758b5ff52d62f1a2410eb2025dd119e4a6828d2f44e02741165820e66374ca0c

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
21/04/2024, 14:39

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
Size

111KB
MD5

cf79f1139e7ea8dc69a0d4201056367e
SHA1

fb5f77751cdaab99fa462db4a8ec802947ff3e64
SHA256

758b5ff52d62f1a2410eb2025dd119e4a6828d2f44e02741165820e66374ca0c
SHA512

1cce2b955e76f564029b0f76745bc850b594d31ba4619b4a4c46670e7d753a212ccc8f13bd3e486bebb431fc601fcdbd145719ce9a2963fb21799a361bd72566
SSDEEP

3072:msiuaIALGwtDb8oNTQOIt+MpR5GdlHoW8AyzFuWszUIvM:NiurAxDbHNsfpbGPoVA3

Score

10^/10

evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (78) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation	iqYYUIQk.exe

Executes dropped EXE 2 IoCs

pid	Process
1796	iqYYUIQk.exe
1412	uWQYUwAg.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\iqYYUIQk.exe = "C:\\Users\\Admin\\pyMwUIAQ\\iqYYUIQk.exe"	2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\uWQYUwAg.exe = "C:\\ProgramData\\YWwQosMk\\uWQYUwAg.exe"	2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\iqYYUIQk.exe = "C:\\Users\\Admin\\pyMwUIAQ\\iqYYUIQk.exe"	iqYYUIQk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\uWQYUwAg.exe = "C:\\ProgramData\\YWwQosMk\\uWQYUwAg.exe"	uWQYUwAg.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\shell32.dll.exe	iqYYUIQk.exe
File opened for modification	C:\Windows\SysWOW64\shell32.dll.exe	iqYYUIQk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
1000	reg.exe
2244	reg.exe
2036	reg.exe
2108	reg.exe
1420	reg.exe
740	reg.exe
1172	reg.exe
1356	reg.exe
1972	reg.exe
4048	reg.exe
4692	reg.exe
1912	reg.exe
3144	reg.exe
3204	reg.exe
1604	reg.exe
3148	reg.exe
2024	reg.exe
5080	reg.exe
4588	reg.exe
1040	reg.exe
4532	reg.exe
840	reg.exe
4548	reg.exe
3108	reg.exe
4928	reg.exe
3736	reg.exe
5060	reg.exe
4756	reg.exe
4680	reg.exe
5040	reg.exe
3712	reg.exe
1720	reg.exe
2764	reg.exe
4004	reg.exe
3144	reg.exe
2720	reg.exe
880	reg.exe
2788	reg.exe
1040	reg.exe
2784	reg.exe
5044	reg.exe
1104	reg.exe
4680	reg.exe
3504	reg.exe
3452	reg.exe
2936	reg.exe
4336	reg.exe
3168	reg.exe
1492	reg.exe
3984	reg.exe
1180	reg.exe
2952	reg.exe
2400	reg.exe
2720	reg.exe
4972	reg.exe
4592	reg.exe
2484	reg.exe
2736	reg.exe
2172	reg.exe
1444	reg.exe
1880	reg.exe
1604	reg.exe
4176	reg.exe
1364	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3908	2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
3908	2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
3908	2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
3908	2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
2264	2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
2264	2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
2264	2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
2264	2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
3532	2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
3532	2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
3532	2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
3532	2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
4820	2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
4820	2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
4820	2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
4820	2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
1908	2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
1908	2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
1908	2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
1908	2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
3776	2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
3776	2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
3776	2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
3776	2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
5080	2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
5080	2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
5080	2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
5080	2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
3244	2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
3244	2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
3244	2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
3244	2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
740	2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
740	2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
740	2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
740	2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
2520	2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
2520	2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
2520	2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
2520	2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
4548	2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
4548	2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
4548	2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
4548	2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
4176	2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
4176	2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
4176	2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
4176	2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
2964	2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
2964	2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
2964	2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
2964	2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
4568	2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
4568	2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
4568	2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
4568	2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
4584	2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
4584	2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
4584	2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
4584	2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
2948	2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
2948	2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
2948	2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
2948	2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1796	iqYYUIQk.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1796	iqYYUIQk.exe
1796	iqYYUIQk.exe
1796	iqYYUIQk.exe
1796	iqYYUIQk.exe
1796	iqYYUIQk.exe
1796	iqYYUIQk.exe
1796	iqYYUIQk.exe
1796	iqYYUIQk.exe
1796	iqYYUIQk.exe
1796	iqYYUIQk.exe
1796	iqYYUIQk.exe
1796	iqYYUIQk.exe
1796	iqYYUIQk.exe
1796	iqYYUIQk.exe
1796	iqYYUIQk.exe
1796	iqYYUIQk.exe
1796	iqYYUIQk.exe
1796	iqYYUIQk.exe
1796	iqYYUIQk.exe
1796	iqYYUIQk.exe
1796	iqYYUIQk.exe
1796	iqYYUIQk.exe
1796	iqYYUIQk.exe
1796	iqYYUIQk.exe
1796	iqYYUIQk.exe
1796	iqYYUIQk.exe
1796	iqYYUIQk.exe
1796	iqYYUIQk.exe
1796	iqYYUIQk.exe
1796	iqYYUIQk.exe
1796	iqYYUIQk.exe
1796	iqYYUIQk.exe
1796	iqYYUIQk.exe
1796	iqYYUIQk.exe
1796	iqYYUIQk.exe
1796	iqYYUIQk.exe
1796	iqYYUIQk.exe
1796	iqYYUIQk.exe
1796	iqYYUIQk.exe
1796	iqYYUIQk.exe
1796	iqYYUIQk.exe
1796	iqYYUIQk.exe
1796	iqYYUIQk.exe
1796	iqYYUIQk.exe
1796	iqYYUIQk.exe
1796	iqYYUIQk.exe
1796	iqYYUIQk.exe
1796	iqYYUIQk.exe
1796	iqYYUIQk.exe
1796	iqYYUIQk.exe
1796	iqYYUIQk.exe
1796	iqYYUIQk.exe
1796	iqYYUIQk.exe
1796	iqYYUIQk.exe
1796	iqYYUIQk.exe
1796	iqYYUIQk.exe
1796	iqYYUIQk.exe
1796	iqYYUIQk.exe
1796	iqYYUIQk.exe
1796	iqYYUIQk.exe
1796	iqYYUIQk.exe
1796	iqYYUIQk.exe
1796	iqYYUIQk.exe
1796	iqYYUIQk.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3908 wrote to memory of 1796	3908	2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe	86
PID 3908 wrote to memory of 1796	3908	2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe	86
PID 3908 wrote to memory of 1796	3908	2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe	86
PID 3908 wrote to memory of 1412	3908	2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe	87
PID 3908 wrote to memory of 1412	3908	2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe	87
PID 3908 wrote to memory of 1412	3908	2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe	87
PID 3908 wrote to memory of 4112	3908	2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe	88
PID 3908 wrote to memory of 4112	3908	2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe	88
PID 3908 wrote to memory of 4112	3908	2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe	88
PID 4112 wrote to memory of 2264	4112	cmd.exe	90
PID 4112 wrote to memory of 2264	4112	cmd.exe	90
PID 4112 wrote to memory of 2264	4112	cmd.exe	90
PID 3908 wrote to memory of 1196	3908	2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe	91
PID 3908 wrote to memory of 1196	3908	2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe	91
PID 3908 wrote to memory of 1196	3908	2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe	91
PID 3908 wrote to memory of 2924	3908	2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe	92
PID 3908 wrote to memory of 2924	3908	2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe	92
PID 3908 wrote to memory of 2924	3908	2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe	92
PID 3908 wrote to memory of 540	3908	2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe	93
PID 3908 wrote to memory of 540	3908	2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe	93
PID 3908 wrote to memory of 540	3908	2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe	93
PID 3908 wrote to memory of 1008	3908	2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe	94
PID 3908 wrote to memory of 1008	3908	2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe	94
PID 3908 wrote to memory of 1008	3908	2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe	94
PID 1008 wrote to memory of 4344	1008	cmd.exe	99
PID 1008 wrote to memory of 4344	1008	cmd.exe	99
PID 1008 wrote to memory of 4344	1008	cmd.exe	99
PID 2264 wrote to memory of 3484	2264	2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe	101
PID 2264 wrote to memory of 3484	2264	2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe	101
PID 2264 wrote to memory of 3484	2264	2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe	101
PID 3484 wrote to memory of 3532	3484	cmd.exe	103
PID 3484 wrote to memory of 3532	3484	cmd.exe	103
PID 3484 wrote to memory of 3532	3484	cmd.exe	103
PID 2264 wrote to memory of 2244	2264	2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe	104
PID 2264 wrote to memory of 2244	2264	2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe	104
PID 2264 wrote to memory of 2244	2264	2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe	104
PID 2264 wrote to memory of 5060	2264	2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe	105
PID 2264 wrote to memory of 5060	2264	2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe	105
PID 2264 wrote to memory of 5060	2264	2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe	105
PID 2264 wrote to memory of 1304	2264	2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe	106
PID 2264 wrote to memory of 1304	2264	2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe	106
PID 2264 wrote to memory of 1304	2264	2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe	106
PID 2264 wrote to memory of 1588	2264	2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe	107
PID 2264 wrote to memory of 1588	2264	2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe	107
PID 2264 wrote to memory of 1588	2264	2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe	107
PID 1588 wrote to memory of 4692	1588	cmd.exe	112
PID 1588 wrote to memory of 4692	1588	cmd.exe	112
PID 1588 wrote to memory of 4692	1588	cmd.exe	112
PID 3532 wrote to memory of 1948	3532	2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe	113
PID 3532 wrote to memory of 1948	3532	2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe	113
PID 3532 wrote to memory of 1948	3532	2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe	113
PID 1948 wrote to memory of 4820	1948	cmd.exe	115
PID 1948 wrote to memory of 4820	1948	cmd.exe	115
PID 1948 wrote to memory of 4820	1948	cmd.exe	115
PID 3532 wrote to memory of 3984	3532	2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe	116
PID 3532 wrote to memory of 3984	3532	2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe	116
PID 3532 wrote to memory of 3984	3532	2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe	116
PID 3532 wrote to memory of 2604	3532	2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe	117
PID 3532 wrote to memory of 2604	3532	2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe	117
PID 3532 wrote to memory of 2604	3532	2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe	117
PID 3532 wrote to memory of 4352	3532	2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe	118
PID 3532 wrote to memory of 4352	3532	2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe	118
PID 3532 wrote to memory of 4352	3532	2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe	118
PID 3532 wrote to memory of 3136	3532	2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe	119

C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3908
- C:\Users\Admin\pyMwUIAQ\iqYYUIQk.exe
  "C:\Users\Admin\pyMwUIAQ\iqYYUIQk.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:1796
- C:\ProgramData\YWwQosMk\uWQYUwAg.exe
  "C:\ProgramData\YWwQosMk\uWQYUwAg.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1412
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4112
- - C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
    C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2264
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3484
    - - C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3532
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1948
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock"
        8⤵
        
        PID:3116
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock"
        10⤵
        
        PID:2988
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock"
        12⤵
        
        PID:4852
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock"
        14⤵
        
        PID:1400
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock"
        16⤵
        
        PID:4684
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock"
        18⤵
        
        PID:976
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock"
        20⤵
        
        PID:3088
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock"
        22⤵
        
        PID:4652
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock"
        24⤵
        
        PID:5116
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock"
        26⤵
        
        PID:1472
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock"
        28⤵
        
        PID:4744
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock"
        30⤵
        
        PID:5044
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock"
        32⤵
        
        PID:2264
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock
        33⤵
        
        PID:3676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock"
        34⤵
        
        PID:404
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock
        35⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock"
        36⤵
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock
        37⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock"
        38⤵
        
        PID:1616
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock
        39⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock"
        40⤵
        
        PID:1780
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock
        41⤵
        
        PID:4252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock"
        42⤵
        
        PID:2964
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock
        43⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock"
        44⤵
        
        PID:3640
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock
        45⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock"
        46⤵
        
        PID:3312
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock
        47⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock"
        48⤵
        
        PID:4176
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock
        49⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock"
        50⤵
        
        PID:2920
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock
        51⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock"
        52⤵
        
        PID:2588
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock
        53⤵
        
        PID:3300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock"
        54⤵
        
        PID:1048
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock
        55⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock"
        56⤵
        
        PID:1000
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock
        57⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock"
        58⤵
        
        PID:2036
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock
        59⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock"
        60⤵
        
        PID:4888
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock
        61⤵
        
        PID:3656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock"
        62⤵
        
        PID:3532
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock
        63⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock"
        64⤵
        
        PID:1708
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock
        65⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock"
        66⤵
        
        PID:4912
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock
        67⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock"
        68⤵
        
        PID:5012
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock
        69⤵
        
        PID:404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock"
        70⤵
        
        PID:3736
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock
        71⤵
        
        PID:840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock"
        72⤵
        
        PID:3428
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock
        73⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock"
        74⤵
        
        PID:4468
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock
        75⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock"
        76⤵
        
        PID:932
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock
        77⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock"
        78⤵
        
        PID:2568
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock
        79⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock"
        80⤵
        
        PID:3212
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock
        81⤵
        
        PID:840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock"
        82⤵
        
        PID:1824
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock
        83⤵
        
        PID:4020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock"
        84⤵
        
        PID:3344
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock
        85⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock"
        86⤵
        
        PID:2948
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock
        87⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock"
        88⤵
        
        PID:4616
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock
        89⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock"
        90⤵
        
        PID:2524
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock
        91⤵
        
        PID:3672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock"
        92⤵
        
        PID:3572
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock
        93⤵
        
        PID:4020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock"
        94⤵
        
        PID:4352
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock
        95⤵
        
        PID:4676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock"
        96⤵
        
        PID:4896
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock
        97⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock"
        98⤵
        
        PID:2264
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock
        99⤵
        
        PID:3908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock"
        100⤵
        
        PID:2340
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock
        101⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock"
        102⤵
        
        PID:2964
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock
        103⤵
        
        PID:692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock"
        104⤵
        
        PID:4336
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock
        105⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock"
        106⤵
        
        PID:5080
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock
        107⤵
        
        PID:3484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock"
        108⤵
        
        PID:3156
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock
        109⤵
        
        PID:4756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock"
        110⤵
        
        PID:4780
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock
        111⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock"
        112⤵
        
        PID:3112
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock
        113⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock"
        114⤵
        
        PID:2532
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock
        115⤵
        
        PID:3776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock"
        116⤵
        
        PID:3116
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock
        117⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock"
        118⤵
        
        PID:4592
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock
        119⤵
        
        PID:64
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock"
        120⤵
        
        PID:4468
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        121⤵
        
        PID:3144
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock
        121⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock"
        122⤵
        
        PID:408
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock
        123⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock"
        124⤵
        
        PID:1364
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock
        125⤵
        
        PID:840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock"
        126⤵
        
        PID:3332
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock
        127⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock"
        128⤵
        
        PID:4684
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock
        129⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock"
        130⤵
        
        PID:3904
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock
        131⤵
        
        PID:692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock"
        132⤵
        
        PID:564
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock
        133⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock"
        134⤵
        
        PID:3548
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock
        135⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock"
        136⤵
        
        PID:4636
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock
        137⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock"
        138⤵
        
        PID:2268
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock
        139⤵
        
        PID:4252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock"
        140⤵
        
        PID:3544
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock
        141⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock"
        142⤵
        
        PID:2672
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock
        143⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock"
        144⤵
        
        PID:2468
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock
        145⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock"
        146⤵
        
        PID:3300
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock
        147⤵
        
        PID:3312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock"
        148⤵
        
        PID:4636
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock
        149⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock"
        150⤵
        
        PID:3244
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock
        151⤵
        
        PID:976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock"
        152⤵
        
        PID:1172
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        153⤵
        
        PID:4040
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock
        153⤵
        
        PID:4860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock"
        154⤵
        
        PID:3136
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        155⤵
        
        PID:2676
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock
        155⤵
        
        PID:4112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock"
        156⤵
        
        PID:2040
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        157⤵
        
        PID:2988
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock
        157⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock"
        158⤵
        
        PID:2268
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock
        159⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock"
        160⤵
        
        PID:1356
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock
        161⤵
        
        PID:404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock"
        162⤵
        
        PID:3012
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock
        163⤵
        
        PID:1048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock"
        164⤵
        
        PID:3776
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        165⤵
        
        PID:3572
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock
        165⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock"
        166⤵
        
        PID:4968
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock
        167⤵
        
        PID:1296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock"
        168⤵
        
        PID:1592
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock
        169⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock"
        170⤵
        
        PID:1048
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        171⤵
        
        PID:2296
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock
        171⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock"
        172⤵
        
        PID:1920
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock
        173⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock"
        174⤵
        
        PID:840
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock
        175⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock"
        176⤵
        
        PID:3312
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock
        177⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock"
        178⤵
        
        PID:3160
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock
        179⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock"
        180⤵
        
        PID:3344
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock
        181⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock"
        182⤵
        
        PID:4616
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock
        183⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock"
        184⤵
        
        PID:1596
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        185⤵
        
        PID:1592
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock
        185⤵
        
        PID:4748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock"
        186⤵
        
        PID:4112
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        187⤵
        
        PID:4852
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock
        187⤵
        
        PID:976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock"
        188⤵
        
        PID:1840
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock
        189⤵
        
        PID:3824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock"
        190⤵
        
        PID:2260
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock
        191⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock"
        192⤵
        
        PID:5084
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock
        193⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock"
        194⤵
        
        PID:2468
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        195⤵
        
        PID:1972
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock
        195⤵
        
        PID:4876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock"
        196⤵
        
        PID:4684
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock
        197⤵
        
        PID:468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock"
        198⤵
        
        PID:3300
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        199⤵
        
        PID:1048
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock
        199⤵
        
        PID:3916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock"
        200⤵
        
        PID:2720
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        201⤵
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock
        201⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock"
        202⤵
        
        PID:1104
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        203⤵
        
        PID:5052
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock
        203⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock"
        204⤵
        
        PID:64
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock
        205⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock"
        206⤵
        
        PID:3820
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        207⤵
        
        PID:3656
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock
        207⤵
        
        PID:516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        208⤵
        
        PID:3112
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        209⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        208⤵
        Modifies registry key
        
        PID:840
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        209⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        208⤵
        UAC bypass
        
        PID:4908
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        209⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        206⤵
        
        PID:1200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        206⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        206⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YqoogAEE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe""
        206⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        207⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        204⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        204⤵
        
        PID:1304
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        205⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        204⤵
        UAC bypass
        
        PID:2132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mGQgAsAI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe""
        204⤵
        
        PID:2916
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        205⤵
        
        PID:372
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        205⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        202⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1716
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        203⤵
        
        PID:744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        202⤵
        Modifies registry key
        
        PID:3712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        202⤵
        UAC bypass
        Modifies registry key
        
        PID:5080
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        203⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QGUcAcYc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe""
        202⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        203⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        200⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        200⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        200⤵
        UAC bypass
        
        PID:868
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        201⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rKEYwgEw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe""
        200⤵
        
        PID:1448
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        201⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        201⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        198⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        198⤵
        Modifies registry key
        
        PID:4048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        198⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rgggIQUA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe""
        198⤵
        
        PID:3952
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        199⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        199⤵
        
        PID:3496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        196⤵
        
        PID:3492
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        197⤵
        
        PID:3824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        196⤵
        Modifies registry key
        
        PID:1364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        196⤵
        Modifies registry key
        
        PID:4928
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        197⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\twsUoMwc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe""
        196⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        197⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        194⤵
        
        PID:4252
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        195⤵
        
        PID:4112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        194⤵
        
        PID:976
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        195⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        194⤵
        UAC bypass
        
        PID:3144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fsAMkIgo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe""
        194⤵
        
        PID:4860
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        195⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        195⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        192⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        192⤵
        
        PID:1184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        192⤵
        UAC bypass
        
        PID:372
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        193⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eeIUMUwA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe""
        192⤵
        
        PID:1944
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        193⤵
        
        PID:4748
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        193⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        190⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        190⤵
        
        PID:4744
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        191⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        190⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CsoMIkkI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe""
        190⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        191⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        188⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3992
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        189⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        188⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        188⤵
        Modifies registry key
        
        PID:1492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cqQoUYIY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe""
        188⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        189⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        186⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        186⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        186⤵
        UAC bypass
        
        PID:3656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cSIcQkYA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe""
        186⤵
        
        PID:932
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        187⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        184⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        184⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        184⤵
        UAC bypass
        Modifies registry key
        
        PID:2024
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        185⤵
        
        PID:3140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ficMcAMw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe""
        184⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        185⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        182⤵
        Modifies registry key
        
        PID:3144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        182⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        182⤵
        UAC bypass
        
        PID:4908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pmQMMAgk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe""
        182⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        183⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        180⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        180⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        180⤵
        UAC bypass
        
        PID:3760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DWYkUAkk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe""
        180⤵
        
        PID:708
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        181⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        178⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3332
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        179⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        178⤵
        
        PID:3164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        178⤵
        UAC bypass
        
        PID:1416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nGoIcUsw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe""
        178⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        179⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        176⤵
        Modifies registry key
        
        PID:1104
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        177⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        176⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        176⤵
        UAC bypass
        Modifies registry key
        
        PID:1912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oCwcMEcc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe""
        176⤵
        
        PID:3248
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        177⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        174⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        174⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        174⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ioMAsgkk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe""
        174⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        175⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        172⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        172⤵
        
        PID:3548
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        173⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        172⤵
        UAC bypass
        
        PID:2848
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        173⤵
        
        PID:564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cogcgcQA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe""
        172⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        173⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        170⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3640
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        171⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        170⤵
        
        PID:3160
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        171⤵
        
        PID:880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        170⤵
        UAC bypass
        Modifies registry key
        
        PID:4692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cwAQccIE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe""
        170⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        171⤵
        
        PID:1460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        168⤵
        Modifies visibility of file extensions in Explorer
        
        PID:744
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        169⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        168⤵
        Modifies registry key
        
        PID:1972
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        169⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        168⤵
        UAC bypass
        Modifies registry key
        
        PID:5040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TWcMYUIY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe""
        168⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        169⤵
        
        PID:3140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        166⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        166⤵
        
        PID:3452
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        167⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        166⤵
        UAC bypass
        
        PID:3112
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        167⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BmYMwUkM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe""
        166⤵
        
        PID:3136
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        167⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        167⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        164⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        164⤵
        Modifies registry key
        
        PID:880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        164⤵
        UAC bypass
        
        PID:4424
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        165⤵
        
        PID:4252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\puQcwQcs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe""
        164⤵
        
        PID:1588
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        165⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        165⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        162⤵
        Modifies visibility of file extensions in Explorer
        
        PID:840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        162⤵
        Modifies registry key
        
        PID:4756
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        163⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        162⤵
        UAC bypass
        
        PID:1364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IEIokIow.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe""
        162⤵
        
        PID:5084
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        163⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        163⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        160⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        160⤵
        
        PID:4676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        160⤵
        UAC bypass
        
        PID:1248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iQoksYkg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe""
        160⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        161⤵
        
        PID:1000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        158⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        158⤵
        
        PID:3572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        158⤵
        UAC bypass
        
        PID:880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mocsoksk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe""
        158⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        159⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        156⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        156⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        156⤵
        UAC bypass
        
        PID:2604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AgkEIUYA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe""
        156⤵
        
        PID:4252
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        157⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        154⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        154⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        154⤵
        UAC bypass
        
        PID:4576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vIkwokgw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe""
        154⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        155⤵
        
        PID:3760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        152⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        152⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        152⤵
        
        PID:64
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\baUsMgsw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe""
        152⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        153⤵
        
        PID:3696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        150⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        150⤵
        Modifies registry key
        
        PID:4680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        150⤵
        UAC bypass
        
        PID:1200
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        151⤵
        
        PID:3904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VykAcwss.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe""
        150⤵
        
        PID:4064
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        151⤵
        
        PID:1148
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        151⤵
        
        PID:3156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        148⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        148⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        148⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OSYEQocY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe""
        148⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        149⤵
        
        PID:1400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        146⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        146⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        146⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ewEAEkwo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe""
        146⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        147⤵
        
        PID:708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        144⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:5044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        144⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        144⤵
        UAC bypass
        
        PID:1880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\esEwccIQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe""
        144⤵
        
        PID:2524
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        145⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        145⤵
        
        PID:3904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        142⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        142⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        142⤵
        
        PID:1408
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        143⤵
        
        PID:932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rukccccA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe""
        142⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        143⤵
        
        PID:656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        140⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        140⤵
        
        PID:3904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        140⤵
        UAC bypass
        
        PID:1924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DUUcIYwI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe""
        140⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        141⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        138⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        138⤵
        Modifies registry key
        
        PID:2720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        138⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tqMoAMUc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe""
        138⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        139⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        136⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1148
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        137⤵
        
        PID:692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        136⤵
        Modifies registry key
        
        PID:3168
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        136⤵
        UAC bypass
        
        PID:5040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lCkMccQI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe""
        136⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        137⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        134⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2124
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        135⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        134⤵
        
        PID:932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        134⤵
        UAC bypass
        
        PID:3944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GEkAIAEc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe""
        134⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        135⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        132⤵
        Modifies registry key
        
        PID:3108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        132⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        132⤵
        UAC bypass
        
        PID:1848
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        133⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uSUEcYkQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe""
        132⤵
        
        PID:3992
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        133⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        133⤵
        
        PID:740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        Modifies registry key
        
        PID:3148
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        131⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        Modifies registry key
        
        PID:5060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\msEIoIss.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe""
        130⤵
        
        PID:3168
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        131⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        Modifies registry key
        
        PID:2108
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        129⤵
        
        PID:3776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        UAC bypass
        
        PID:4692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yGoIkAoM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe""
        128⤵
        
        PID:4876
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        129⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        Modifies registry key
        
        PID:1880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        UAC bypass
        Modifies registry key
        
        PID:2036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PUUsQUgk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe""
        126⤵
        
        PID:4860
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        
        PID:868
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        125⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        UAC bypass
        
        PID:2676
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        125⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BuUgsowA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe""
        124⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        Modifies registry key
        
        PID:2244
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        123⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PMsoUwAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe""
        122⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        UAC bypass
        
        PID:5116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rasQMcog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe""
        120⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:3656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        UAC bypass
        
        PID:2400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\geoYAIgw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe""
        118⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        UAC bypass
        
        PID:1164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iiQwgokA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe""
        116⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        Modifies registry key
        
        PID:2764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        Modifies registry key
        
        PID:4336
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        115⤵
        
        PID:3156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        UAC bypass
        
        PID:4468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YgkUIEsI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe""
        114⤵
        
        PID:932
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        115⤵
        
        PID:3672
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        UAC bypass
        
        PID:5060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RYgwEwsg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe""
        112⤵
        
        PID:404
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:3284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        
        PID:3672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        Modifies registry key
        
        PID:1444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nAMsIAoM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe""
        110⤵
        
        PID:3144
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        
        PID:3332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DQEIEEYc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe""
        108⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        UAC bypass
        
        PID:1712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NcsEYUQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe""
        106⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        Modifies visibility of file extensions in Explorer
        
        PID:408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        Modifies registry key
        
        PID:2784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sSoIQoQM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe""
        104⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        
        PID:3496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YGUsoAIU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe""
        102⤵
        
        PID:468
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        Modifies registry key
        
        PID:4972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        UAC bypass
        
        PID:1104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SkUQUsAY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe""
        100⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:3792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        Modifies registry key
        
        PID:1000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XssYccMo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe""
        98⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:3484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        Modifies registry key
        
        PID:1604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FuEgsAAo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe""
        96⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        Modifies registry key
        
        PID:1040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        UAC bypass
        
        PID:4924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lCUIkAIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe""
        94⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        UAC bypass
        
        PID:3164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoMMAMws.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe""
        92⤵
        
        PID:8
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gKUkwcQo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe""
        90⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        Modifies registry key
        
        PID:2720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        UAC bypass
        
        PID:2568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\imsMksMM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe""
        88⤵
        
        PID:408
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        UAC bypass
        
        PID:3148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IGYwgcIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe""
        86⤵
        
        PID:3544
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        
        PID:1048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        UAC bypass
        
        PID:2952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iaUIsMQo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe""
        84⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        
        PID:4136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NewcMgcY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe""
        82⤵
        
        PID:1296
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        Modifies registry key
        
        PID:3736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZUYsEQAI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe""
        80⤵
        
        PID:3532
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        Modifies registry key
        
        PID:1040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\teAcAQkQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe""
        78⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        
        PID:540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        UAC bypass
        
        PID:3332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gIYggEkw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe""
        76⤵
        
        PID:4860
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        UAC bypass
        
        PID:1708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CoUcQUsg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe""
        74⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:1196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:4748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        UAC bypass
        
        PID:640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cYoQgcoU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe""
        72⤵
        
        PID:3800
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:3684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        
        PID:3284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        Modifies registry key
        
        PID:3452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gsgcsMMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe""
        70⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NoYYIcEE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe""
        68⤵
        
        PID:468
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        
        PID:1000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        
        PID:732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nKEggkQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe""
        66⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        Modifies registry key
        
        PID:1604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        
        PID:1400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rOQQAkko.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe""
        64⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:3244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        Modifies registry key
        
        PID:4588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        UAC bypass
        Modifies registry key
        
        PID:3504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sSscgEog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe""
        62⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:4208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        
        PID:3352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        UAC bypass
        
        PID:2296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gyQcgscI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe""
        60⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        UAC bypass
        Modifies registry key
        
        PID:3204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aqAIQQco.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe""
        58⤵
        
        PID:3916
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OwkIAsEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe""
        56⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:4452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        UAC bypass
        
        PID:2312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\roswIAgA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe""
        54⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:3484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        UAC bypass
        Modifies registry key
        
        PID:1720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JmEkEMwc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe""
        52⤵
        
        PID:3532
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        Modifies visibility of file extensions in Explorer
        
        PID:932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        UAC bypass
        
        PID:868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DiskYQgk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe""
        50⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GIkEsYMU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe""
        48⤵
        
        PID:4788
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        
        PID:3792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        UAC bypass
        
        PID:1296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GsIwkcEg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe""
        46⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        
        PID:4756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\auooIUck.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe""
        44⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:3148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        UAC bypass
        Modifies registry key
        
        PID:2400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JOoUoEcw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe""
        42⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:1184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        
        PID:3156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VmUQsAQk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe""
        40⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:4612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BIQIkMkE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe""
        38⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:3916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        Modifies visibility of file extensions in Explorer
        
        PID:640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        UAC bypass
        
        PID:2072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LgMgQgYw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe""
        36⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YIkosIww.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe""
        34⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        UAC bypass
        
        PID:2036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GgQAUYkI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe""
        32⤵
        
        PID:4788
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        Modifies registry key
        
        PID:2172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        UAC bypass
        
        PID:1568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YcAkYwUE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe""
        30⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:4732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies registry key
        
        PID:4680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        UAC bypass
        
        PID:2468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nqMUAQII.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe""
        28⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        Modifies registry key
        
        PID:2952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        UAC bypass
        
        PID:1500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\teUIYMoA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe""
        26⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        
        PID:4452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DswccQsY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe""
        24⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        
        PID:3800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:4612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        UAC bypass
        
        PID:3944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZaksgcwA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe""
        22⤵
        
        PID:3192
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YucEEIQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe""
        20⤵
        
        PID:3212
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:3312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        
        PID:4160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ogQoQEAo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe""
        18⤵
        
        PID:3904
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CecEYQwg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe""
        16⤵
        
        PID:692
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        Modifies registry key
        
        PID:2484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GisYQUkk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe""
        14⤵
        
        PID:3484
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RsUwckog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe""
        12⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:3908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        Modifies registry key
        
        PID:1180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\biEQIwck.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe""
        10⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:3292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        
        PID:1044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zaoIUsws.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe""
        8⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:1764
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3984
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:2604
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        
        PID:4352
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jiksQwAw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe""
        6⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:4676
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:2244
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:5060
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      PID:1304
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RKsUIgQA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1588
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:4692
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:1196
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2924
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:540
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EWooIwsg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1008
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:4344

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe ee834f570060a87eebb38b34ca8fd34c 5ZAvz3sRTEqEDKTC9YFVYg.0.1.0.0.0
1⤵
PID:4592

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:3248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe

Filesize
745KB

MD5
0ec8cfa21faae87778429e043aa61c3c

SHA1
575e527cbeae06a0af8ba169ee50f0b30d237f15

SHA256
48dfee9344996a96edaf91a8fc54d53b73794aef87dd7aefc75195c2c9091e38

SHA512
c0491efacecca5b432dc73d4e0c8d4a3418f486faaddee1384d6a961c8287a3beb46aa06d21afbabf0ee1a747cf4fd9d5db02d58c93f9a1ae4651e73e9d3d0c8

Download Submit
C:\ProgramData\YWwQosMk\uWQYUwAg.exe

Filesize
109KB

MD5
51b661384489284225f7a6985e89c701

SHA1
d267dd55761fc9f8e7bebea9620eb905b27a5bed

SHA256
f25f66beb28ae127aba4c5ff35c0707680235d7a94ae020d4bc3f17bd8c19779

SHA512
39605818101e46a388717057b032d0e437c4bd49a64b431673f2835cffebe4636dafeb63f1a1c1c7f1acb36a1167d904abab75891d0b064465bf14bd64c8aaab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppErrorBlue.png.exe

Filesize
117KB

MD5
9f1c20a3e6b6d9e0edb355b8f9a76752

SHA1
8234c99e18efbccf3949c3e904b8fb7e0c12384b

SHA256
32ec8ad47de66227f26e2173a92c507a88e75b0b73912389e6b8c9b44d82f575

SHA512
83e78da25d9d046ecdc2b6ea29b2dfb41686740b59db3561ab5bf6497ad4493c0007e1e8c77c13e8675c04128de937cf107b967d360e75bf04f9e4db478bae4b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaError.png.exe

Filesize
119KB

MD5
ad2eca95640c1ba9c1cc11d769fdfafb

SHA1
a3d27f8cc335c95db1aad442060ef5315e5d67f1

SHA256
d9688f85358409e42ccadaa5caeea4781cc364ed9d44f53a364773d9b14529a4

SHA512
74b8829bc2d74027e111ab04abea1f0512d7c3a239a38b110559d12871ebc10017b1b9abf66b470a0066c53e51912ee7b7d2316b6126ddd066c868fc7198c014

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-150.png.exe

Filesize
110KB

MD5
e57507ad0ca9d980689d3c3fd9b9abd4

SHA1
e23c22d92dc9841cb9814eb64e2ec428bfbc92ea

SHA256
4285436615a7d94b0ef058397afcbcea059c469d8fc86dac8ec24afbdc163d37

SHA512
48fbb20e9fc4be8540aba8cae2aa7494d50c9b731cc75ec45ae1a48b4597a761e0a3a916d2fb3c5de938b6dfddb50087a6144f7386823c8b7826bf1b509e96bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-04-21_cf79f1139e7ea8dc69a0d4201056367e_virlock

Filesize
85B

MD5
5a07aca97e595cda407bdb8a2eb380f5

SHA1
db0b01d62178cb54bd97e8b76e0be4ceb8c6f9c1

SHA256
a932fd307c4bdc223ae39165f413b2a530b2dbf6323e8a272865da6627535ea3

SHA512
8850076cb720a82b3dc4d4e376cf4d90a02bca67e60eeb3b588d8925f9ec95843df432964f523abf912c7bdff25f27574466505caef28d2375c7cf63cd3f1d07

Download Submit
C:\Users\Admin\AppData\Local\Temp\Acki.exe

Filesize
112KB

MD5
e0225eda43ac96f3f8aec4b5b06bf4fd

SHA1
36cf4f6d37c857a7f0292ee19ec636cdb9a34927

SHA256
66d6af80d17c4054017f4120123ce1ffb8f4ca5e92794b1f1754d96664ebfe89

SHA512
aeac089ad3ad40cb00a13f7d67290cccf07d9be7be19fdb0aa7c4a46ed75b71ac426a9559407e686528d85b46a72056c6047a8daff82a21afe3d2fe95d1d0c7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AkoS.exe

Filesize
120KB

MD5
15dcc430225b1883f4cf2d8d48c6a784

SHA1
823d4ac27b3fb5b6667d9170530a8004662b67d3

SHA256
08ec4e46882bd6a8342828fc64a928700b960e2f0959c7975823af78c4fca4ad

SHA512
f9a124c05498c8e7ea0a6d2a09e9bdd5d11b91d31ad929b17753017ce6881207724428bb25975386a9dd7414478b0e6d5975e6fb8ba7161a4a33480c65048fea

Download Submit
C:\Users\Admin\AppData\Local\Temp\AsAg.exe

Filesize
117KB

MD5
9ec4d0d0e3653d5eefdf2968be288d89

SHA1
b20d061564b440ce10a7f5436d1f1510b5b161bb

SHA256
e41b34666811fe5609af06a728b82c6987251604af687e1b0a7fb400ae7302eb

SHA512
d2411eaa38de7e64da308006051185c85fa801bfeba5ce93a88660e7b23f8fe33cdfd1873e836ee40a631c9652abb623e0ea2b12fc8b89ad55898e9e0cee00db

Download Submit
C:\Users\Admin\AppData\Local\Temp\CUgO.exe

Filesize
112KB

MD5
61bced912353cfe6d6e586387082315e

SHA1
342b89acb864f31cff8d20c8b4cff15fd4597443

SHA256
5c9d030fe477f5fb420b252106ce9f62c861fe55fb2de6aa98451a1841a38ac4

SHA512
78cc5757776ca03bd748ff31f968dd9923febc6371e06ec9091bbf3e50faf93cba2a25e268c7815e44071250d35f6439b910de49e366c70fe6c5248b0c2cec9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\CgUq.exe

Filesize
138KB

MD5
38f37540a94300b0ad3166a85b37eeae

SHA1
66c99a84ba14bcee79f0e76e932b6dd73cfe34ff

SHA256
d1b97f631d1a1a89bab32294fd34fe8d975a656cc536f29375dd54ec05eba65d

SHA512
f80c26096e9b45a53280307e82e3bce64fffb38a652a23ea7d106b4c246a2bf7fc1bb45e8b305ebdf4c91d41fffbffa8e9c50967197fa44054969d08a84102f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\EWooIwsg.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\EgUY.exe

Filesize
917KB

MD5
b49c6ec240dac5266ce24aa7191c4154

SHA1
83265f97928e3dfd6c90997f467f480f1511c891

SHA256
a1c2ef351fb6735b4794523e1e3eed0fbc3d347b0e29e1fd3bde643d37a40d60

SHA512
e2b2117c90e2b7a06a07d7b074103246d280abad5b0a967c8bb9c2c97c0ca5d4617fe1dd612408289b156f536a3067926f58c293a0b3d0f91110cb19d78faa76

Download Submit
C:\Users\Admin\AppData\Local\Temp\EoAg.exe

Filesize
118KB

MD5
f8a40b9425f50fa33a0eb5ab14f3d844

SHA1
551455422b89cd3648ec545200c57f0e4ca10ae1

SHA256
6bd332d1af412f228482eeba11836c3e892ec4db7e2749e93800a55c8657c263

SHA512
cbceb502fd71074a8962cbd05d639e51627cbe5a32349d20f81af9c55ba024adda1543472ddf202f8e561fded07e3bb9c6692b5a254431fea23259432f0e614a

Download Submit
C:\Users\Admin\AppData\Local\Temp\GIIw.exe

Filesize
111KB

MD5
e1ad8c35b3ab99d8f03b01e7d175d591

SHA1
cafb2fd1a5340b14ae722cc7490e643b2a8b1524

SHA256
ea4fa6ba1b44500f21256d327bb5ce6e8fa5ddd8222fb92fbe8177af82badfbd

SHA512
6004d570a6ba25f1dfc571314f9fb4aadd5b48f44dc7ffbec0b19360214d665ef9675de23ac01513e120ca7c5ebdacec4cbb00ab6e37cc847b9f5b8ba6defc75

Download Submit
C:\Users\Admin\AppData\Local\Temp\GIMy.exe

Filesize
724KB

MD5
d3f373ee3920abe78e9483c90e2f9794

SHA1
9469a87d6662c3c23079b079fd5776cebd721c27

SHA256
7ead8458ffd6cb1eb96087a9e1d0e51936c53e33c95a3af569ed0108503c788e

SHA512
23ecbd2adf482839748d1a315a6ec7772941e6d90a506a7dab8c7b8355b0d490163189b683a4dfbddfd38ddbf71a19d97ae57e6571f0158647eccc4b61acbe4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\GIcK.exe

Filesize
113KB

MD5
a5c71e98e43c1fe5195c6f4e1b8ddb9c

SHA1
0fae8ea0d8811d203472fe2c7186a5f3685b854c

SHA256
5e92cad399fcf6a266ee1cafaad106032a38eb51aadcecf74bc3a29d8a33e5fd

SHA512
9bb7212c531c3b8e812d9e27edc284fff5d14e9dc728f2562d93e1faad16bcb08def5ef98b6a445f973f38af7ad8cd0d4c7d0a95559e065dd715624cda33abe6

Download Submit
C:\Users\Admin\AppData\Local\Temp\GQAa.exe

Filesize
316KB

MD5
e119308eb8d09a734bb03af9609b8937

SHA1
88bd81a7e999b61a0775efcd7878200971e15453

SHA256
7a7de7d82594c5ce8a2caeae4ea7df276f8d9ac44a7e70a8be04bb555d4c10f0

SHA512
9f3817463fffa226ada0309329d7a130527ec50f1650995b1a66df2dcdd42e78d7e829015dca341402c5daef65006bbd19c2f8e3f20b1010f92cee0d81f1a26c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ggsg.exe

Filesize
111KB

MD5
f8d4187d58153f82fc246e8347525f1e

SHA1
d0d62a5c807c9d620593022ea6c7c5c0478e5edf

SHA256
cd170d7262563196853247c646f1a53f854f0cf4d1ec444441c30d5e64a96329

SHA512
f168295d91f32ef7db953d4f5ec22ab1bb43090787b4eeafdf212e3d4e6e9c9ef1697df22fe4045cedbd0533be6376c518a049359585acf106b1855b2f4254eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gkww.exe

Filesize
120KB

MD5
76803f2240358205a88fc23d03d75362

SHA1
d559ff5ea214c571f6494066270acbdd653c2f23

SHA256
2e7ab20eeb8325d7beb9a66ceb9a0736733eee21b2301e6829e479bc847f2c13

SHA512
c533a8fbc709345f5e9a91de5e2300a68f0019315972f3042befc82bd9dfbb30f3474628c44db294c7251c0735555c26e52d1f165888dd0d787912332ba8505d

Download Submit
C:\Users\Admin\AppData\Local\Temp\GscI.exe

Filesize
110KB

MD5
2f2cf30c0f69993f575f3f11fab7d23b

SHA1
6e83871c23454d2d95215fb3570d5779a6f513e5

SHA256
acffb3046495fbc01b62247d574ee91ef20cc67b0cc67193b4b48991a486de28

SHA512
adf94ae1c6adaee742bdb378bc3e69381a1374ba9a4e4fbf16d8c176bbd396f2d868c8b2e3333cde8473b6f10ee624412a8641c283b203933f3a98fe74e93242

Download Submit
C:\Users\Admin\AppData\Local\Temp\IIAo.exe

Filesize
114KB

MD5
b5206bb526ef0bcfebfab427a3456619

SHA1
f16296fddef06c7f634b63251a086ee67c2f90a0

SHA256
9824581b05b43451963ca7ad104d293e6a932f0a1e364f3e34fb228414e11f4f

SHA512
3b449d6edfb375d4ac156a110d7cbc54f1852f46b55a679bdc44bb1f83bac1cc03084053f3ee3ec3e310e9ad2d8220f00e7cccc4f688bd1c19850fbd022f26e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IQgK.exe

Filesize
110KB

MD5
ab61176e66ea267af8d18dc1599145e1

SHA1
40a6bf313ff1eaee9a8531653c0c38303c18af4c

SHA256
56d07062edb8c4cd1bb89e8e7e9836413d81ad073d78fa4c2d1f4c5a1083b2a7

SHA512
d3626d2ec35112a648b807f03cfd56673507b7dea25e42f870e7ba36d96fbc9e436d1519bd4cf1b6f070dac53b2a0f9bdbbae4b4456206331e7faa6dcd28889a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IUIq.exe

Filesize
485KB

MD5
e408335dff40cf1ec09e438dfd7ec03c

SHA1
45cbd30aad83df65f1b3e635484b7adf5d37b2d4

SHA256
14074435a9c1448f9148041dea4e81dd6574fbb486f08dffd7644a70402b1874

SHA512
1ee4ae8228a86cc8571575c601977c5feebf75b97be50aec764e75e724542327e00e0913e2ef911e8243d8d606f615edb2c30c250992da2c6f51be3f76f5b1fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IYAc.exe

Filesize
113KB

MD5
cf132a652c8021a08cb8bc08b4d5f1ab

SHA1
3b10b612b55fea9e86b0ee539f236c1a50eeb661

SHA256
f086a09210871649c09b2e073e20b60c2762c3ce412a9395f1f5faef6e3ace44

SHA512
d049c9560247e436ad6b5a19780bf758e09aed337bf3f35f48948b44867808abdaf914e172a2cdcca229e78f22c71fdb1339281d8ce6677f79b834a5f413d8fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IoQg.exe

Filesize
698KB

MD5
2e7593376af971ae5512fcf22eebdad0

SHA1
201b76e6ad1bd021b326604f7fbf02a4f9458f3e

SHA256
17b32b05742ac14db0dde3aa86d80e8a285aa498d5e053f754bf1b178ae7c996

SHA512
de82368b99109a2dff58b2e6a133657612ad789efece641faff41834cb80fa9225eaddcc60dbd563045451fc4b08954bb9311306aa9bd9b10e9064ac3f8ad55b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IokU.exe

Filesize
115KB

MD5
5b03e6e4802dedfd07b7b7fde3e4ea1d

SHA1
90a9e1967fe25de6e45a0568102b0cbd08a35a58

SHA256
ce3b4b803ec2f82cbb1895a59d1831e679d40882d620b1cbb69861b111871340

SHA512
a45f01b043c1800882f23e9c170671063ba97340de21e14bd41de79de642ede03bae0bad580d2092a24ca8b5fea7634c822904767306cdf2d980b61ed5ccf76a

Download Submit
C:\Users\Admin\AppData\Local\Temp\KEoM.exe

Filesize
113KB

MD5
5116736a017fa36ddc5aa04d153c0fc3

SHA1
72e3eb3ff42938108ac2998067143b05abb3aa86

SHA256
58219368a5d21f982ea92763104ba038c2935600929e5f084c55ad951c224ef5

SHA512
cd502057596489bfa2507cd1bf57756dc8dcd2fa05a89fa0e3f3f1351514a837dce80d9ecd4ac4b467663cac1c0af70a8360029f7d7c07540d8ed2396e9cd382

Download Submit
C:\Users\Admin\AppData\Local\Temp\KIgY.exe

Filesize
110KB

MD5
c0abf4bbc95cf80ddc4a9bcbc622814c

SHA1
34eeb80a5195da166a2eafc374060483de823446

SHA256
4c6399c2ce3b96c89885946a614176b188a17eff51e8a27502a2c52c187c41aa

SHA512
6b6700fc42f943e6b24e5bb08c706f1df3087906a62997b89590632e27cf6030636849f606b0f454fd4b3ab3fd5c51b22e55e58eb933fbdf5cb71f814b2a603e

Download Submit
C:\Users\Admin\AppData\Local\Temp\KUAQ.exe

Filesize
112KB

MD5
738b75486336a791be6ee3132669e7a9

SHA1
e1d4ca87aa786de86fe2791886802720a91aa180

SHA256
c380fd94de31cf204eaa205552f4dcfc0cfd3d4407a5f23cd836ffbef5328d1f

SHA512
b4d7b5d49ab976d5e77152d4db7b83182e0eb5f0c12389d75ec600529e02c9925f14b1eca029b034ed4de00a896a1e7a60642ce079f3a0a664d7525f38bebb3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\KcUU.exe

Filesize
241KB

MD5
32893523c1a18da5f22e80863d5a7bbd

SHA1
21c2365b268763c2eb3522f430dd841516f1fec3

SHA256
6f139dc26cea463b417676ba9a0e63702b2231b4c31e60fd7b63aeb4f06759bb

SHA512
4bd8a8d95682e56122bef82ba90db93ed1ca3f941273a2ce22f58b5c1b4be1eac2c41dc88cc4af05e4c55b46ac625cd054fafaaf28462f138b5d6f21f2735275

Download Submit
C:\Users\Admin\AppData\Local\Temp\KgAA.exe

Filesize
149KB

MD5
7fa64e0941a39b200dda265fe0d9b93e

SHA1
21dff983830430bb5e2c6833ee88f69014a36001

SHA256
be1d3d560c4de4031a2e24bad381dc6e35e93ce30be9bb93bf8e31a6451e81f8

SHA512
f88be9f889d35f65bc7041a9c6401b62ebf23b313874ae968bdc0c5ab44d43a00e3dd8b244c4cd5a90dcf50206c4aa9d81961e34e85da80ffeee97c0598fea18

Download Submit
C:\Users\Admin\AppData\Local\Temp\KoQS.exe

Filesize
431KB

MD5
265e0fd4bd0a9344659b06f0076e550a

SHA1
9870121ed14631a7e3fb89956047d509695ac3de

SHA256
13f4df40af1b033f75feb76b8f78cd8d4628951f11ced66742ea892d0f5bdb52

SHA512
0c122be91f44ac40e5ef6725f15ae78e63ba9bfe105b2aca5d4f4ec9519427f01f55f8347f2aa1f1d86d0def53248d40469fadac58a677473d18e43d029b09b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MQkw.exe

Filesize
699KB

MD5
802ca3eddc2e581a5edc8926380db091

SHA1
41a21d830290e0447fa8978c19c97512c4449ad2

SHA256
190a85b9e7fa1136a6caa1bb7625351093deef14ae8383d1484acc5d011925c8

SHA512
62f2f2d16d4ecdbe4601f29e3c4c145d517442c8f3bd5502de6f61b95e2f2debc41ad06464f15e776f219cf2e4fa75327264bcd5ec8139777a72a1129322cb86

Download Submit
C:\Users\Admin\AppData\Local\Temp\MUgS.exe

Filesize
421KB

MD5
fb225983aea7356897b93f7d31f837d3

SHA1
2084dc7e6e659c9dacfb9ccef66da30530918971

SHA256
2da329784e7df5554314cd7fec1b9365030ee2014e6a4800468f359b164088b5

SHA512
2a2b8a974055fe9312c9976c1e55c82ca14b95bf2a7de9e1464b08d46df9c4e69c0120c7adea2203634898b8b0a7cd8d6ffad31f59224d3d98b0729b5207c37b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MUkY.exe

Filesize
110KB

MD5
e5cb4195cdb37187cec4c5c2aaeed69f

SHA1
0d803e8fab844819e7164815c8b19cbb49e242ea

SHA256
c00079f1af589fe386a5dbb083eb5ef917a593b6276bb1d21a2bd5c0bb1bf033

SHA512
6a1521c63b012ef907df9081017582c7571e7a75586c0f8655fb9d22b87cf2757363f9da54602aff48f1c5d377b5828ffcb964172fbe281c10e30b974af4e901

Download Submit
C:\Users\Admin\AppData\Local\Temp\MYAI.exe

Filesize
112KB

MD5
b42ab0869dbcaa3c34488aeb2ef60909

SHA1
2c6a7a3832986ebf22cf3a2ea63a9f0eff92e1ac

SHA256
23cc58b58a19b008bfd087e748481a18116863f9e2415fb2bcccfcf89779c58c

SHA512
24672c03f04a083d2895b5a55795c781717d4a8aa9a90c1702e319faf3bdf0d45e9141e2f3435fbf825b9482ad5db0c07ae0555ab48adf39b00a9e59dab0bc31

Download Submit
C:\Users\Admin\AppData\Local\Temp\MkgM.exe

Filesize
236KB

MD5
041852eb5315e57d093bd8bf7512137e

SHA1
da60d0bc9f6854c0b0052b4081c9662072ccdef3

SHA256
fc9e5ac03f1cb1bc635555a686f20317ee059454af6c8db62ef0afab7e45c807

SHA512
8ffdbaee7f470dc85cbc8f1b130f19f7646e382ecd7af227dc36297a719cc2796b2905ae0c6ec4eb6975a8d0655b445677e7f36d51a3d07ce6a35f1827d10f59

Download Submit
C:\Users\Admin\AppData\Local\Temp\MwIO.exe

Filesize
113KB

MD5
feba57555b8a5d5be341e24771ae9b81

SHA1
39adfd4e7988327e45192701068e74a3da9d609d

SHA256
259543eb474597466a7630c998406a657520c3a8287f06673eeab2aecf109bb1

SHA512
24c42ea528939a73b9aa726febd9fbb000f178ea5f21dd4656cbc160198e29cd613eae4da6d29a6288e44c497d35ebf2d7d8a8fb05d6112eeca5eb0f35008efb

Download Submit
C:\Users\Admin\AppData\Local\Temp\OQAW.exe

Filesize
138KB

MD5
961620c4d6f4195612a5aee167800270

SHA1
c30b48507e3e4327c5fc87933e12bc0c4d8fd8c3

SHA256
852f78aea781268efba456f1f5653076ae2876fa5015ff3a9bc1fd2ec7ee0a21

SHA512
e05dab9702d5c1019a6df5472d53dba09aa086302f98b23f468ff16bc3fdf72c26082c98f0b8a12dfacd6fcfc5fd76f15d529bd2507d9dc64f6d4c8ee4b09229

Download Submit
C:\Users\Admin\AppData\Local\Temp\OYYg.exe

Filesize
5.8MB

MD5
5681677b499dd6f4e2840cadafa9a7ec

SHA1
97613fafced6c748928135f475ad59b65d7a5a3e

SHA256
94a0cb816ba4eef2241585822cac1f9ca348a8a12bccfa1e1eaa58657b540ce8

SHA512
bb85f533f268f2afe970ae0e6b43f776d76023f0ac70b62c1f8220b674d48ac5915b6c9085a5f703895b2ca5cc045823ad73d75e036685e64cddd7ba576b2b77

Download Submit
C:\Users\Admin\AppData\Local\Temp\OcIi.exe

Filesize
114KB

MD5
d911ad065149357c8b552499b4bb72cc

SHA1
2469c8cb81d7a8df6a3892c7e1eb72b7ffc19eb2

SHA256
cafcd775a35a448574d1b0a2b2e170d955f8fc3785920678eb369c588710bfa6

SHA512
9658523bc6640e3d70dcca7baa8906e21ca9daaba796e8bf57103f5e17a5ffd335ee81f9db9c310324ff5c49ad0e66086385ce607781dec3b3dfab6f48721d8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\OcYS.exe

Filesize
110KB

MD5
c2c6b9911e1b49840d3982eb2c4888aa

SHA1
93687d6db6982e381fe03db489dd825159b67203

SHA256
5c8b2961af97be6c7dee7f4fe8746f67fcceb7e556c996ffdfcef2e11cc7ad46

SHA512
4d9dd2ad1abdc6d02fc16725856e1a759ecbab0498504843178a730696facaf60035ae66d58fd6ed09c8cade8e66054bb70723ae71d415225c8aa43b30dc6617

Download Submit
C:\Users\Admin\AppData\Local\Temp\OkgQ.exe

Filesize
113KB

MD5
75613eceaa40b078746ce2f6479fa6dc

SHA1
c041d5914c788cfdac6cf305866d5bb27040db94

SHA256
9da2ecd2dca38f5d54bc8ffbad30cf1d9cb7194d9842f98e7838451d8da4d187

SHA512
84ad8064ec42521c5e3074c0189c68c4c053fa5c043340357e818149d064c02bd372cf3fa3bde392c0e5243bc9d4f4f0adafa34a67e0d702f6f6951dfbbe4cdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\QAYm.exe

Filesize
115KB

MD5
6e116cb8d4ad12f90888e88e2449870e

SHA1
bd583340c458ab61c3320f56cd60785ee48f0c4f

SHA256
97e08c14c0d05c4bc728043a8b95439bd1f4ce07bcd18f8ca3d7ab352f9e6fec

SHA512
dcf261f734262ca26ecc52f38a261f739c02d645d521bf4bd5bbec81450f3677e3b00121140db3267ee08e7aa5d08e436a2c8dbae762b570a6297adc8ccd4e74

Download Submit
C:\Users\Admin\AppData\Local\Temp\QEAm.exe

Filesize
114KB

MD5
fd1b42d976057f1be5b15bbcbd2e7802

SHA1
91f16df75fc09cc580bb35185cec174c34edf5a2

SHA256
bbd74b3d8f521677aba6432ee7a2c310a51402ac7001d15b2f63f356909b25d4

SHA512
84b900c57e10e0bff2c90a85377c632fa9e7875559822a577c6af75f9f258f6d212dea88e578e7cb12d14775ba1201a5dfa7799de029b8bc9ae63d96e0b4721d

Download Submit
C:\Users\Admin\AppData\Local\Temp\QkkW.exe

Filesize
117KB

MD5
a8931d3e47aa3ee00a82c8d79a5a262e

SHA1
528b79e5326a394371baf8bdaf4bfd7b8e5c6b00

SHA256
da80af9e638611484fc2eff90011852470ec5450026dc33b6a258c5442713de0

SHA512
a5478ceb2b62677a4e1d2d0e8424841cd1801954cb25964499d19bb1833c85dd20a7179652460efda63255cbb0635a759155a676e0bf3e8b88b93e35158b7a96

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qwkg.exe

Filesize
116KB

MD5
0f25ee14c68cb950540c7a62f6689754

SHA1
4a7901a07840726a448f33d877bdf5d2d894723f

SHA256
2381df78b6fea2118cf2f65ab2392072f0f71fb6534fa7d95553652b37c5588d

SHA512
38ab15938aa4bb69873e61978bbc32a9cf31f5e3087723f3208c9c0e4f705bfda5013d3d320901ab12ff120b7d2b28204c9fc582c8b0849edb0cf821b7b48b05

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qwko.exe

Filesize
115KB

MD5
42a29de8cde0e8db7f21cec03a0d0900

SHA1
e7ca14f170f270bd55e3b924c5a5001977e4318b

SHA256
9cbf64d371b94179548e4ac67a27f2e03873b0d109289513df5e3a216c97f327

SHA512
ee1b82e4887a24b1f3883b5cf7694d7b5705a1614c5cd4c5ca39b07650215359b4448ccba0945ec8734f4c152ea0726ec4db697fb85c77ff327f87eece45cf8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\SMYO.exe

Filesize
112KB

MD5
d0e8660caa08348c27e80b8c91748962

SHA1
6f684d9b8315fec3b4a35cc520d6a2cc58382b3a

SHA256
73529cdb93cafe39008b2fb9843c61f26a978181468a6d4351875dd9645e9874

SHA512
ead1f7f1bb4d7fb08891aab77d7e7805e3865596c8325e1caea43ef2d502ef61578a1a02cb704be6ff1fd11c4a74ff06b8c7a8203b669fee53799568d18ed741

Download Submit
C:\Users\Admin\AppData\Local\Temp\SYMC.exe

Filesize
112KB

MD5
65f9de02ebf5e131eaa7743ca2f12106

SHA1
2834dfce777c225338392e2fa6b11e084ffba557

SHA256
245262c84e70b12c25abd69ff895f5c0805cc55d5a943bb10067aff6cdf80709

SHA512
167e4c0d25c64000bbf9799d98968d8bdc82d1343641b3f596cf763f0fa7956b912873e5b025362ff81037b3bc9cb89d40dbe95335ab6db517250158bcd23a9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\UUIo.exe

Filesize
111KB

MD5
71caa5eb88fdb0b7ec4c9968603ebe0e

SHA1
36ff4c4b6b63924126f350d114c0a95bcd95f9e7

SHA256
f496bbb314dd7112517656b263b9216f0634312027436a1121ccfb125bd10969

SHA512
019718fc05018f9524c79a7da17c6eb28212672358dce211a0926d4e409e3f7a0781c17886f508188a00a2e476523401f3dc2a245e7eff8a0d77dd76a7dce0a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\UoMk.exe

Filesize
110KB

MD5
f9736aa5db43cb9233bf7a166c46bd5d

SHA1
0c88c73d4a97e020e6e21178128ffdbd4d5d4ba6

SHA256
d74709310c1f614753d5aaa6663481a477198be716925bb4570fdcc6dea86c3f

SHA512
ac990f3ec6b9af829d072ebe016c37f8cb6d125bec3ce6b6deed90ef6175d1f678d7ca3234e6aa2be670ab3887807a5272a4eab63b4160fb9f0e39b068072cb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\WIcy.exe

Filesize
111KB

MD5
5440b985de1f5d621c53fb506ade4e93

SHA1
828d5126f6eb63e27c48467d9b0e4fd834505833

SHA256
29869a625c1dca8d1cb044442a447af5c07aba3aaabc40320c2f1e569a2d325e

SHA512
07450b011eba4913fc209c668cb93f5ab5b0989d3caf9e76398d53c2a65147768edbfca006568e235d846f7f406580d19d188904a5d58601717bcd5a1de24298

Download Submit
C:\Users\Admin\AppData\Local\Temp\WMAO.exe

Filesize
462KB

MD5
8aba85f74fdbdf5132e1bdf070069f68

SHA1
d4a98dbff8b85c912626bd8b08c6d04dd408510b

SHA256
2e3373957b1a62f594d36bd7f24a3b3fc1bdb2ef002c1f9543a0d1e6229ba098

SHA512
296f6e73032b97e71ef814576438ccf057d36168beae0334730f7363f21c71245e4b5a35513da8c4dbc69d43bb2d040e89dfbc288824dc53da0b3dcd162676ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\WMwe.exe

Filesize
556KB

MD5
96b30e8dc128f3169776add307b1f1e3

SHA1
2298a6282af1830dbcafdf2b003969552126b0c4

SHA256
0d3b223455a9297a0a7c265f77d9f5894e157eefafb67e9e222b16d50fb39859

SHA512
b32e8c4f990b1ddb42e77249d0ab7f1c58c6f566db54a7576dc884fbf5c5c09b76621ecb619a92f3e381d704fe356ac475313a2164af2895f4333fc2543c2b21

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wscs.exe

Filesize
565KB

MD5
9cc2ccd12d3128a75f5cd8d3673a26a8

SHA1
a8f2e01360c22506771905dc7e4f80b0eb2a1555

SHA256
e8ac8bbff6980680b16e6afb305a49eef644b5e8505beaa7100a9f80745bc9d1

SHA512
2f089b79fef423bcc3f2bbee5952c31ed242439f494dcc7707c067fbec1b2e871e5687a418bf661ae3138b5055fddaa2b8dcfb1136f9501cd4ccff3692dfd425

Download Submit
C:\Users\Admin\AppData\Local\Temp\WwQk.ico

Filesize
4KB

MD5
d07076334c046eb9c4fdf5ec067b2f99

SHA1
5d411403fed6aec47f892c4eaa1bafcde56c4ea9

SHA256
a3bab202df49acbe84fbe663b6403ed3a44f5fc963fd99081e3f769db6cecc86

SHA512
2315de6a3b973fdf0c4b4e88217cc5df6efac0c672525ea96d64abf1e6ea22d7f27a89828863c1546eec999e04c80c4177b440ad0505b218092c40cee0e2f2bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\YIUK.exe

Filesize
467KB

MD5
3a7b8fff71bb795034b6db1295e3027a

SHA1
0db4875ebc1cd3032e0e5144e2d97bcf6dcd7c73

SHA256
26feee1b4f82362176f11e168223415a41ed62eff8f3abaa09cd4ecade2f5ed7

SHA512
a6b22ccf964fb97b76f3ab45810a02bd2d764357825401f6d11458366de41e2b5a7310caa3be404fb855f689e8ab4d48376c5af7731302b4a5a15f3d7802c0bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\YMQy.exe

Filesize
112KB

MD5
e22ff45b674a40d20fd014d28b8d67f9

SHA1
75505f2c530b567995293e942998239b2a978240

SHA256
4f07a53b998a27d309350bc4d73186cd50cd51c2a8900f68335fdcbcb7654f87

SHA512
9d3c71eccfcde2f403b187b56038cd9e7b2e437993143995c5b6187386db01497c85dded958a8d1f05d4a4a1c2e44746bd14204caa6fc123d93f9c586d2e8de2

Download Submit
C:\Users\Admin\AppData\Local\Temp\aUQa.exe

Filesize
155KB

MD5
d5310d2b59a2943f562c95992e4adc42

SHA1
fb8f98b7c3bfb0b4dbd2ed5a2b814a784940f301

SHA256
5ddb2a2a41067aace7a9d89e9f629b2d2723c2ac481176eb90cab9afed47b2b6

SHA512
f60408b6bdbc82efc8702161f24db585b45353e41b6bb0d1df862c947d8c05d10fe2820e828521947cb25d1ec7087c6f502ab91cd56e7edd5cb4eef8704d0bb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\acgc.exe

Filesize
112KB

MD5
75199961e0628fb6fef2ac63c65791a2

SHA1
e24e35d3b3a8e29a6259b0aeefd5c47c5afcc876

SHA256
40c3300dec3ddedadfeccdb801ab8e4bdde6090dbe61d05be14c85f670b1d1ca

SHA512
bbb93ee424b979cd68d6e7c75c127aedec00e6112acdf788d9d51e3636247bebeafd8414a9adc4a03861cb47949f619b217e428ada36b5e9588cccb811abcc3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\akoa.exe

Filesize
120KB

MD5
936acb0b08ea7d6725cba4c0a422191f

SHA1
a48378eb1fd7dbdf0f954dc913ce4fd6f917742b

SHA256
59d5da29e5b24a248531b34f6c9a01577884925365790b84c4be545b7a02bd6d

SHA512
658940285fa7d6619868b31b2d342d29be66c5a991b0f4ca03e9f2d0dfb9ba1d03ea00ec942ea3073754f95120de5217c1ad3a9dd89deb7d32e588c64af37aad

Download Submit
C:\Users\Admin\AppData\Local\Temp\cUgs.exe

Filesize
112KB

MD5
0a0335b3b5490a8ef8d014c4536295c8

SHA1
36ec028f7ba420a72f41a5642b8ca890a4ad5f4f

SHA256
dd58460aa171c421f9aee17ec657a12328918ff23c53a7f0b03e653455cdc9ae

SHA512
dfc07e22950567097373828a0e281581dfa9a5adfd260beb66f316e3ac6b17ffb2890d79986beb58c816b923cb5ba9713c9471563e54bf91e54b7adbec0e7c56

Download Submit
C:\Users\Admin\AppData\Local\Temp\cgYO.exe

Filesize
237KB

MD5
0c66d51d3caf52d3c257d20a30a42fc7

SHA1
2c9b0cc2ddd69ec44e0348086bed9ce54a6752bf

SHA256
4a641c077736d4e74fd0deb15f5e7949525db2a94fe366f6d3ee983dcbfe7aec

SHA512
0dd105e1105b64716e365e08a3e262cd23fadbbb1707e25807112d363512524dea10596190005e73d80853b046ae1aa0ba942af39d130ae9c759978b3d51b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\cgoM.exe

Filesize
124KB

MD5
e89dffd11c5734b30ab5f4eef7379c97

SHA1
560f1331ae1a22604a5921786eb03e7e0afc7532

SHA256
ce638cc9cb12b74a142c6f3223b8bce416f3ff9bd1b647b76309134c0f6b7bb7

SHA512
e8605bc2d991efa37a044c4f9345dcd8912946a72cfb7acdf890bbaf9731a17aa47a93283a105496f1351afc644c4b2792c47aa9ef66d29a6afd6efc88fb5972

Download Submit
C:\Users\Admin\AppData\Local\Temp\cgog.exe

Filesize
138KB

MD5
475076ded4161779fb3de51689dca7ed

SHA1
b4109c45390cd97cead4ebd431beeb6ae37c8cb8

SHA256
bb67d90e080ae53916b6181cb85c57b6e00ae21a8620f5e3642eb7a8ed8a94b9

SHA512
6497ea2858d46d1de2eefb584bae4f5910d10485fb45c1065fda72a1a0bebc0d298168a57a98d702fe468c890b5ce7f43e9f297a68d1a82792a01c336832e5e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ckUa.exe

Filesize
114KB

MD5
54dad43995bb619149a830b5ecafe41b

SHA1
af8f52ccb144eb42c6dd98809c3234605e983df8

SHA256
cd2d0bf6fa72ece7803b07b120cce2943a5a0cba358ffb499698d4e86649963d

SHA512
eaaac190a38ba6e8c243db9be7ecfb2e34ebcaa71d360d27b43a60da46e7a1cf2ba0c415789c947a638c8592accdc93906bd04fa6c518da0a03487f09ef2bd79

Download Submit
C:\Users\Admin\AppData\Local\Temp\cwAc.exe

Filesize
113KB

MD5
d5aa058d7e127fac1bd591e28584e17e

SHA1
63539a23983a890966a0dd71f08f69dffd1492e0

SHA256
9aae5338c5ec3f8eb725fb2cb6ee345577064c9c208512b449ed130ab9dd5a7d

SHA512
e2947858431189f471ca58a49c898728f7335147e68abba015a8945db170850cbef05134e5116c9adc6c3c7f8b609294c1334d80f39891d845da79b9a30284c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\eIoa.exe

Filesize
428KB

MD5
2e0f7bf2365c7e9c261ed27980bd4475

SHA1
ae427e5d852ef219e390a5db434dd99c2bce8344

SHA256
32933aa4ccfb4eee2e18d27ecc53e7eed523c754dda28df87cb3e5690813d39c

SHA512
2d6097da6d8a488dc87db4aa0579e3d8d47bcdf8b724ca3a650a685a48de937c51b5f923d3ae3cc891d8ec7c72fc882ac6cb014a7787415a8d4342f2d8c5a662

Download Submit
C:\Users\Admin\AppData\Local\Temp\eYEk.exe

Filesize
745KB

MD5
9c7dd989b9561a045cc34b3c4b96f7db

SHA1
8fe1179bf09719a36a0ca7a3f0b7fee1dd4b9d3c

SHA256
7c72e3984905abfa68e93fbe23f29690644f8fcbbadd4d26c9b188900445ccfd

SHA512
eeed42d7aeae8e759aaf683796c0430d8f44146882097d842e09c52bb3fa4db27c459a350573d43ab88d3cea51df7db755d6504036ed03020a8d2e14cb90199a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ecok.exe

Filesize
115KB

MD5
fbc92b3dee81d9f8283930dca287f322

SHA1
08e955656395e1c9076a5b397b3362ed77afbd72

SHA256
93cf0096c684f880de00f7591d360f28e20088248849d476420527b698d48bcb

SHA512
0192f38e868bd8becc486c6fc2dc2e0d127334a70bf5b8e2530e2338a8f96fc1923ae3458d1895c91232b1f54d457ef651238924deb0251bee3c8d981a317c47

Download Submit
C:\Users\Admin\AppData\Local\Temp\egAy.exe

Filesize
111KB

MD5
6569e9fae8cef46044a47f0b2150fb60

SHA1
82210132724d90a735ad3bb4fce7cb7459d5bb8b

SHA256
1299a906e4e8a69542ce195e83584dd24bb2aa86b5758f22534477e106d7e175

SHA512
4e112ceb58f96e83007fe382c344163973b7b55c33a2254b8f7c5c1dc8357787f79b53407c8e4ed7353e0d156c583efc7d2ff7a511d60d1b6a4c0765324db79e

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gQkg.exe

Filesize
111KB

MD5
640f58c21e7e381953d7cf5905e7d4a9

SHA1
25e6286ecdca7103af44e4f84e5e3efe1c100b0b

SHA256
d70ec1798ac59dd1275ffbb5310f3e2b027b982abdd2603c39ed876ed156339e

SHA512
199ccc2c5fa637538a9de766c1bba98ce2e7d8be802d182299578d4970db685941e9fc3ca404bf4233378768aa8547cfb5bd2b834d73015df15822e2c2ab556f

Download Submit
C:\Users\Admin\AppData\Local\Temp\gcEm.exe

Filesize
134KB

MD5
943a739b52bb2a052af8da9a26e4c3a0

SHA1
e45c13622b76fb774e65e1b51feed59a37bd136e

SHA256
fce6e55a90a5dafaf528d908e27819336c97713ce47888823b3004c55b73486a

SHA512
8fab7a0b6890aa28f50ec44514ffe7ec17351fa74875791fc39a6162566d9e69fc6dfcdcb329b5d45929ce72b970765272a157bfefbbe28a06fa414f687e3424

Download Submit
C:\Users\Admin\AppData\Local\Temp\gcgc.exe

Filesize
116KB

MD5
784cc3da15a31ed264b8f1c032a74570

SHA1
9fa8fed4e59a939fb51bdf0c3e818145e0c7c4df

SHA256
7a3094de661b2217cebd7e6eee47089b3649e2fe75a6b935525d36fef88a714f

SHA512
e917208363619d58792318310bc6bd18c48bfa0deac997af7f116fc696452f77fb09716d0cd683b7791cd8c742b81fb347dd56ce251ee30dc6344611614e8314

Download Submit
C:\Users\Admin\AppData\Local\Temp\ggwM.exe

Filesize
118KB

MD5
570306c00a7181a80ca7bc654e3f7be6

SHA1
8d5d3894f16e4f1132c59a816c39028f01ea2c38

SHA256
96ff39eb0a656cdb6ca1b2309837efdd11a737ea4cb475ade62f81b176b0ac80

SHA512
9c8e7c8ec0d50b329e4e5bd01a39800fb90bd8c81e6ed286463b92d80f852573d5eac1d9039fe38e84bd1b0ab98edf2d06e0634f425f310f602dc4995dbb8c33

Download Submit
C:\Users\Admin\AppData\Local\Temp\iAAI.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\iAUW.exe

Filesize
109KB

MD5
9acb6abc066de393fab00b24a75eb6e9

SHA1
fd7d4cf1934a241921401a27bede177f19eb1cf0

SHA256
1566f987acc23524404a39b41f3166d2153f4568363bcf15e20f236cc763b197

SHA512
2861433343bd2a4ebafa878b78d073331fb7e6309fabd7e1d170556a8666447e4c0f3de4aede7946dcf5d52d231035be88099973d8c086ecef41b6094ab7de67

Download Submit
C:\Users\Admin\AppData\Local\Temp\iEgk.exe

Filesize
1.7MB

MD5
c700f123495795b1ddef3b8cb4ac367e

SHA1
058b879e58b155b753a879a82d86d6d8ed8d530a

SHA256
0612bd2cc7e92c4020fa1857960e0ff0e9a1ba2c544e30122c7d5e39d2614ae8

SHA512
c57cd7f47ca91a52fc3cd9a92ceb7b5b943844445df15046679c2b9b47cbca02b852ea309c2d23cde4a948301485c668199440ecbe6b8c960ce93b79bddb12bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\iIUe.exe

Filesize
5.8MB

MD5
9a780268ee3bf0179ffe1af08a65251a

SHA1
db9d10a2a64ad2b45afb96ae0da465ec31efde61

SHA256
8ba2a19a395602a73559dc7182b2fe6e2cd581364d4e907d7e5b2cc0ad1b7cee

SHA512
447b1a97db861c7fadfe11f7e1f399e260ccc3dbc33133ad106819e670e51b5f54e42c88ffae33d3fa2ff054ade3c74824ec869b881454dc084da481df16f9cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\iQgG.exe

Filesize
112KB

MD5
153202aa84183cb34eab1b6e204d55f6

SHA1
87af9b1a0184bac157a939aff2b60ced02f7ec67

SHA256
20f6c846231c44782de0231cee41631da07fea175ae739a233ddff9bb463cabd

SHA512
f64aeac008cd445fda336c8e4654cb9a89c45ca800cef0d3a64745c46e9d50744bb534835931216670a3d8bb04dcff18bb5a1903397ad2f340e1b261ad8372c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\iYMw.exe

Filesize
112KB

MD5
927d77b191d6cd9e7ee573b585c179ff

SHA1
1a733540a2f98c08ce21effeece33115a06dc77a

SHA256
5aa6558005f6893529a82595f594e7d2c51ac9b94411e8c770ebd346fc0192b2

SHA512
834c43c12b09e962c96245a76b6f3037d73364b0a33c16fde4362345765bd181e1bc6da654ee5c8ad70f57e66ae5d38462e40e293634c7a83df6943a8bd15d05

Download Submit
C:\Users\Admin\AppData\Local\Temp\igYM.exe

Filesize
111KB

MD5
7316f5b92049ddc73503ec173831d3f4

SHA1
53fa333b42109c783eeea7f2668a9909fda1baac

SHA256
7bc6af538242760509de7c6757bdddd1919da14a3fb35f381f563b4d96dbbb53

SHA512
babcc738dcff6703f3d40b2da77a7e9e3efe455112f2a2aa0e9bfd374fbb8a090c74ffeabb3a7181f0215d2b1909d8986dff65e7ca1556591450b5894075e937

Download Submit
C:\Users\Admin\AppData\Local\Temp\iwki.ico

Filesize
4KB

MD5
ace522945d3d0ff3b6d96abef56e1427

SHA1
d71140c9657fd1b0d6e4ab8484b6cfe544616201

SHA256
daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd

SHA512
8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e

Download Submit
C:\Users\Admin\AppData\Local\Temp\kEcw.exe

Filesize
113KB

MD5
bd5d15ebcaa975bf070139a6d94e5644

SHA1
192167b0c501131bcd3d664bc01b057fcfbd9464

SHA256
5382ae632aae9465e14b3e0ea4eaafd1a24961d2ce571b7af5039177c328e684

SHA512
64e0438c19a0e59a14933c1983d784bd696e5bef74bf1a06e2d7770cc28abab3a909f8eb2d362fb2a24cd1963a3f90cb71df430e3226bcda54f0600259aafec0

Download Submit
C:\Users\Admin\AppData\Local\Temp\kcIG.exe

Filesize
112KB

MD5
98c8a8258c22860380459b072f10ab91

SHA1
1d298d9f9db63c46a04c3751f96ad18abc0407f4

SHA256
76ec10acd7fef61fc5727b702803f073937485fbd31bf516417fef36d476a838

SHA512
3787682a2c9ee95bf07198deaff522d60088aa21835623d74d14f877fee0f9cb0f84ade3e11c40d64929b3146e6db1ebbfc59b2dd02964e8c924f066db1794e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\kgoC.exe

Filesize
565KB

MD5
69c7da4305d696ef75ac954a97b12fed

SHA1
bfbeab54cd51ba73c3bcfcca72c04b47fe2826a5

SHA256
650fe8c54986bb8d1cad376db3a6133e9abec0dac12d3c6611b001b8cf513f3c

SHA512
4cb76ef80d9ec2546692fd39d66d84a4aa8e3d5ed206e91b22f528c7550f37459b89a3cf1560ee8dbea28a8dfa3f7456c08f8c7632d0e9a560a5077edf11126a

Download Submit
C:\Users\Admin\AppData\Local\Temp\kkMS.exe

Filesize
115KB

MD5
15f6b436cdaaa667cef002b1fa042165

SHA1
bc5129773dfa1adb66d8030f692a5995346b5f07

SHA256
9854becb75e493abf0070b404dcc9c41f97a9cd0e87790c5265eaa5e2586f820

SHA512
49169a05c9e3080c33410a869327171e2bb4e6e90bacbbdf4b4922a26b03ba65df6d16ae5bd7ed5dc8e20d88dc1d19adc708c048e014bc82be55b60dd121d2f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\kwIs.exe

Filesize
253KB

MD5
6b99e7a521bc353076aaed41b648db4f

SHA1
e2080a8604caadfb9c08e5828b9915040df87f04

SHA256
5c7ea531fd303ac402f9e7325829cf91034bd4306b5e7ad29c14694a1990d9f7

SHA512
2174401ecbb89e7a00873fd5f44473a1ef6a0cf7826d1f892b286e01b1f2fcc2f967420e9acd21acf2efd518032380d0c806720f63cebf87fd564a60f68eef59

Download Submit
C:\Users\Admin\AppData\Local\Temp\mcII.exe

Filesize
116KB

MD5
e75b86c569188d8a560004d9ab13eb12

SHA1
8a4eb65f2acaf57390ef964a122828c91becf270

SHA256
8b187f8ce82235782150cd7a57e2aa44a6a4c081c3a937fbc4a109489a1fc527

SHA512
06524521e2ecd6bc052872db44e0304af418ab8638965f76bfc090a4525a22df162c80a53740a1b97146d50898245798131ae8893b0dec6513c822933ee7031c

Download Submit
C:\Users\Admin\AppData\Local\Temp\oAsY.exe

Filesize
114KB

MD5
3da230618d055feff0aaf0ab7ed026e2

SHA1
ee968c36dd9943c8516afe8b9f7921471ce9c237

SHA256
ff757695c05b24ec9774296ffbf3c6c20f053e0ef9a511088c1ef82c8f4d9b09

SHA512
fdb139295edeac64d67d8029baa0f273fdb91044d91ab0435b8d277014105ef6137ef99b2d649d75962433113a7b72ef3e5dc3afee9f6c276a60b4028dcd7fd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\oIIO.exe

Filesize
722KB

MD5
dec242ca6bad7850883d6aaa43d2810f

SHA1
b47f8bd945986f02d8c46938fd35501fbbf27c81

SHA256
6082a8de1d60b19476271e2165f4cd35c1a47c7760df306e57428f545c393987

SHA512
65b546a2593a7c643200fe557c4310d9439fb92d5a934c02d4e8b7a431ebe7daafc29eedc8c1c6caefe77627c156b0eb380d6b73e554bd96b68edca2c6addd82

Download Submit
C:\Users\Admin\AppData\Local\Temp\oQkI.exe

Filesize
120KB

MD5
28d2df1258bf1760a80a2f459e290b4c

SHA1
1601b4017afc347abe096b930c31e8b7adaa632c

SHA256
0320f714748fe1a4e39c424e39be7f8db71dfe8fc442f2dd893f9dd300fc66ed

SHA512
b0a998f6b5f283bb5165edeb1e28d68d7f9c691b9e99bfc8d22de64a0636710c954f8c3ba2d9036225fdeef8b61229579bd9969b0cfb6be834d8c1bcc0562d40

Download Submit
C:\Users\Admin\AppData\Local\Temp\oYMm.exe

Filesize
552KB

MD5
5d89790ce9b6ed252fe471ab33f40445

SHA1
92d838f2a98283f8925286f03217bf78cf1d6823

SHA256
4984211c665c9b68b65a88d611f947ca20539de3a41009a76787bb936f536df0

SHA512
9187577261e90b3b036263f8deee22400c769c0073377325ab3eeda681dbe3fa3954a5d4d00048d33e4feade0968f6ae6f8c3790e6d3385428c4fa17ada6ece5

Download Submit
C:\Users\Admin\AppData\Local\Temp\oowe.exe

Filesize
5.8MB

MD5
8f57b30890881388874e38750a377fe9

SHA1
8da826fafdc374185462df7e8c708268c7a84deb

SHA256
1d7888939563d954d8b1783a3c812ac820d5e098a74a89f1736e919ebf68126c

SHA512
e25eef704bf48bba83ab7a1dbb2342d931267dfe45deaa5ce0ee914587c9187b98fbe065bdabdb38ccb710efde7d6abc8e9ca563977d409087a34e82e36bc02f

Download Submit
C:\Users\Admin\AppData\Local\Temp\qUIy.exe

Filesize
1.4MB

MD5
c1dc6409a94e0bc73f462fd3161cf7e9

SHA1
dbe8c129e351e8fa78866d38bc0cd12b329ea1f8

SHA256
a6e76991b2327959cefbf2a2a3618eef0c5e91857b4444d636818be977c3a7f5

SHA512
8575ddb154b962d46c48f7919c6e6ae38bb50fde88b72edb26b17e9d1a4ecd6e51832d7b87dbb5ec3de328f1e5e8a6ba1091782b7237aea1c0182b288a80091e

Download Submit
C:\Users\Admin\AppData\Local\Temp\qgEe.exe

Filesize
117KB

MD5
3009619e1814c4b682c6a1970e5ca6a2

SHA1
a9530be9475b2e3955fedf245e8d6616ed7fa9a7

SHA256
d865db9e62f819a3f4f46147096b08c5f31d46ebcfd37562fb91b36206a00cd6

SHA512
3baf432f8c103be3acd11e7386a481417161403f81ff5c97855bee0d7baa11aff3df72d18b4af6aca9f3b5945ee7303470e9617c797cbcdb5929bdfa77454d56

Download Submit
C:\Users\Admin\AppData\Local\Temp\sEwE.exe

Filesize
153KB

MD5
404be80b3d53ef26a097b1a1ad172648

SHA1
4e903b286357c51131c50405b1f75aeb04c5e424

SHA256
fb0d841993b080ad55845a3ab2d84f93ab83851239e3a4f005e1916046454010

SHA512
2fdf118c37fdf8f5472bc459a93c56eca0fdf2e8fee3dddac225fc457f9b16576d8d72c6cde8c7e69fd30cf34c29bae2fc0e59f563d4c6eeeb68d343dbec9d40

Download Submit
C:\Users\Admin\AppData\Local\Temp\sQEc.exe

Filesize
332KB

MD5
030065b039ec9b88e6458e1c06d7a4a7

SHA1
60994d73f809d23bde0b249d263220088c59dc8d

SHA256
4a01ba20dc936767aece2dd7a6a5cc23ecf9058d05c289f97156bf5bdb715547

SHA512
0ee9dfccd18cf20cdb0f1fbb92a45ebcd15e3cc21a5c1729443eec5252222b7f7b96149c7209622b2e29c5c61e37539d3e5d339cae0bb210b86ca15ead6bec05

Download Submit
C:\Users\Admin\AppData\Local\Temp\skQg.exe

Filesize
125KB

MD5
8ba88477031100b0e775832a9743ad2e

SHA1
4673b63068deb94cb0aebe3b95743031897a2d73

SHA256
d8544ca07e91bae2d5b42bdb2c10da910528b70a89a56e462d95d198a2b8febf

SHA512
d8451f5256a3074fb923923849818183de02cdfa9f981bc7e47268e5cdbe813875a0e056eec27702f6d5f359ab3c5e345106aeb7fa367fcfd54c26b24f46d633

Download Submit
C:\Users\Admin\AppData\Local\Temp\ssUm.exe

Filesize
623KB

MD5
be94ff236635b3182c74d6b267383944

SHA1
32d622e0734bee97ab3c25965417f1b3a5d470fe

SHA256
1ce158c4eaff624d1a204edffe5c260f3d61dd16cbb5eb5e2d956442eb3df106

SHA512
1b38a19988896d6bd82fcd950b5f0e005b520228be5797374454b0551b7baa4174917b04b305dcf00f8d5c45272d77fa17cbb617c865efbc033ab8ccb03cc547

Download Submit
C:\Users\Admin\AppData\Local\Temp\uYsm.exe

Filesize
565KB

MD5
82068279629e3594a74b6dbf57e4d10b

SHA1
c79d0d6831d48d368e6ff51b3312a530941592a4

SHA256
9219c437bbe1e9f7df99b15916c6c87634939faabcbe55c84957c7fa06139b9c

SHA512
acfde1eb9ca948bb4326fa69e0166f6db9598efa7b82bbeb96d1517d91951863d0fd52a4c2b433ac833d28182cb08c8592225fcf25f3f61ae81fcfb7b25877d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ucMm.exe

Filesize
139KB

MD5
901ec123f454b829755544fd27b206d6

SHA1
c128285b1544aa0e87c9e9691d11b8279d82c175

SHA256
f687d98eb79a6a7e8150df362638ef937c0ebad19bfe5e26a4d25b9805e0066f

SHA512
d0d03ca21268fe1430ffda9f6451f4ad3fc01ce69cc340f85edf7fd2ac06c6198eda00163ad67f38a8c35aa38639f45170c782db8d860d3747627c0297da6e11

Download Submit
C:\Users\Admin\AppData\Local\Temp\ukMO.exe

Filesize
348KB

MD5
bd7ba5babcb972766e06e0e5718c93ac

SHA1
1c0036292eb91e8b1d733594ef72fa3c433fde66

SHA256
47e1e63ec7243d994ae281538358d752bc2603c27d36c6cab9994220e057ecee

SHA512
a3741a822f7faca293ad0f815b07a0ee998f5ba87612a9c96ede38beb257cbe76ed21fc0c911f52b46a2ee2f541d78c87a57e1c06e476d9302d973a5249bbbc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\uowW.exe

Filesize
719KB

MD5
395c5f338ddea5aefd343d266985ac04

SHA1
f45bf39361bffbb60d2320c11a226670dc2466d4

SHA256
8822fd2bea4845cfc8068da2295346207bf493a8e709e2b72f9dbaef98a3283e

SHA512
44a043c917cd5f57c088ec55f625146a598e1c3c86e096475665543fa64fe5f8dbb26b86d8f94ad5a2d87db5f7d8bd0c83fba0cc120abe07ed8bd4fea34ecbb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\wIwU.exe

Filesize
236KB

MD5
45244bb75974fd166868ea15a40c4784

SHA1
c44935dc78d8d29496db98904b0b66a754e6d25f

SHA256
62d436da278aeb125ecabb8c2308d2779eadb5f6c83b0fb89c973de3e330de3e

SHA512
cc4fa7516cdabf41388a13dfc884abbdb0a7e62a3e676a7e663ae08ea69bb987e583855debe1a27d173b6543517f6c5e134d8f0b52312170f892889ea33eb9db

Download Submit
C:\Users\Admin\AppData\Local\Temp\wMQw.exe

Filesize
554KB

MD5
ac06a2e9b83283e5e40575acdfd89a00

SHA1
80b45e46168e865d64715f40ab68405554dc6f5e

SHA256
e85b759865706882f0f9b72d9acec5fafe44bb000925dcc86b7470f447942c70

SHA512
d6f3055c6aee9cba5a3b62c32cfa83e7e418690c2bbb538e17a4b49f72e642313075b1c6da0bd79d55c21cc91935c7181efe830c01b2213c038be9feccf1c1b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\wQMm.exe

Filesize
338KB

MD5
cfb2d48d90aa504dcf348e3bdc36e772

SHA1
69ce9c0394a5ea8f12ce7a49e42706b79f19680c

SHA256
61ffe6ad3ecba616182b7bad0a640b9e124d05307c8406e65f63ddd9cb84ece1

SHA512
47e4889fa4c6afc9b40272f7575ab5e5a7fc638c65f2dfeafa772d43fc941beb15013ec5105b34d5b0a60c3fcb3c27367e5d89ea43979f54502f1d4f657728ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\wQUG.ico

Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\wYAk.exe

Filesize
113KB

MD5
8f56c8cbaff91ba35b29fe472fb37e81

SHA1
47eac26c1a641d994632e14ff9c8fa0ab7d0620f

SHA256
3effd9710f9af4baf364ee6107f2cd456b0804d16ff8f0d1b2147e881bb0483e

SHA512
887dfa8453a5ebaaae5b7a8d80ffe76908c0bde50e17e5d4d51d60de6edada2d329880e35fd2c558098174b8f4c3b2649b63eb3da16af637498bfab6e1b08dad

Download Submit
C:\Users\Admin\AppData\Local\Temp\wkMM.exe

Filesize
110KB

MD5
c397b80af8c7631740131e2564c2b558

SHA1
782751a44910bf5d91f6dc3ccf1f806bf39c7218

SHA256
6167af8ba09d55b35b36cfe8c2e4e790a9e7f8c9692285b9556eac499191b6ec

SHA512
6311de32c8d9a1f9e0ebadc9cc3f02eba4b704c9d16165a414d71ab070641b48fa833e10d5a0e6e0100fd6236a75407cde77d0b8ff5a4208abbdc58dfab81c73

Download Submit
C:\Users\Admin\AppData\Local\Temp\wsEk.exe

Filesize
110KB

MD5
d50dd13f460bcf62d94a96e174fe4063

SHA1
47bca03f0e7d4bc4f83df63a5942bc7ff4f9b377

SHA256
7de13fcaf348091d087d67c4604a633aa42f070dc594b4fa72c91512700c4e91

SHA512
c67e646cc5ab18f34f9a73e805b0840cc6350df75dd3b82ac8b907aa02ff79ffa7ccc4b298afa8823c8caeddff7c8582af734940915138e9f151cfe345765b6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\yMsA.ico

Filesize
4KB

MD5
57a6e18c725a35d98e4339eff8be7fba

SHA1
120ba558d214e1928e20d66775fc1d2b67bb761f

SHA256
9c9fd45790fe956176aeab743484780b62f28a6dcde6e85cb6c6279ff3323b16

SHA512
16d70a53aad93fb6b70368f981f9d58fb1bb45590513652ede3d1c8933f1d13d36b153fb2e9dea5fc1f6c8ada45a2142b8a8f20598e705d78376d3e28e9aa5fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\ykAI.exe

Filesize
148KB

MD5
9cb6845bad10124960731f84e8597fb2

SHA1
596c1579143692a8b803627e679bbe7ddf6436c9

SHA256
54c4d53ca656d374e32fb2957ba4b0c5c812071a47b71d55b65929af6e06a9bb

SHA512
e29175c7ad393d9978d92fee1d09f0b645ffcc8752ee24917291dd2b77a0bf9d86378441fccec72feb0822d8428c64110956ea5954408f35130c4c18428bb0ca

Download Submit
C:\Users\Admin\pyMwUIAQ\iqYYUIQk.exe

Filesize
109KB

MD5
a1b202e0ee1ca45f26f7586a569cd51d

SHA1
27d24ec2afd09cdcea8acc5daa5e6443979fb6cd

SHA256
7bc73426dfc15ec87027573bd95e103d96266ea675b07aa10eaa9227d0dcdde1

SHA512
d6593aed3d9c5dcce5231d3cd2fae8acccbd09c67713480d83bd0b289ff22056b68ce7a5a328026c14887eff511774c9b0f6bd6b47f08dc6c9ef167ee7550ab2

Download Submit
memory/404-369-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/740-115-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/740-99-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1008-360-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1008-352-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1056-221-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1056-233-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1412-14-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1416-334-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1416-325-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1484-370-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1484-361-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1696-291-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1796-12-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1908-51-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1908-67-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1972-274-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1972-267-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2092-316-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2180-256-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2180-265-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2200-299-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2264-31-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2264-17-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2312-220-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2312-211-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2520-111-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2520-127-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2948-197-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2964-147-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2964-163-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3244-87-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3244-103-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3300-307-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3532-43-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3656-333-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3656-342-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3676-208-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3776-63-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3776-79-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3908-20-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3908-0-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4176-151-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4176-135-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4252-257-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4252-241-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4548-123-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4548-139-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4568-351-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4568-343-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4568-159-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4568-175-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4584-245-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4584-232-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4584-171-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4584-186-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4812-283-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4812-275-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4820-42-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4820-55-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4912-315-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4912-324-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5080-75-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5080-91-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download