d1663c2e38826

SHA512
0a698933756dc42af6a6348c9b93e003ce8fccef0d64e26b242df96ba9b71e9b8c33c46bca15b48864d33e6f3aefdcea1ea69a8ff287fb05ff06180ff3251133

Download Submit
C:\Users\Admin\AppData\Local\Temp\scIU.exe

Filesize
118KB

MD5
51285ff04ae4b784859d4c09eda36380

SHA1
d16a89b21b832fd589f3a044bdc6fbf3d5f8ad75

SHA256
758b9fd5dfaa6b6f4d7c659cfa3bfb69e41735dbce0bd221eaf1d1094beed975

SHA512
68b660e4c748166da614d6914a9f4610ccecc5e32c39acb1990420d5760f51c260799278768771a7442d18b028d7428f1cdcb62e4f3443acf0daafba7325719f

Download Submit
C:\Users\Admin\AppData\Local\Temp\skMY.exe

Filesize
116KB

MD5
acac2015318d228d7f69ab2b4be7554b

SHA1
90a9ebcd753a7e12af56cb83b6fddc6210dd5c6c

SHA256
fb7c8a30b359575605c000c727dc1b19a6013689f3a17eff9ac48fb7d02de444

SHA512
b4143ac0c0ab8c84d3e0eeebaf8aec39c107a6cf7624b936e4364c919b10902e0395dfc06d822dd3971048903cdb3c3ca35d9eab81130c92c3d9d2efa24638a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\swAQ.exe

Filesize
111KB

MD5
ac436ad5a2b28c7876c0baa3c1c34437

SHA1
3efab5dc5d11be59f18b619570df545989a47cd3

SHA256
332d2242e70df7e8f0e3728a15a61690ffdd1d89b826fd087a3bf0e0102968a7

SHA512
f8f5de96e49dc44ac6922db3011b3f73d780e8d3dcc6f2baa6f39c7f7c9d40d480bc8c7f9eeab42c59591cc5f17ad27f0bc395d0a3b1451173d65e51bd55a152

Download Submit
C:\Users\Admin\AppData\Local\Temp\swYY.exe

Filesize
138KB

MD5
2c92ef2f53b1d7545359dbe17ca5af65

SHA1
95e94b6c74dc2dd5c64f722e9a7af690833bad78

SHA256
505bd5ec42d81c56c5ed28c9caefd7c6595f0fa69f00eb112a9c44ade92e12e5

SHA512
90c453eae50f2bdb942b3e3c87b8fe19de0c986e9872ecdc89cce0d8e904745a87b6aeb57591182fccb7f88f8759ebd652a61a3c41089ad09b4534635a848b00

Download Submit
C:\Users\Admin\AppData\Local\Temp\ukkO.exe

Filesize
111KB

MD5
2443a99c15c65f2f5a20a0e671e73de9

SHA1
4681672812ee5477dbf952a57a1d86bfc3a17c06

SHA256
ab7ec0682a741449ea6f0c0ba6c22aabed80e991d43f20bc97e54e46c4705ebb

SHA512
70052416b01702e695b55505beef071e875e486e127070c612cf99a8cda603e91feaa04722a50cc9fb5aabf72de54382f2c17e255bac1f137247ab2111d52f8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\uoEA.exe

Filesize
515KB

MD5
b31d9fe4b4bea3521b4633d56e2c6722

SHA1
2a4f01cf718aea526f85981f6a333cf7196fb93a

SHA256
1ee328a21cc593a017b9cdfa1b3e9aa6a99358ad4a516e5e388128b90d909475

SHA512
216144d74f247b775f0f2a875fe3ca1f95f7b8aa81bb05a43f187894257181f8d911dbcad92b1db308d8a1222a82fa4ba8b713b108afd4c59ef7fc0e327a7856

Download Submit
C:\Users\Admin\AppData\Local\Temp\wAYY.exe

Filesize
111KB

MD5
be8daf405052fb94129ed7b3685bab76

SHA1
a774307f260484cb9d00c0db14407a575949899c

SHA256
39cb41a2fe9e2ac2c2b61c0ed8b8cf949240b783f47e6c68c0d5d0e1dd7a18d7

SHA512
66bcd85a775c9c177c2c0ff0d45bef97d2ed63cd4ad2a8482753bc991099da670fc88d2cd9f58aba7f132caf8f19e17cf1ca779d33d79ca3e0141086ab5c2953

Download Submit
C:\Users\Admin\AppData\Local\Temp\wIcU.exe

Filesize
488KB

MD5
11058f89e6c33e620ae9383bca0c5a9c

SHA1
80a3cb4868b2d635049dcafa0a292dd423ab3f0b

SHA256
d557a819d54636600f6ad64358f69121410358037a2915976a7b20971089ab9a

SHA512
ca0918dd227fbd1d2b9c8a0eb0750fbf2ae5c67664574e8ddce86190f08445573cde3392e21f36e9b607a708e497ed31d31c84a49a3ea7e69cc3585b3330297f

Download Submit
C:\Users\Admin\AppData\Local\Temp\wcMK.exe

Filesize
121KB

MD5
8247405296d8ef853faf38b7df031af1

SHA1
4263094b29bc72a9f93b43cea4b934edc8d20135

SHA256
3f208e40922dd4ae29791fb8888d94c82827e6595b5d0a3bc114afea2545d418

SHA512
c340eb7711a048623ffca4ba1b723df538950ef25c9d30b0eae2d403c4c920797ef20b4302b3391866f4336ea986284e4251a49b2ab3a8aad0f0b918e920d6b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\wgEI.exe

Filesize
111KB

MD5
0b03cdcf372259504bbc444f87fb6d5a

SHA1
9bedbd8a199ba7a94d83b1337293c866b52c263a

SHA256
126570fb2ee3fac612fe3a169583360e9b0cf1b673f03bf3626df2ce698e959a

SHA512
28c37f0ef4e1337ce95257d907e45beb03ddb5ddee7ab3db0162a1b56bbe15c5303241da58860873bc05e69f2de2ff650a87d1402cd22ac75b63b16599039a8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\wgEW.exe

Filesize
152KB

MD5
0654318107424a5e68158e852c9baa6a

SHA1
4d10b7795719b0a3408447093e2810e7919f8d5e

SHA256
2deb61ffeef12619d9c0087acf9714a93e72d4a8205a436507a70dbb02f8930e

SHA512
65ba0515b8943ca3bf28683320bb0518043e27c253494f16d07ad11b9d9c6540774d024095305e14fa96eaa4e6a7b01bf8a073b1a2fe972acd120e9a0fdb2f39

Download Submit
C:\Users\Admin\AppData\Local\Temp\yEEm.exe

Filesize
744KB

MD5
9cec120abe8fffdd73039cd1fb15de91

SHA1
da2656c3a8943a1e545d220d2dfeba0a21b3c8f4

SHA256
8c9fe4cf0359b934657bea571c888b011ca75cbc8e55fb3f3d41c50d2dc70713

SHA512
25296ee948136d4ed2e71fdc8686833c4ac7da1cc868edf82776c8eda102efbe6adfd6cd3b884d21c29afb15ebb72812bb45df94312791f98737107fff9aba07

Download Submit
C:\Users\Admin\AppData\Local\Temp\yMAS.exe

Filesize
116KB

MD5
c8951048d754e371a5970bcb99d59236

SHA1
fee6b3107e126c28641f75a6906f31b1eb7510b3

SHA256
0b8728ddbd5a92bff8281b726a3b50cf8c4bf4043bd0d53744c72966fb9bb1e4

SHA512
889621da36b3e79726076e13f743ad5ffd3529ab0faec5423f3f5168d4778ff214794d17861653ff976cf286f58731f76686965cc3edf5a99ca5736163092eb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\yMsI.exe

Filesize
237KB

MD5
b6c9f6c11905f98f189a7e000aeb07fe

SHA1
e138467eeae3095d98b0d59529e39031471dc7ff

SHA256
f0212a05c59ea5638b88a3eea6f8639a16e6548052cd69f0178a8b3d5e051b9c

SHA512
76b3b06f451eae5d310b31e4c91a7e604176b3c9af18e33f211e0c0b2bcb7b5b9221b85a00a565f4cb99d02aba8697c4ca098c89fa8d971e1b9c1a0502f4d87b

Download Submit
C:\Users\Admin\Pictures\ConvertFromApprove.jpg.exe

Filesize
318KB

MD5
9e78f7e26aeb8c3b16b85df0fb2a4b0a

SHA1
5af52b557f10e41042753b14c93cfb82ea33a566

SHA256
ae67e8800352fb635804827ca94eb607115d62cf2853d333ac0b386d80d319e5

SHA512
0fe61fd6a3a89865a8b5a0d30d2bebee327f4fe74552e1a1f5deb4f4b55f56901703cffa5c416523f94aa6c3892af7796092826e01b414bf873ea31167bad8ea

Download Submit
C:\Users\Admin\Pictures\HideConvertTo.gif.exe

Filesize
285KB

MD5
422cd8c67556a119a55aa0e5e0408dc7

SHA1
5c73ab9757f9149f17eb0a4b839e07ea52b2fd4b

SHA256
43f7dd96e9783f7fd0617c992dc33768427e0a970a929689b5ad156aecee793c

SHA512
2a5f4aa1551b37ae978a2fc838fbb966991781a4af430ffcff7748027486b840b02d9f177109a613556d28e06c9aac3b6ce66675cd97fa881dd984c025e452e4

Download Submit
C:\Users\Admin\jwAgQkUU\RSMgsgUA.exe

Filesize
110KB

MD5
5e438787c09c2472fc4a0460ea0ff26a

SHA1
f44868966658f0e16ef066cacae4443a455eeae4

SHA256
9bdcd32d64c968d945c295adca06f648970ca8fd9f6403634c9e73a3db19b1af

SHA512
70174297fb42d54b1fd55ba540eaac16314bfc53291af5325df723e5e3cad2e786d044026fb6e31e24445019fe20356e9973e7e8b6b2ef942417119309f73b78

Download Submit
C:\Windows\SysWOW64\shell32.dll.exe

Filesize
5.8MB

MD5
87d99a500e3618bf117ce71bc5fd8d63

SHA1
ba3463361b7c795ad0a0c65af71bf9a0346c5e88

SHA256
c19754765ce9abe580244df62c6426d29f43dc19fbc9713cae49d02d83f19e06

SHA512
826734efb8973e7ad74d54853d6a3c6548298c3b96b73fd7577079b6a2bdf63e92728df6c78320cd40e156186eca6af167b010ff8c70d4001687f558ebddcbd0

Download Submit
memory/540-11-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/888-346-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/888-339-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1464-20-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1464-32-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1488-195-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1544-217-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1544-225-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1596-294-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1596-286-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1772-224-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1772-236-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1884-248-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1884-233-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1944-183-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1944-175-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1968-222-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2012-348-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2012-355-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2264-256-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2264-268-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2524-156-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2524-171-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2756-223-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2924-0-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2924-19-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2996-109-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2996-124-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3020-101-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3020-113-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3260-259-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3260-247-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3380-363-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3380-218-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3880-15-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/4224-148-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4224-132-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4256-89-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4256-74-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4340-329-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4340-337-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4388-136-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4404-369-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4436-277-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4436-265-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4464-55-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4548-274-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4548-285-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4620-312-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4688-160-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4688-144-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4708-206-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4708-192-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4792-311-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4792-320-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4848-51-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4848-66-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4920-328-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4996-295-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4996-303-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5000-28-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5000-43-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5056-100-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5096-78-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download