b0060eb3e956e601273b46efb59ae907457df14bece47eb63399ce361ce80966

Analysis

max time kernel
150s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
22/04/2024, 01:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
Size

235KB
MD5

09bf3f42a75392e9189c3c525d2d73b4
SHA1

a7b823440b5ac4a29f4e7a879d206a5afe122392
SHA256

b0060eb3e956e601273b46efb59ae907457df14bece47eb63399ce361ce80966
SHA512

60e0e8e4598f32b70f21633ba6bc9eaeaa11c59b9f5bd024cea4f306c4270d003d0890a0d62e36edf41db99fac7ecb0d0ce21508da7d89f8145d96689180aa13
SSDEEP

3072:ZaNQ+911lN+qSVi1gzyD5H+XVgWrjFyNPJLZCeA1q/Oo2Yisga0/Gwj93J0yiUAn:klGqHqe4SAZedMN82Y+a05j932h3VEvE

Score

10^/10

evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (81) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Blocklisted process makes network request 5 IoCs

flow	pid	Process
54	3904	sihclient.exe
58	3904	sihclient.exe
60	3904	sihclient.exe
62	3904	sihclient.exe
64	3904	sihclient.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation	okMMAQsY.exe

Executes dropped EXE 2 IoCs

pid	Process
4592	kIQooYMc.exe
1812	okMMAQsY.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\IuYkAAMs.exe = "C:\\ProgramData\\QoAcQAYk\\IuYkAAMs.exe"	2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kIQooYMc.exe = "C:\\Users\\Admin\\USgcsckc\\kIQooYMc.exe"	2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\okMMAQsY.exe = "C:\\ProgramData\\cWcYAgkU\\okMMAQsY.exe"	2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\okMMAQsY.exe = "C:\\ProgramData\\cWcYAgkU\\okMMAQsY.exe"	okMMAQsY.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kIQooYMc.exe = "C:\\Users\\Admin\\USgcsckc\\kIQooYMc.exe"	kIQooYMc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tqAEEAQs.exe = "C:\\Users\\Admin\\miEIIAgk\\tqAEEAQs.exe"	2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\shell32.dll.exe	okMMAQsY.exe
File opened for modification	C:\Windows\SysWOW64\shell32.dll.exe	okMMAQsY.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
5008	1352	WerFault.exe	1024
2568	3968	WerFault.exe	1025

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
396	reg.exe
8	reg.exe
1600	reg.exe
872	reg.exe
3412	Process not Found
2208	reg.exe
4016	reg.exe
2040	reg.exe
1896	reg.exe
3864	reg.exe
3668	reg.exe
4908	reg.exe
2624	reg.exe
4976	reg.exe
4600	reg.exe
3844	reg.exe
2432	reg.exe
4208	reg.exe
2132	reg.exe
3120	reg.exe
3364	reg.exe
1772	reg.exe
3364	Process not Found
1948	Process not Found
4692	reg.exe
5008	reg.exe
2892	reg.exe
1612	reg.exe
5016	Process not Found
4904	reg.exe
4700	reg.exe
4740	reg.exe
4588	reg.exe
1892	reg.exe
1584	reg.exe
1612	reg.exe
2336	Process not Found
1480	reg.exe
8	reg.exe
3952	reg.exe
3316	reg.exe
4864	reg.exe
5108	Process not Found
5104	reg.exe
4900	reg.exe
4620	reg.exe
2480	reg.exe
1568	reg.exe
1256	reg.exe
4744	reg.exe
2988	reg.exe
1036	reg.exe
1892	reg.exe
2680	reg.exe
1384	reg.exe
2248	reg.exe
3696	reg.exe
4564	reg.exe
4616	reg.exe
4900	Process not Found
3384	reg.exe
1600	reg.exe
644	reg.exe
1524	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1176	2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
1176	2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
1176	2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
1176	2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
2776	2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
2776	2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
2776	2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
2776	2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
4684	2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
4684	2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
4684	2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
4684	2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
4412	2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
4412	2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
4412	2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
4412	2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
1832	2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
1832	2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
1832	2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
1832	2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
1528	2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
1528	2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
1528	2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
1528	2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
3948	2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
3948	2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
3948	2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
3948	2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
1892	2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
1892	2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
1892	2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
1892	2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
4748	2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
4748	2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
4748	2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
4748	2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
2208	2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
2208	2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
2208	2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
2208	2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
704	2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
704	2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
704	2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
704	2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
1784	2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
1784	2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
1784	2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
1784	2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
1680	2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
1680	2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
1680	2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
1680	2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
4084	2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
4084	2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
4084	2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
4084	2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
1544	2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
1544	2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
1544	2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
1544	2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
4348	2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
4348	2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
4348	2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
4348	2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1812	okMMAQsY.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1812	okMMAQsY.exe
1812	okMMAQsY.exe
1812	okMMAQsY.exe
1812	okMMAQsY.exe
1812	okMMAQsY.exe
1812	okMMAQsY.exe
1812	okMMAQsY.exe
1812	okMMAQsY.exe
1812	okMMAQsY.exe
1812	okMMAQsY.exe
1812	okMMAQsY.exe
1812	okMMAQsY.exe
1812	okMMAQsY.exe
1812	okMMAQsY.exe
1812	okMMAQsY.exe
1812	okMMAQsY.exe
1812	okMMAQsY.exe
1812	okMMAQsY.exe
1812	okMMAQsY.exe
1812	okMMAQsY.exe
1812	okMMAQsY.exe
1812	okMMAQsY.exe
1812	okMMAQsY.exe
1812	okMMAQsY.exe
1812	okMMAQsY.exe
1812	okMMAQsY.exe
1812	okMMAQsY.exe
1812	okMMAQsY.exe
1812	okMMAQsY.exe
1812	okMMAQsY.exe
1812	okMMAQsY.exe
1812	okMMAQsY.exe
1812	okMMAQsY.exe
1812	okMMAQsY.exe
1812	okMMAQsY.exe
1812	okMMAQsY.exe
1812	okMMAQsY.exe
1812	okMMAQsY.exe
1812	okMMAQsY.exe
1812	okMMAQsY.exe
1812	okMMAQsY.exe
1812	okMMAQsY.exe
1812	okMMAQsY.exe
1812	okMMAQsY.exe
1812	okMMAQsY.exe
1812	okMMAQsY.exe
1812	okMMAQsY.exe
1812	okMMAQsY.exe
1812	okMMAQsY.exe
1812	okMMAQsY.exe
1812	okMMAQsY.exe
1812	okMMAQsY.exe
1812	okMMAQsY.exe
1812	okMMAQsY.exe
1812	okMMAQsY.exe
1812	okMMAQsY.exe
1812	okMMAQsY.exe
1812	okMMAQsY.exe
1812	okMMAQsY.exe
1812	okMMAQsY.exe
1812	okMMAQsY.exe
1812	okMMAQsY.exe
1812	okMMAQsY.exe
1812	okMMAQsY.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1176 wrote to memory of 4592	1176	2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe	87
PID 1176 wrote to memory of 4592	1176	2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe	87
PID 1176 wrote to memory of 4592	1176	2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe	87
PID 1176 wrote to memory of 1812	1176	2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe	88
PID 1176 wrote to memory of 1812	1176	2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe	88
PID 1176 wrote to memory of 1812	1176	2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe	88
PID 1176 wrote to memory of 2484	1176	2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe	89
PID 1176 wrote to memory of 2484	1176	2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe	89
PID 1176 wrote to memory of 2484	1176	2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe	89
PID 1176 wrote to memory of 5112	1176	2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe	91
PID 1176 wrote to memory of 5112	1176	2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe	91
PID 1176 wrote to memory of 5112	1176	2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe	91
PID 1176 wrote to memory of 2472	1176	2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe	92
PID 1176 wrote to memory of 2472	1176	2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe	92
PID 1176 wrote to memory of 2472	1176	2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe	92
PID 1176 wrote to memory of 1952	1176	2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe	93
PID 1176 wrote to memory of 1952	1176	2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe	93
PID 1176 wrote to memory of 1952	1176	2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe	93
PID 1176 wrote to memory of 4368	1176	2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe	94
PID 1176 wrote to memory of 4368	1176	2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe	94
PID 1176 wrote to memory of 4368	1176	2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe	94
PID 2484 wrote to memory of 2776	2484	cmd.exe	99
PID 2484 wrote to memory of 2776	2484	cmd.exe	99
PID 2484 wrote to memory of 2776	2484	cmd.exe	99
PID 4368 wrote to memory of 3296	4368	cmd.exe	100
PID 4368 wrote to memory of 3296	4368	cmd.exe	100
PID 4368 wrote to memory of 3296	4368	cmd.exe	100
PID 2776 wrote to memory of 704	2776	2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe	101
PID 2776 wrote to memory of 704	2776	2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe	101
PID 2776 wrote to memory of 704	2776	2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe	101
PID 704 wrote to memory of 4684	704	cmd.exe	103
PID 704 wrote to memory of 4684	704	cmd.exe	103
PID 704 wrote to memory of 4684	704	cmd.exe	103
PID 2776 wrote to memory of 3384	2776	2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe	105
PID 2776 wrote to memory of 3384	2776	2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe	105
PID 2776 wrote to memory of 3384	2776	2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe	105
PID 2776 wrote to memory of 4904	2776	2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe	106
PID 2776 wrote to memory of 4904	2776	2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe	106
PID 2776 wrote to memory of 4904	2776	2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe	106
PID 2776 wrote to memory of 2584	2776	2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe	107
PID 2776 wrote to memory of 2584	2776	2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe	107
PID 2776 wrote to memory of 2584	2776	2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe	107
PID 2776 wrote to memory of 4240	2776	2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe	108
PID 2776 wrote to memory of 4240	2776	2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe	108
PID 2776 wrote to memory of 4240	2776	2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe	108
PID 4240 wrote to memory of 1188	4240	cmd.exe	113
PID 4240 wrote to memory of 1188	4240	cmd.exe	113
PID 4240 wrote to memory of 1188	4240	cmd.exe	113
PID 4684 wrote to memory of 1084	4684	2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe	114
PID 4684 wrote to memory of 1084	4684	2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe	114
PID 4684 wrote to memory of 1084	4684	2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe	114
PID 1084 wrote to memory of 4412	1084	cmd.exe	116
PID 1084 wrote to memory of 4412	1084	cmd.exe	116
PID 1084 wrote to memory of 4412	1084	cmd.exe	116
PID 4684 wrote to memory of 1236	4684	2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe	117
PID 4684 wrote to memory of 1236	4684	2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe	117
PID 4684 wrote to memory of 1236	4684	2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe	117
PID 4684 wrote to memory of 3148	4684	2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe	118
PID 4684 wrote to memory of 3148	4684	2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe	118
PID 4684 wrote to memory of 3148	4684	2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe	118
PID 4684 wrote to memory of 3096	4684	2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe	119
PID 4684 wrote to memory of 3096	4684	2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe	119
PID 4684 wrote to memory of 3096	4684	2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe	119
PID 4684 wrote to memory of 3020	4684	2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe	120

C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1176
- C:\Users\Admin\USgcsckc\kIQooYMc.exe
  "C:\Users\Admin\USgcsckc\kIQooYMc.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4592
- C:\ProgramData\cWcYAgkU\okMMAQsY.exe
  "C:\ProgramData\cWcYAgkU\okMMAQsY.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:1812
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2484
- - C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
    C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2776
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:704
    - - C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4684
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1084
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock"
        8⤵
        
        PID:2084
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock"
        10⤵
        
        PID:2472
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock"
        12⤵
        
        PID:1512
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock"
        14⤵
        
        PID:4384
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock"
        16⤵
        
        PID:4596
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock"
        18⤵
        
        PID:4736
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock"
        20⤵
        
        PID:4368
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock"
        22⤵
        
        PID:2872
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock"
        24⤵
        
        PID:4460
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock"
        26⤵
        
        PID:4144
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock"
        28⤵
        
        PID:616
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock"
        30⤵
        
        PID:4892
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock"
        32⤵
        
        PID:4896
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock
        33⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock"
        34⤵
        
        PID:3756
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock
        35⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock"
        36⤵
        
        PID:616
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        37⤵
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock
        37⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock"
        38⤵
        
        PID:3164
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock
        39⤵
        
        PID:4620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock"
        40⤵
        
        PID:3584
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock
        41⤵
        
        PID:116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock"
        42⤵
        
        PID:3984
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        43⤵
        
        PID:432
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock
        43⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock"
        44⤵
        
        PID:4304
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock
        45⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock"
        46⤵
        
        PID:3600
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock
        47⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock"
        48⤵
        
        PID:4176
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock
        49⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock"
        50⤵
        
        PID:4760
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock
        51⤵
        
        PID:736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock"
        52⤵
        
        PID:3404
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock
        53⤵
        
        PID:1384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock"
        54⤵
        
        PID:2252
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock
        55⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock"
        56⤵
        
        PID:4176
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock
        57⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock"
        58⤵
        
        PID:3844
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock
        59⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock"
        60⤵
        
        PID:2708
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock
        61⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock"
        62⤵
        
        PID:2164
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock
        63⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock"
        64⤵
        
        PID:4176
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock
        65⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock"
        66⤵
        
        PID:3844
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock
        67⤵
        
        PID:3864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock"
        68⤵
        
        PID:3004
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock
        69⤵
        
        PID:1356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock"
        70⤵
        
        PID:4276
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock
        71⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock"
        72⤵
        
        PID:1780
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock
        73⤵
        
        PID:3452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock"
        74⤵
        
        PID:644
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock
        75⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock"
        76⤵
        
        PID:2552
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock
        77⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock"
        78⤵
        
        PID:4992
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock
        79⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock"
        80⤵
        
        PID:4176
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock
        81⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock"
        82⤵
        
        PID:4164
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock
        83⤵
        
        PID:4140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock"
        84⤵
        
        PID:940
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock
        85⤵
        
        PID:3160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock"
        86⤵
        
        PID:400
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock
        87⤵
        
        PID:3844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock"
        88⤵
        
        PID:4976
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock
        89⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock"
        90⤵
        
        PID:1176
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock
        91⤵
        
        PID:3676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock"
        92⤵
        
        PID:4564
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock
        93⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock"
        94⤵
        
        PID:4012
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock
        95⤵
        
        PID:3364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock"
        96⤵
        
        PID:4976
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock
        97⤵
        
        PID:4172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock"
        98⤵
        
        PID:3176
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock
        99⤵
        
        PID:996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock"
        100⤵
        
        PID:4304
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock
        101⤵
        
        PID:3864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock"
        102⤵
        
        PID:1176
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock
        103⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock"
        104⤵
        
        PID:4744
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock
        105⤵
        
        PID:4564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock"
        106⤵
        
        PID:616
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock
        107⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock"
        108⤵
        
        PID:1528
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock
        109⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock"
        110⤵
        
        PID:2200
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock
        111⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock"
        112⤵
        
        PID:2844
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock
        113⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock"
        114⤵
        
        PID:2148
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock
        115⤵
        
        PID:3304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock"
        116⤵
        
        PID:4368
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock
        117⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock"
        118⤵
        
        PID:4476
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock
        119⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock"
        120⤵
        
        PID:4820
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock
        121⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock"
        122⤵
        
        PID:1896
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock
        123⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock"
        124⤵
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock
        125⤵
        
        PID:1188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock"
        126⤵
        
        PID:4828
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock
        127⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock"
        128⤵
        
        PID:2068
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock
        129⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock"
        130⤵
        
        PID:3096
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock
        131⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock"
        132⤵
        
        PID:4276
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock
        133⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock"
        134⤵
        
        PID:1508
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock
        135⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock"
        136⤵
        
        PID:1352
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock
        137⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock"
        138⤵
        
        PID:4700
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock
        139⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock"
        140⤵
        
        PID:4476
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock
        141⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock"
        142⤵
        
        PID:4632
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock
        143⤵
        
        PID:4152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock"
        144⤵
        
        PID:4276
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock
        145⤵
        
        PID:3340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock"
        146⤵
        
        PID:3600
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock
        147⤵
        
        PID:460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock"
        148⤵
        
        PID:4152
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock
        149⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock"
        150⤵
        
        PID:3968
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock
        151⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock"
        152⤵
        
        PID:4128
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock
        153⤵
        
        PID:1188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock"
        154⤵
        
        PID:368
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock
        155⤵
        Adds Run key to start application
        
        PID:4596
        
        C:\Users\Admin\miEIIAgk\tqAEEAQs.exe
        
        "C:\Users\Admin\miEIIAgk\tqAEEAQs.exe"
        156⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1352 -s 224
        157⤵
        Program crash
        
        PID:5008
        
        C:\ProgramData\QoAcQAYk\IuYkAAMs.exe
        
        "C:\ProgramData\QoAcQAYk\IuYkAAMs.exe"
        156⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3968 -s 224
        157⤵
        Program crash
        
        PID:2568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock"
        156⤵
        
        PID:1892
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock
        157⤵
        
        PID:448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock"
        158⤵
        
        PID:116
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock
        159⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock"
        160⤵
        
        PID:3296
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock
        161⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock"
        162⤵
        
        PID:2936
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock
        163⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock"
        164⤵
        
        PID:432
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock
        165⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock"
        166⤵
        
        PID:4932
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock
        167⤵
        
        PID:3668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock"
        168⤵
        
        PID:3612
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock
        169⤵
        
        PID:1176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock"
        170⤵
        
        PID:3352
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock
        171⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock"
        172⤵
        
        PID:4052
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock
        173⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock"
        174⤵
        
        PID:4520
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock
        175⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock"
        176⤵
        
        PID:3096
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock
        177⤵
        
        PID:644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock"
        178⤵
        
        PID:4632
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock
        179⤵
        
        PID:3352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock"
        180⤵
        
        PID:1988
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock
        181⤵
        
        PID:1356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock"
        182⤵
        
        PID:212
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock
        183⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock"
        184⤵
        
        PID:1612
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock
        185⤵
        
        PID:3164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock"
        186⤵
        
        PID:4476
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        187⤵
        
        PID:1948
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock
        187⤵
        
        PID:432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock"
        188⤵
        
        PID:2636
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock
        189⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock"
        190⤵
        
        PID:4400
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock
        191⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock"
        192⤵
        
        PID:4828
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock
        193⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock"
        194⤵
        
        PID:2544
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        195⤵
        
        PID:4468
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock
        195⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock"
        196⤵
        
        PID:3984
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock
        197⤵
        
        PID:532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock"
        198⤵
        
        PID:4824
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        199⤵
        
        PID:2932
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock
        199⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock"
        200⤵
        
        PID:216
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock
        201⤵
        
        PID:336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock"
        202⤵
        
        PID:1904
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock
        203⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock"
        204⤵
        
        PID:3388
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock
        205⤵
        
        PID:3924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock"
        206⤵
        
        PID:4176
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock
        207⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock"
        208⤵
        
        PID:3068
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock
        209⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock"
        210⤵
        
        PID:3948
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock
        211⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock"
        212⤵
        
        PID:5032
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock
        213⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock"
        214⤵
        
        PID:3256
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock
        215⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock"
        216⤵
        
        PID:8
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock
        217⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock"
        218⤵
        
        PID:4972
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock
        219⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock"
        220⤵
        
        PID:3676
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        221⤵
        
        PID:980
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock
        221⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock"
        222⤵
        
        PID:4396
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock
        223⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock"
        224⤵
        
        PID:3964
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock
        225⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock"
        226⤵
        
        PID:1612
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock
        227⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock"
        228⤵
        
        PID:2208
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock
        229⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock"
        230⤵
        
        PID:1568
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock
        231⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock"
        232⤵
        
        PID:5108
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        233⤵
        
        PID:940
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock
        233⤵
        
        PID:316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock"
        234⤵
        
        PID:3948
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock
        235⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock"
        236⤵
        
        PID:2636
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock
        237⤵
        
        PID:3152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock"
        238⤵
        
        PID:644
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock
        239⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock"
        240⤵
        
        PID:2336
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock
        241⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock"
        242⤵
        
        PID:1356
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock
        243⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock"
        244⤵
        
        PID:4384
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        245⤵
        
        PID:1924
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock
        245⤵
        
        PID:1188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock"
        246⤵
        
        PID:3948
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        247⤵
        
        PID:1740
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock
        247⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock"
        248⤵
        
        PID:5004
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock
        249⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock"
        250⤵
        
        PID:5096
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock
        251⤵
        
        PID:3164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock"
        252⤵
        
        PID:1948
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock
        253⤵
        
        PID:368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock"
        254⤵
        
        PID:1384
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock
        255⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock"
        256⤵
        
        PID:4416
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock
        257⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock"
        258⤵
        
        PID:2264
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        259⤵
        
        PID:4140
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock
        259⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock"
        260⤵
        
        PID:4488
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock
        261⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock"
        262⤵
        
        PID:2588
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        263⤵
        
        PID:3648
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock
        263⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock"
        264⤵
        
        PID:4176
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock
        265⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock"
        266⤵
        
        PID:2844
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        267⤵
        
        PID:4384
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock
        267⤵
        
        PID:3096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock"
        268⤵
        
        PID:2028
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock
        269⤵
        
        PID:4152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock"
        270⤵
        
        PID:1992
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock
        271⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        270⤵
        
        PID:3752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        268⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        268⤵
        
        PID:3164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        268⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GWcYoUQI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe""
        268⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        269⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        266⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1780
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        267⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        266⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        266⤵
        UAC bypass
        
        PID:3600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DKIUsIsY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe""
        266⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        267⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        264⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        264⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        264⤵
        UAC bypass
        
        PID:2292
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        265⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DWwkgMoo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe""
        264⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        265⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        262⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        262⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        262⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lkUQsEAc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe""
        262⤵
        
        PID:3160
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        263⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        263⤵
        
        PID:4148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        260⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        260⤵
        
        PID:2932
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        261⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        260⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JccEkEcg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe""
        260⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        261⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        258⤵
        
        PID:4348
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        259⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        258⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        258⤵
        
        PID:3364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RQEoIcso.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe""
        258⤵
        
        PID:3904
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        259⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        259⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        256⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        256⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        256⤵
        UAC bypass
        
        PID:4012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\migwoEMk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe""
        256⤵
        
        PID:448
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        257⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        254⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2252
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        255⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        254⤵
        Modifies registry key
        
        PID:1772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        254⤵
        
        PID:1436
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        255⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AGIgUkwE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe""
        254⤵
        
        PID:792
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        255⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        252⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        252⤵
        
        PID:224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        252⤵
        Modifies registry key
        
        PID:1612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aiYgYYME.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe""
        252⤵
        
        PID:2292
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        253⤵
        
        PID:116
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        253⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        250⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        250⤵
        Modifies registry key
        
        PID:4600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        250⤵
        UAC bypass
        
        PID:3544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\euwowQoE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe""
        250⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        251⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        248⤵
        
        PID:3696
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        249⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        248⤵
        Modifies registry key
        
        PID:3364
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        249⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        248⤵
        
        PID:4240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LeAoQIQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe""
        248⤵
        
        PID:396
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        249⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        249⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        246⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        246⤵
        
        PID:432
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        247⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        246⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nYUswMsg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe""
        246⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        247⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        244⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        244⤵
        
        PID:224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        244⤵
        UAC bypass
        
        PID:1720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qaAEIUck.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe""
        244⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        245⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        242⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        242⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        242⤵
        UAC bypass
        Modifies registry key
        
        PID:1524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UAcQYwUM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe""
        242⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        243⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        240⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        240⤵
        Modifies registry key
        
        PID:3696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        240⤵
        UAC bypass
        
        PID:4052
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        241⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UukMYckY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe""
        240⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        241⤵
        
        PID:3176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        238⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        238⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        238⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OQAoEQkM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe""
        238⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        239⤵
        
        PID:3668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        236⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        236⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        236⤵
        UAC bypass
        
        PID:4976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zgIMEwIs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe""
        236⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        237⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        234⤵
        
        PID:616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        234⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        234⤵
        Modifies registry key
        
        PID:2248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VGAwUsck.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe""
        234⤵
        
        PID:3112
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        235⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        235⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        232⤵
        
        PID:432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        232⤵
        
        PID:3352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        232⤵
        
        PID:4164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ESMgMMoI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe""
        232⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        233⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        230⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        230⤵
        
        PID:4724
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        231⤵
        
        PID:3296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        230⤵
        Modifies registry key
        
        PID:3120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sMIEkYcA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe""
        230⤵
        
        PID:3256
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        231⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        231⤵
        
        PID:3228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        228⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4888
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        229⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        228⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        228⤵
        UAC bypass
        
        PID:1720
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        229⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qgwcQYEI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe""
        228⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        229⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        226⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        226⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        226⤵
        UAC bypass
        
        PID:3648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dUkcwkUc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe""
        226⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        227⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        224⤵
        Modifies registry key
        
        PID:4908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        224⤵
        Modifies registry key
        
        PID:3316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        224⤵
        
        PID:1924
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        225⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FMcEooYM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe""
        224⤵
        
        PID:3120
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        225⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        222⤵
        
        PID:3068
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        223⤵
        
        PID:3952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        222⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        222⤵
        
        PID:4400
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        223⤵
        
        PID:1188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jyYAUgYU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe""
        222⤵
        
        PID:3536
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        223⤵
        
        PID:4208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        220⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4736
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        221⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        220⤵
        
        PID:3352
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        221⤵
        
        PID:460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        220⤵
        Modifies registry key
        
        PID:1584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fQcYYgsE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe""
        220⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        221⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        218⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        218⤵
        
        PID:1508
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        219⤵
        
        PID:532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        218⤵
        UAC bypass
        
        PID:4888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kaQUkQEU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe""
        218⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        219⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        216⤵
        
        PID:644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        216⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        216⤵
        Modifies registry key
        
        PID:4744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\euwAcMks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe""
        216⤵
        
        PID:4140
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        217⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        214⤵
        Modifies registry key
        
        PID:1600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        214⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        214⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sIoYQgss.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe""
        214⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        215⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        212⤵
        
        PID:2336
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        213⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        212⤵
        Modifies registry key
        
        PID:1612
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        213⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        212⤵
        UAC bypass
        
        PID:1256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kikcwcoc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe""
        212⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        213⤵
        
        PID:368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        210⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        210⤵
        
        PID:4620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        210⤵
        
        PID:1356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pYggQAYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe""
        210⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        211⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        208⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        208⤵
        
        PID:2812
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        209⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        208⤵
        UAC bypass
        
        PID:4736
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        209⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fAsUkksE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe""
        208⤵
        
        PID:116
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        209⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        206⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2072
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        207⤵
        
        PID:3096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        206⤵
        
        PID:4764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        206⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PAEEQgsw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe""
        206⤵
        
        PID:940
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        207⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        204⤵
        Modifies registry key
        
        PID:1384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        204⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        204⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AOsUEQkg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe""
        204⤵
        
        PID:4368
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        205⤵
        
        PID:380
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        205⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        202⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        202⤵
        
        PID:4632
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        203⤵
        
        PID:3536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        202⤵
        UAC bypass
        
        PID:1472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MowUkUgA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe""
        202⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        203⤵
        
        PID:980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        200⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        200⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        200⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\umAUsIgs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe""
        200⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        201⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        198⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        198⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        198⤵
        UAC bypass
        
        PID:4972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SSAcsAII.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe""
        198⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        199⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        196⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        196⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        196⤵
        Modifies registry key
        
        PID:1600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FMQwIQUM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe""
        196⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        197⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        194⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        194⤵
        
        PID:4976
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        195⤵
        
        PID:3544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        194⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xEcIgkYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe""
        194⤵
        
        PID:2988
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        195⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        195⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        192⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        192⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        192⤵
        UAC bypass
        
        PID:628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\psAsYAIY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe""
        192⤵
        
        PID:1188
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        193⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        190⤵
        
        PID:996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        190⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        190⤵
        UAC bypass
        Modifies registry key
        
        PID:8
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        191⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BQIgUEUM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe""
        190⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        191⤵
        
        PID:432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        188⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4520
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        189⤵
        
        PID:3380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        188⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        188⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YMEEgsco.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe""
        188⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        189⤵
        
        PID:460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        186⤵
        
        PID:4128
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        187⤵
        
        PID:4152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        186⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        186⤵
        Modifies registry key
        
        PID:3668
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        187⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UaYcAMgA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe""
        186⤵
        
        PID:368
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        187⤵
        
        PID:3952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        184⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4040
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        185⤵
        
        PID:3452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        184⤵
        
        PID:3904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        184⤵
        
        PID:5008
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        185⤵
        
        PID:3352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OKQYkwQE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe""
        184⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        185⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        182⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        182⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        182⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kCsIIsAI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe""
        182⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        183⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        180⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        180⤵
        
        PID:3536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        180⤵
        UAC bypass
        
        PID:380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jwMcsMMU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe""
        180⤵
        
        PID:532
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        181⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        181⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        178⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        178⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        178⤵
        UAC bypass
        
        PID:1368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xEwoMkwg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe""
        178⤵
        
        PID:880
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        179⤵
        
        PID:3164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        176⤵
        
        PID:4240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        176⤵
        
        PID:2336
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        177⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        176⤵
        UAC bypass
        
        PID:4596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RIwEQYcM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe""
        176⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        177⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        174⤵
        
        PID:4152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        174⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        174⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YOcosUYM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe""
        174⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        175⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        172⤵
        
        PID:3672
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        173⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        172⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        172⤵
        
        PID:3544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gOQwQwsY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe""
        172⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        173⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        170⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        170⤵
        
        PID:1916
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        171⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        170⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wyAoMokY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe""
        170⤵
        
        PID:3380
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        171⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        168⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        168⤵
        
        PID:628
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        169⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        168⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SQgcQwIE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe""
        168⤵
        
        PID:4952
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        169⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        166⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        166⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        166⤵
        UAC bypass
        
        PID:3452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZKwgQcgA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe""
        166⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        167⤵
        
        PID:3412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        164⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        164⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        164⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TiYEAEcs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe""
        164⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        165⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        162⤵
        
        PID:1176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        162⤵
        
        PID:4940
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        163⤵
        
        PID:1188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        162⤵
        Modifies registry key
        
        PID:396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XmcsQQIU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe""
        162⤵
        
        PID:5008
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        163⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        163⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        160⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        160⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        160⤵
        UAC bypass
        
        PID:4052
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        161⤵
        
        PID:368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PSgwkAYc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe""
        160⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        161⤵
        
        PID:3164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        158⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        158⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        158⤵
        UAC bypass
        
        PID:4564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ASEkcYUs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe""
        158⤵
        
        PID:1232
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        159⤵
        
        PID:3676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        156⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        156⤵
        
        PID:3672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        156⤵
        
        PID:2744
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        157⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ucgIgMcQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe""
        156⤵
        
        PID:2872
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        157⤵
        
        PID:3952
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        157⤵
        
        PID:4492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        154⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4416
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        155⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        154⤵
        
        PID:116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        154⤵
        UAC bypass
        
        PID:2628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WKscUgMw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe""
        154⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        155⤵
        
        PID:432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        152⤵
        
        PID:3672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        152⤵
        Modifies registry key
        
        PID:8
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        152⤵
        UAC bypass
        Modifies registry key
        
        PID:3952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YawcAEsE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe""
        152⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        153⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        150⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        150⤵
        
        PID:2480
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        151⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        150⤵
        Modifies registry key
        
        PID:1256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LGoYEowU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe""
        150⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        151⤵
        
        PID:880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        148⤵
        
        PID:1540
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        149⤵
        
        PID:4176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        148⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        148⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZGEAoocE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe""
        148⤵
        
        PID:536
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        149⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        149⤵
        
        PID:368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        146⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        146⤵
        Modifies registry key
        
        PID:1892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        146⤵
        
        PID:4620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HigggggU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe""
        146⤵
        
        PID:4564
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        147⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        144⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        144⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        144⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sUkYkwYQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe""
        144⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        145⤵
        
        PID:4176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        142⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        142⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        142⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WGMwQAoU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe""
        142⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        143⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        140⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        140⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        140⤵
        
        PID:3668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\akscYskg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe""
        140⤵
        
        PID:4620
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        141⤵
        
        PID:396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        138⤵
        Modifies visibility of file extensions in Explorer
        
        PID:736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        138⤵
        
        PID:996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        138⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kyUIYsUI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe""
        138⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        139⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        136⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        136⤵
        
        PID:3484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        136⤵
        UAC bypass
        
        PID:4152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ROkgwwUA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe""
        136⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        137⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        134⤵
        
        PID:3668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        134⤵
        Modifies registry key
        
        PID:1896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        134⤵
        UAC bypass
        
        PID:4620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FuwgQcQM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe""
        134⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        135⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        132⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        132⤵
        Modifies registry key
        
        PID:644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        132⤵
        UAC bypass
        
        PID:4424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\roYwEEUI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe""
        132⤵
        
        PID:3296
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        133⤵
        
        PID:880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        
        PID:792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FsoMgwII.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe""
        130⤵
        
        PID:3452
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        131⤵
        
        PID:4492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        
        PID:3672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        
        PID:432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        UAC bypass
        
        PID:1512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MQMMEkwQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe""
        128⤵
        
        PID:3164
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        129⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CQsYYgkI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe""
        126⤵
        
        PID:736
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        UAC bypass
        Modifies registry key
        
        PID:1568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kycoccEw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe""
        124⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        Modifies visibility of file extensions in Explorer
        
        PID:940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        
        PID:4744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        UAC bypass
        
        PID:2936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ryoQoIEc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe""
        122⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        
        PID:980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        
        PID:4172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RCUEAEwc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe""
        120⤵
        
        PID:3952
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        
        PID:3668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        
        PID:4492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        
        PID:1452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rUsEoEYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe""
        118⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        
        PID:4744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LYoQIkso.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe""
        116⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uagcYAoo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe""
        114⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        
        PID:3316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        
        PID:4700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IAscsIkY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe""
        112⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        
        PID:336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        
        PID:4164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AqEAcIcY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe""
        110⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        
        PID:3380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        
        PID:432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IMkQIUIo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe""
        108⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        Modifies registry key
        
        PID:2480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BIkUooAI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe""
        106⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:1232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        Modifies registry key
        
        PID:2432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DiAkcMsE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe""
        104⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        Modifies registry key
        
        PID:4208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        UAC bypass
        
        PID:1384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zkYIQoAg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe""
        102⤵
        
        PID:432
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:4152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kMUYwYsw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe""
        100⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        Modifies registry key
        
        PID:4016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        UAC bypass
        
        PID:536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WgQsAIQY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe""
        98⤵
        
        PID:736
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        
        PID:940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        Modifies registry key
        
        PID:4620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qqwowosg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe""
        96⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zecgowss.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe""
        94⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:4700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        UAC bypass
        
        PID:4348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZQUMUcgk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe""
        92⤵
        
        PID:980
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        
        PID:460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        UAC bypass
        
        PID:368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TwUsYgsg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe""
        90⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:4876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        
        PID:3304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        UAC bypass
        
        PID:1368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zAEsgMgc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe""
        88⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:4164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        UAC bypass
        
        PID:4208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ISEoAgsM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe""
        86⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        
        PID:632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        UAC bypass
        Modifies registry key
        
        PID:1036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AOgYAwgg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe""
        84⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:3304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        Modifies registry key
        
        PID:4700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YgoIAYkg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe""
        82⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:3864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        Modifies registry key
        
        PID:3844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        UAC bypass
        
        PID:1860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UcAsQkgo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe""
        80⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        
        PID:3952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZGgAkgwg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe""
        78⤵
        
        PID:656
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        
        PID:3304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        
        PID:4164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jcMIkEws.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe""
        76⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        
        PID:3336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        UAC bypass
        
        PID:2588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zeIocMIc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe""
        74⤵
        
        PID:736
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:1356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        Modifies registry key
        
        PID:4616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aCMccoUA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe""
        72⤵
        
        PID:3164
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kqEsIUkg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe""
        70⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        UAC bypass
        
        PID:2292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WAUkcggk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe""
        68⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        
        PID:632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UswEEgwg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe""
        66⤵
        
        PID:4240
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZUAIQMUY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe""
        64⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        
        PID:3380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        
        PID:644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xUgQUIEc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe""
        62⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        Modifies registry key
        
        PID:5104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dkcoIEwg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe""
        60⤵
        
        PID:3952
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        Modifies registry key
        
        PID:2208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wUQEgkAw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe""
        58⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        Modifies registry key
        
        PID:2132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:4188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        UAC bypass
        
        PID:5008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kIMMosow.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe""
        56⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WAMYAYcs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe""
        54⤵
        
        PID:792
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        
        PID:3160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iKQcMEcM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe""
        52⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:3452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        UAC bypass
        
        PID:5008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\recwMoUo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe""
        50⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        Modifies registry key
        
        PID:1480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NmEoMUgQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe""
        48⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        
        PID:3340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        UAC bypass
        
        PID:4348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ysEEEAMU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe""
        46⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:3584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        UAC bypass
        
        PID:3020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UswoMYUA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe""
        44⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        Modifies registry key
        
        PID:2624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        
        PID:4744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AswMUQEg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe""
        42⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        UAC bypass
        
        PID:3616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UIUIAAIo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe""
        40⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:3756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:4588
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        39⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NqMgAAwY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe""
        38⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        
        PID:4740
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        37⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TSIwYkAc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe""
        36⤵
        
        PID:4452
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        Modifies registry key
        
        PID:4564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        
        PID:2472
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        35⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nyYMgQok.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe""
        34⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        UAC bypass
        
        PID:4692
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        33⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WSUwQsIE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe""
        32⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:3452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        Modifies registry key
        
        PID:2040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        
        PID:2872
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        31⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cmgYYEIU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe""
        30⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:4452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies registry key
        
        PID:5008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:3380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        
        PID:3952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qCMcskAc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe""
        28⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies registry key
        
        PID:4588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        
        PID:3316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IYcEQYMk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe""
        26⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        
        PID:3844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        UAC bypass
        
        PID:3580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rAkkkQMc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe""
        24⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        UAC bypass
        
        PID:2004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\buYUsIsg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe""
        22⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:3584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        
        PID:400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xokIskMo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe""
        20⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JgoQgUMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe""
        18⤵
        
        PID:736
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:1176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OQAQgMQA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe""
        16⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        
        PID:804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        
        PID:4176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eiUcgEEw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe""
        14⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        
        PID:3544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:4188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kecAYIYM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe""
        12⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:3472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        
        PID:3176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BoAcIMEg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe""
        10⤵
        
        PID:368
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:4164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        Modifies registry key
        
        PID:4692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TUoIIoMo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe""
        8⤵
        
        PID:4876
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:1176
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1236
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:3148
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        
        PID:3096
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XkEYUMsw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe""
        6⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:1232
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies registry key
      PID:3384
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Modifies registry key
      PID:4904
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:2584
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jcgcIIcA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4240
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:1188
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:5112
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2472
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:1952
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WCwkYUwY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4368
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:3296

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:4144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1352 -ip 1352
1⤵
PID:3120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3968 -ip 3968
1⤵
PID:4736

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv L4xpGgAhrkGHfLM8CmUnhg.0.2
1⤵
- Blocklisted process makes network request
PID:3904

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:4368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe

Filesize
231KB

MD5
942ee6861e387069b1cd02bc1c86c119

SHA1
942ce2c6c2873aa5ace80a2a8d748b260f0568b0

SHA256
a5f2753c372752da74ae00490292e8575a98a7373cb1adfc63cd9bc3a6165fba

SHA512
3ae4cb7765b2c991bcad7fb4b3a8be92bf8e03093658e28f270b087d109809e791ab5c6859836e41113980407ed78eb11920e5614eed27c4180650f0c1b5c36b

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe

Filesize
323KB

MD5
fcd4b5495febcc1563537acbe95566bd

SHA1
ea6280ef4135bf28035042720012521a31821945

SHA256
a46c34eef0c792df6ced60cd9b098a2b56dd678edf5b1a25df1de1eca9a88ae2

SHA512
21eeb98ebb6f403cc1c3132058a45671014b313b04f989efa3f01ec85533099059226ef5a686429afcb700e8c239cc25d81dc2b97ae8763bfb24e34326e83f32

Download Submit
C:\ProgramData\cWcYAgkU\okMMAQsY.exe

Filesize
194KB

MD5
7182373d0810244c9a00173eb5276c04

SHA1
6b206fd50d101362d8998ac21e24943fb4222efe

SHA256
c9477a242695fc93595678729e9a12e823c1548a56196d81386587cca59792e4

SHA512
78feedc4cc517976aa70a435a3891391b323161990a90d70a7dcb4e5bf2cfd0cea6d091794ab262041d1c32497dfeed0706d28c345bdb3526cbf1c18cee96e06

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\256.png.exe

Filesize
212KB

MD5
a4aa7ea91f31d1ef7ca1073cb9b19616

SHA1
4c174a2c47228ba09046ee09b7dee1c1ca20143d

SHA256
bbf74d0b01988843a0990997365ccdba2ce4485c07a32c0d241efca3b81d784b

SHA512
2b13ffd0e86b14bed6e30090c5585b0070c72bc8b0042ee533944df06a45538f71a101f48829079f7051a4becbccd816a29c23285a900968e7f930d106497497

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\38975140460\squaretile.png.exe

Filesize
195KB

MD5
7c133ed99a7bb44f4f7faeba6d7ea6d0

SHA1
95898bae35e789cb6fc2d96ac7472b0165b4065e

SHA256
1fc2644a9be54003d8dce3d80d34f521fd4b7256d53b5e31b0f4ef1a2052f8a6

SHA512
6c324d3be718c0f8173ec989d2a1033a4d3ac9dc27cb9ff813adc34c99cb87d1005d34a6e110a92cc3cbf24dbcff1589ceb78658352de52a54bec18eadf65f95

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-04-22_09bf3f42a75392e9189c3c525d2d73b4_virlock

Filesize
48KB

MD5
3d404187efd7b9fb9810d112bd8cc368

SHA1
4c18184896e46369b2af6de3d84c25f44d3f051e

SHA256
410fd53c9634965c2b56efbf7a774d79014c98a2cd1d767adc51636e97428c5d

SHA512
5c1ab1a5309e0d2ea3f08e0e01d1291cf964de682c06812061d46d7bf8db454d36532c58fa511873564db9cfa9d215a63e752d57acb5038581b3b9a55dd27390

Download Submit
C:\Users\Admin\AppData\Local\Temp\AAoQ.exe

Filesize
714KB

MD5
063414ce8330e23f614e6b04f2f9e83f

SHA1
378f84c000c463f3d61dd67ab5bb9032a6e83c4e

SHA256
a2ff1cb6ea3e4a4a3dc159a60e523d3fcf5860f4bff017e133c01ff150e60821

SHA512
42b8ccf53d051869e4dd10a7c363c9731ffa4a0b31f6cc2b98d0588ed2f21d6ca9032198f4ab5b7e973c15fd8aa0fbc7a879c3de0128b44ebfaadd448d9007b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\AMIA.exe

Filesize
5.9MB

MD5
74e4c165708c550c9799ff5561e92fae

SHA1
a7a800e6d593e71af37d67ef69e08af0c58bf1d4

SHA256
2cc13a2cdf54d3364d537bd50c7dbd468a1697f562edfed358e833dce77cb514

SHA512
fc3824da7722bf0d2fc0553be8b597982154f959fbb77edb479da545201d2850f59cd6df91a53695448ef996b0c5b7245aa3b44545dde1cd6ad31d48dfd2177a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AMUG.exe

Filesize
199KB

MD5
d992637d26920904d18cbb4f6d6cf8ce

SHA1
ae5ea770c084b8111516c7c79b2563faf5471d50

SHA256
e26d39746b829c7e10f6512558aa460c785e9cbcc9024d92177f6563ddd62bc2

SHA512
3d5190863ad4852f52658e8f94b1a0c3de41114d031e7a91f7ce1a9eddea46590b9298c967ebf49a8487afe02dba6ee307b8dbf270e60f1e390b72a427486d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\AQIK.exe

Filesize
192KB

MD5
0b233782ae1842d83d30986be558c0af

SHA1
aad58815ca73865501fc891dd60f3e0ca4073bc3

SHA256
64d4f42b5fe6b329935c2e327286b51ef8570123dc4cea44ba3e113d448df06e

SHA512
75645c349585ec82454e3e519f3561aa3fa5ef304bfdaed22d246ec2cf33a5e554841467975b9c93b7b5ac9b92c74472b450cd65d626f7133f27b21ec497e8e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Akgo.exe

Filesize
218KB

MD5
f7dc78ccbe8068423bf5c88173b6e34a

SHA1
4d8a19776d9c4a0320082ede86f1bcd3a6aebec1

SHA256
fdc3e29a321a0068233d6d13526a1cf831ba77fcb3f6d1954ce016bd095cfedf

SHA512
0415d120281ef1a3d6bf827125ec8cf0a060afeee53b9b9f234d63b11b7eed5d4d9adf2a00a68778e468dd00bb130eb4c7669a8e34737fc681ab365c3ff74abf

Download Submit
C:\Users\Admin\AppData\Local\Temp\CcEQ.exe

Filesize
243KB

MD5
4597e59f58e68587fe0425f7bdbc7fe5

SHA1
6a509cc82a24baf7f2b549cb8e240f16b61a5dc0

SHA256
749421afcf0dcf0eed3d45734e8e0b08f1354240354d07a423eaa16c1e45a058

SHA512
053c07939cd1df1ac63a50a044c5e0c4405e585808b9bdd651d107f9bdbfa827d9a0308615337d1a5f445d5f7d444b74a6ec053213d539fca9881ce48368719c

Download Submit
C:\Users\Admin\AppData\Local\Temp\CkQe.exe

Filesize
662KB

MD5
2db8c0ae13760281fd0e6443a0b2d7f1

SHA1
aeda6b7c2222937bdda4ec2be5737aa2f18102b1

SHA256
0796199c3091bd3502f7519ba23e46a701acc561e87c37cda5f0423e955deebd

SHA512
86d288a7f8b82da0857954c488871af53b874965d8db11aa76166f7f188b6d918ffbd4f6e5e26b67352c33903d430ef8f9b2370840d6345df719b822cbecf451

Download Submit
C:\Users\Admin\AppData\Local\Temp\CwYW.exe

Filesize
779KB

MD5
89f238b2081656df84fc5ce96efbd364

SHA1
38f10bb6ef2088c4dde037602e9a3eb2c05aa783

SHA256
f5bb8d498ab21cebb11f7dfb7f3fb68b6ebcb67a2394eb7077bc6e57b8d7105f

SHA512
9283b0c903783d1f20a30c5bd599b2d953578d0c1912c5beaf4a9c786e34bd313b5ee84e5af0206caafed086af47d4a356da6df7b4a2548e09356d8b0d27ea82

Download Submit
C:\Users\Admin\AppData\Local\Temp\EcQs.exe

Filesize
231KB

MD5
150b52b76fcf42f93fd7e8f255aed1b2

SHA1
a24051a0c88d7cdcbfd338ea8d8dd3a173116023

SHA256
ea783419b1bdb50988cddcbcc74375e970b3a0d77b8554d56ae7ec2dc262d3a2

SHA512
826b97942899dd7367d578ac22e1cdf49d273ed171f72060189ce2df3f41ea82653d7d18d146083a2a4be132f0c7cf8de3ac03270c298b6e2d75afbf204cba46

Download Submit
C:\Users\Admin\AppData\Local\Temp\EoEi.ico

Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\AppData\Local\Temp\Eowa.exe

Filesize
187KB

MD5
64fb27b5db121c48b3f3a5b277e1eac0

SHA1
4b396bc53947df08d56aa99369fc758b84c91966

SHA256
ecbc6eddf6a3e070816fafbf6b61b5ab308f54a5d3b0361e1436c1f1bddd1cac

SHA512
75f0362adebd4e0176d7804590003632bc9343f518091d11de6a99dd770166b63cdecbed14635cdd87e8ab77c760e4f70fecb71b1d12addeb04ad7f5f8579d94

Download Submit
C:\Users\Admin\AppData\Local\Temp\EwMU.exe

Filesize
261KB

MD5
99517d069503a72093d4e592e164967f

SHA1
f48e0812deca60217a93a14e31f1ea2176cdc1af

SHA256
40623976e496a4fb44afdeaf143dc3af46b8c680ead19788b8c715c9465ecef1

SHA512
56e92d52ce8391879fa0864472fac5218aa69121026429c22e45ccd51cc4b410c9e1021db52be6fd44e4401264d27fc032d066e916c714b7d65ac4e93a7c03aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\GYcu.ico

Filesize
4KB

MD5
7ebb1c3b3f5ee39434e36aeb4c07ee8b

SHA1
7b4e7562e3a12b37862e0d5ecf94581ec130658f

SHA256
be3e79875f3e84bab8ed51f6028b198f5e8472c60dcedf757af2e1bdf2aa5742

SHA512
2f69ae3d746a4ae770c5dd1722fba7c3f88a799cc005dd86990fd1b2238896ac2f5c06e02bd23304c31e54309183c2a7cb5cbab4b51890ab1cefee5d13556af6

Download Submit
C:\Users\Admin\AppData\Local\Temp\GwwC.exe

Filesize
198KB

MD5
53e7780a8969d23f12d00dd8a8e20e1e

SHA1
4076085c09356de2f52f9beda22d6b41c94d6f2e

SHA256
63e538065b1d05699efe07d8084cbb96f6286e2e1d1bb6bed9ef0196883e074a

SHA512
978d34b84367432b3a2cc7ce08be0e0605c295f173556ea793724b545e01e7dc6df10199c1d677d204d894855dba3c26341c21411a2793cd6fe5cef50fa886ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\IEAW.exe

Filesize
649KB

MD5
263763e3b4305c3ed1fcc9f1693e772c

SHA1
e18ffad529b15f40912fdfe3ef4ff450840a5492

SHA256
3c12e63460e82cffe3e5dc137f4c342395a58beaa423b1d9629822f1b3d78bb7

SHA512
1903e6184b2d51797ce93afa059922a45206454c001be320ca0a362a516ecd64893a37b03f768947f0cc2ff1dae8386fa73c0ae095c52fb796abf820b496b93c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IIwE.exe

Filesize
419KB

MD5
8b72a2b74462b5fe214a3d7961d8a9a3

SHA1
055441097b270f916e997e5a5cd801eec19ff619

SHA256
c9830473a468211319313eada6ba4a59adb9826daff52833be8e559f08818a6d

SHA512
afd5fba878f6de62bfbaa7a2a450ba6b31161dfad7e2c60faffa3a6a4784efb2f8335fe8ae44341d48feae8d95f7bfbe35d884680aace04891b30a99a6353cc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IMEA.exe

Filesize
186KB

MD5
777f17834695867204eac756f2c61d4b

SHA1
896e9e28b7bc70daff9ab5371e98b96a3274b8b5

SHA256
bdad6f18496a30ee8e33b1a1b09f96ac8464f6b4ac6ac077b21cb07a3e56c639

SHA512
48a6c54cb2a3c30b813fb2f15ab05925ca5cf36e9c3819609b49c2f0dc04013b81e488d513423ca199c3a2070323aa51bc686153192c940c08700bb4bd6d83fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IYEw.exe

Filesize
191KB

MD5
2f8930029523e984a998a9bdb7eb2562

SHA1
a84a4b2a2467be05d69d69b03ac43a6d7cef9c9c

SHA256
3025d91183cdff5ddf06867a0f79b58d50533efd35eb03355c624c98d3e412ae

SHA512
7dcafe5a34b5299ecd40b18dd33f16a5ed838bc6e52cdccde25b985272947be3fc2b14e0e8cd76f4ba6748f162a277d24abb2d24d64429fc49581495ecb4c523

Download Submit
C:\Users\Admin\AppData\Local\Temp\IcIK.exe

Filesize
805KB

MD5
5372f03b771fc251e245a14380ed861c

SHA1
f9e17f5244acd14f2ebcec4ea0ecf3a38204f1f7

SHA256
c4e4ca3e7cca0eda648373df56559a2f4d5d2d0a512a9e29a33b1362f544fdbc

SHA512
100558044ee688a11ff885b742a3dd4fd416ed5e39b436f86cc0d844df97b8c73b61b749b80b5f3f40e02d8a8dc2f9bc9eb94bd1ec2098adfe42b93e09afa327

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ikgi.exe

Filesize
185KB

MD5
255c1b0349827c48bbb5a899c98b9166

SHA1
64dc735135f56038e3b9be5ecd7a86db3bb32814

SHA256
3f94ca47af1abca47552f41ba8c27840817bbe019a77d5d88d12dbcbaac75f75

SHA512
8346ea7611dc578a13db1d2e6db22c08ea0837f023a5c3ef0dac65b73308ead3fd593c934a94fb7f5ae29d8f82cb504196873d1a27de19f323382b7f54e54293

Download Submit
C:\Users\Admin\AppData\Local\Temp\KIEe.exe

Filesize
199KB

MD5
9b38a043299b661848c0a27962400c21

SHA1
ae8a2e4e705b848f0a7d6cfee65383226840ca4b

SHA256
10bc0246b31349d9756632a4fdfb80979981e2d8a170f87e588217b829f7a57b

SHA512
7e0b413f97400d1b7c24f54b6590e9840a35a8392f4cce87dd4884225412c84f9efb15ab55bf86864eb1b4a7da67711fe19dc2679a0319ba7fc023677adedf54

Download Submit
C:\Users\Admin\AppData\Local\Temp\KUkg.exe

Filesize
201KB

MD5
a77c831c49fb27455f16b8641e52e098

SHA1
f4413cf7dea8c59803cf0873c6241591ef63db97

SHA256
548663a36b369f87d908a3da7d8cf922d03f0af793a828d31e7dcdd0a7e2df67

SHA512
8372dc4cf0647a8616f2b74458e2424c86445d4270de1a12bfa3f99b4bb6231a15f81526aa455f3badeeeeeb482bb3a82db80013e024332cb70984a00c81118f

Download Submit
C:\Users\Admin\AppData\Local\Temp\KgAk.exe

Filesize
226KB

MD5
8aca9ca2485b8d4d42bc6d68913e6640

SHA1
e7e363833cd3aed70ef1dac93532eafde40403a6

SHA256
d977c45d9dbd7488087afe8c307d96902aef48b6ab9a91f73514e4609bc5660b

SHA512
a122a004958b97f981741a67485c8ef268113a4d8af38689c5da6c2c29db86b1ec58ccc4ecd3168c44a0d9bcacf46e229019747abab6a70f8a80d889dbae96ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\KgQs.exe

Filesize
407KB

MD5
2dbb8b754a7b3a9d209de733139ab8a2

SHA1
2e82fd7d63aa6c368fdcd3232e88fa409f6faad3

SHA256
801cf2414fbf1108924ca135e8c6178d34bbf84174394e30c82f45df86e3d471

SHA512
f95c2141c321496cdc8b0cdc7a921d2b620cd31c4c99ed01a06735cb6374d21e8993606d2ad90000338cacfe290835d24456f46f3f3b4e1c5b03a15286232837

Download Submit
C:\Users\Admin\AppData\Local\Temp\KwoG.ico

Filesize
4KB

MD5
d07076334c046eb9c4fdf5ec067b2f99

SHA1
5d411403fed6aec47f892c4eaa1bafcde56c4ea9

SHA256
a3bab202df49acbe84fbe663b6403ed3a44f5fc963fd99081e3f769db6cecc86

SHA512
2315de6a3b973fdf0c4b4e88217cc5df6efac0c672525ea96d64abf1e6ea22d7f27a89828863c1546eec999e04c80c4177b440ad0505b218092c40cee0e2f2bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\KwoI.exe

Filesize
494KB

MD5
abaab63a6120449befc9db120958cb20

SHA1
a7e0bb58ee7721edcae4d96a5f0d8d4c338f17b6

SHA256
7a05ad6db28e3af3d25b881654567792f7d3537458db5c1b07702b43435c21ae

SHA512
db7c2aa07ebe32cece9fcd03bface0a4b14cab7b693a9f48ba28c04d970e096d9a1307afb4c4521a95980851af0afdfa9f7e33c3e75b0eab6624941129749199

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEok.exe

Filesize
199KB

MD5
aaff527ba493fb3664dd4f57bcb24e23

SHA1
77f8a59ca8c72c492179ed9264e1cf8423fc54d4

SHA256
976b812ff377a8aae14f39aeff922f5df99b7ea93b69567be8c8d1823d5623fa

SHA512
883dd2a71a0a4005cdcde6172b9b0ffdf26b8b108f31c0c1eb329f4251bdbec4158db503250da7577335aceb9e206fcf32051040c683919fb94af6bad4654e36

Download Submit
C:\Users\Admin\AppData\Local\Temp\MIAq.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\MQgy.exe

Filesize
203KB

MD5
3656ef87ddb48c3e6bdf50b452af0bab

SHA1
d78f82ba66536046fe8d5c70f030338c28345d47

SHA256
cf17988f89e826b1acf6d6e8ff9cb1a76673e65a255ec3e737449818a8f33f01

SHA512
c59b21a8e9bec4cf31b114b53a8d4294240698e952f11d55c43f4dfb126b56efe077055fc2338ed9de55feb2871419c9b71a912ec0aeac11fd5ae865ac64e743

Download Submit
C:\Users\Admin\AppData\Local\Temp\MUwo.exe

Filesize
680KB

MD5
970f93be293f3f5877ccda6b32897cb4

SHA1
c0a05d2144cabbfae5a54ee79fd1b132a6e08b6e

SHA256
13b4ad7d29c2b831095b99e48065e17af98506bc475458b43ca425cc5f6a1f46

SHA512
b0ef8fd8cfa321b585dd7a700788a9eb9439d15fc7a01fb4462961a1e245d5f01bbfa61785d4320d620553609c16610c33b5e9bf803b36c146573dbea91dc19b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MYQE.exe

Filesize
202KB

MD5
194810ca37993d86d659f9ad3ea6a80e

SHA1
42db8470cdc032d03bd4fa8f290214fcfc2defbf

SHA256
6df7d54bc5bbff50909f050414cd6a40b9e9c34826eb3ebf239c5157ecb69493

SHA512
489d1611df63e974c4d1826c2634ad18396adabb4d498e5b1e4727a39e64dd0c8d9384b1b427c0b975223f7ae3b290d8977d87fceb32397f8a311d725bb0d43b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MYsk.exe

Filesize
202KB

MD5
e78bc7bb67946132a704b10fe8f56fac

SHA1
ce311ddd7e27458d1f80dadfdbbb06115b3dde98

SHA256
f83bf97a7834da3c8430ffecabf93400781e0258adb6d2daa3e17cf7332ad9da

SHA512
0aa8e5f9193fe5391557f5a0d553b199deb427fdb9efd851c4a100a1f71222650323a2da618fe06853d5ade3a326c9d1659602de1c287e171d85e79a6c6a0eec

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mckc.exe

Filesize
1.8MB

MD5
b8092aabb5755bd5cf972d69d9cc4f92

SHA1
b2c91c2d96658802720e8c5f73a294711fd92c76

SHA256
6fc6247703dfbf62bc87beb78cfcffc09c36e0603d9c4287e025cebbe079f705

SHA512
7099a03ca9da3b334fe8f08d1fa5921b4dce2e5cf29eab011c147600955bf37595d26273e37bfcd1a67a56200078b562684e2e0689b8b17a7ecc5e91606a5efd

Download Submit
C:\Users\Admin\AppData\Local\Temp\MwUC.exe

Filesize
204KB

MD5
a7fccc536eab84800de6332809e48c1c

SHA1
fa8fc4bfb362826727b162af5f09c3cfe68cae60

SHA256
0c1ef973ab908eef832a7e0bc430cfb3540c653f2a2769b3e4e87d9ac35b9c41

SHA512
8b04b37e3cd3a40d2b20e3c59ec7457085ae222f74ec24b963307dca7ab2370032423ee0eab9933f18a8980ea3780e7a318c2b5d38a771cb726cfe11e93ff7e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\OAUm.exe

Filesize
197KB

MD5
e2b62f9ef5b5a6d8ba617cb2f090ca01

SHA1
6a178582af82e3ba84fc9eb793e871d58e70e448

SHA256
073e7892b9d46248d6f52ae1621dbb57f3a41c8998c3b9f1d85fd57825f986d1

SHA512
114415f9ab18efef634374964cc3c038fcda66b266f8b416fe561d272e7d29ab79e8cecacfbdab47f9be17ee26e0627acfcfe604cff91ebfe4f3c2c349775522

Download Submit
C:\Users\Admin\AppData\Local\Temp\OEgk.exe

Filesize
189KB

MD5
2494363908a86b56187731687a0d5d4e

SHA1
229ad6d1a227307a6550743d2091fa73884ca92f

SHA256
e9524d507668c5594bdc4de5fed0df7d6f2c9abb3e042862040ae2cc4be37573

SHA512
bed1d6aa22d9e000d18d0b07616233d479788e39f3b1eadbe5d5ea1ec0e53fe438daafc0391d4781e1a76946be63e3399d7bda8c3b8e61a2a0c477e1e63690fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\OQEU.exe

Filesize
196KB

MD5
6b7f0a807e35a81c932de64fc82ddb27

SHA1
18be18bf2b7d3d3a1e4ac8ece94127375bc3b662

SHA256
df6cfe9b473fa65401d5e59048e6dff7cfd9d711a394cc467857292b0ecae08c

SHA512
50298d7b93d60c25125247b25e88262e7f0d5f364d8919f2f2befab2a2cd4ae890739b67af39824ec1cb7bd81743fa885862c161c911fd4492b12531cadfe14f

Download Submit
C:\Users\Admin\AppData\Local\Temp\OUkK.ico

Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\QAAc.exe

Filesize
5.9MB

MD5
8dcf74ffbafadd6ecb992127ae2f8782

SHA1
d5603dc48554b30d3f6a8c00ee367dcabf114aca

SHA256
45cd9295a40f46fe8f9f14e9d395acbe7360b74eb6c20011da22cc2b75744c59

SHA512
a6c982ff55661acc25c755ed4f8f8287a4e0727d590482230858322aa85b36475e7d58e2c1d154e31fe44a3d8ec115005c3e3c97607ac02740eeb5d4eed6bdff

Download Submit
C:\Users\Admin\AppData\Local\Temp\QEsw.exe

Filesize
203KB

MD5
8c97601e468cfc1cbd3c879fa4d7e7eb

SHA1
dce23261f6634580e6765331e2826ee1f9a1f10b

SHA256
29af3f1bd5c73cc2b3a320002a578ac9a7b7508b26eeca60fa95cf26fda9e49f

SHA512
0726f1bf4fe4352df66c880c65e4b1c45363a3a1def1bd7637df6242cc2100b2390e9322f5bac8725ca10d696af29b4ad2117d998094fbdd8fe32bd0736965c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\QkUy.exe

Filesize
187KB

MD5
bda07a418316c595dbd3aec85e1f5065

SHA1
1dc001d3951081eb1b69706746cf9f69635cecdc

SHA256
703a57292504734ef3692a53325c134346e3725b25e5b2b60ec65cb75b710b3a

SHA512
0991b800245989291dc76db832d3806ce23651a4f1a4994018cb30c474b09a0be5cb3c56e7f08e751e223d5c3a94451f8d4f3b4cfb9213287a32e414a6fe1cee

Download Submit
C:\Users\Admin\AppData\Local\Temp\QogC.exe

Filesize
775KB

MD5
75bdbb3fd61c354cf2ac56ddf4a0e9d6

SHA1
bc57d31ce0c5194a0453008cac6523a7da0d2431

SHA256
2de940d271cf94e79b052752e07c1a4b708b94a2533ffa96de8247aab67c84bb

SHA512
9847590e6f58da764f49ae1625410353eff7dc2362917b76502fbc483a35bf1a9fd942041ccc1983d2cf4c41d075d595fb7fdbb3507fbdbcf2b650734d6ac1d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\SEYw.exe

Filesize
200KB

MD5
a96f35efbd42fbfcdaa76f875855cf5d

SHA1
e32653f980316838abf24f8e915a100de6a928c1

SHA256
25a6f5b56b3cba2f28aae35a365f5d486e8ca0394b66f8d7d10305ca3b76823c

SHA512
0faf5c4c63d167bd0debba4d951498b1855e3959f6f97690870932424a6690a1c2d29ce8df4d23bbba331254d6eedf952ec099c616c59fb7771c17544a2ed0c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\SEck.exe

Filesize
644KB

MD5
5dd57a32b0f4e099df80a1561db2395b

SHA1
d17acf746992a16209301f7218c4cee0ecfaa7be

SHA256
17dfcfc168f1826f85c8f5f261a0ae3e88c9a42c8da794019b9048513ce44da7

SHA512
402e4db3efe73f0caa4f05305fbce3def05d2acd9f69c75ff304461c064ffe63a2568593bde889a79079b30936c24ae6748c7ccbf4436e41d7d73807a629131e

Download Submit
C:\Users\Admin\AppData\Local\Temp\SIAm.exe

Filesize
207KB

MD5
a0f1fff42fc20d5c0ba0dc0b2aea424a

SHA1
01f7ec7431e09754461ba5777be86d69ee7d2785

SHA256
f057392ff8c5f7020b68e2c4213c0973de688da6595df42b9813d0aa71732575

SHA512
0bffad9e9d649bf147cd5a80914019a98a1c3ed70c05a2a13ee17b3b0accb07ab50869b59e0f11ebca5f01ba05c3b68d163f47d5f24590c3fb511e3600a181ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\SIgg.exe

Filesize
195KB

MD5
602c51fdbea073a24103f5a299d71646

SHA1
1c24c7a9067b0387db06a11dee03c21e52a7ea27

SHA256
1110c2e57482c1c459baf1b0124afe199c40abfeff3d87d670b0114abad12819

SHA512
d6dd23ea8a27ba429b79757933f984f7f3e5e6321b9979cb7d6207a83254dc9167a555b3467f3cc7ac5a1d127326dd51d6cbad5fcd2d6759ace2e5bef9ffc8b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\SMkw.exe

Filesize
205KB

MD5
6a43a16001a094f2b013b58c9e1e5587

SHA1
f4fb238f420bb701bba5bc8644a2e68d73cfd6e4

SHA256
8c053f38cf03d87bc8aa0122c45abf6677f9c848e52d903633ed94b31e0fe734

SHA512
34026b264d548f7754093cd4c4b04403ddd0da69152f72ba902110386164d45ebcbf2247143e0c14a630a8070e4fe147d584aa451035a0af8c6052c6ec9688db

Download Submit
C:\Users\Admin\AppData\Local\Temp\SQIu.exe

Filesize
234KB

MD5
594d32dab9418d9b2de8c3494b76a107

SHA1
d9cd812a0e5703af5fb46dbca573dba238b6b849

SHA256
bf1c867b5dfe534a7c0aa7eda12228bb462ac8cb8f16c1dfa3d51f7a12e0a6f8

SHA512
ff1862e0b4fc1195d9caef42d483fa5f00c2a426b179f43e20840d94fcf07079dd4ea2263d32ce5d0666361b4247ce4ecc5820c0039f57de3377a0ded9f31d89

Download Submit
C:\Users\Admin\AppData\Local\Temp\ScAW.exe

Filesize
665KB

MD5
116cb1bf3e37d22b1347dde3f36f0a9f

SHA1
8ad899d0a57b84e0dd303b055553c55f320b4a5e

SHA256
c3c6c3e9e622dfb71e9d48025a03f8db0cdb31145d634c0c84ac4e3febaeb8f5

SHA512
c6c749319e3e2b321428897debaf9a6aac722d8e07e4ddf65dcd79f490c17c2145f8c4ba9a0d85f89c7663ec6f6238c47b341692cb5c1def677ea7b0e54ef229

Download Submit
C:\Users\Admin\AppData\Local\Temp\UMMU.exe

Filesize
203KB

MD5
682d52b7571d57985e9da26b58b4540a

SHA1
64c03690d7df481bd7a4086dcf996ecd06c06ff5

SHA256
e1c50d3d0d3b8c157de9cd307b36e10cab6ac2f94fe0619444d2f5372d0c5a48

SHA512
7c4685cc7f6e62a2f2494c2c5b34a148a2c6177a498105ee0a4daed16cae7c3176b4783e63082e4ae9c95ee0f2c3aeed4aa90bac091755029c92ce363f1b68d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\UoAO.exe

Filesize
197KB

MD5
bcd52a857de99fd9d302ffeb55cd9c20

SHA1
7129633fe8ca5af2adbd0c85a40eb8aba13a8aea

SHA256
a0b9385c9d9d92a4ed4933bacb7f9a9bb7a97c556b16d3f361b98aeec1bb80d6

SHA512
90981f278e420752ecc94be53e8fc55a174be0e0088da61599a5386c44c4b97567d79e177ecd33dca57517c1aacfa05d0564406187ed42f5c1ebbd7be15d0ad4

Download Submit
C:\Users\Admin\AppData\Local\Temp\WAAu.exe

Filesize
193KB

MD5
a7bf2ffb596c4e0b19e87f5ab205b220

SHA1
592499289df12f78ab41d3ed0f8d4f38c00f4f21

SHA256
cf4498a9425a7ef1553dbb2c8a423c94751d9d17e48d18e5e97bb04d5ba86078

SHA512
b49e271f471b06d9d648c390774ba1722c1c6a5a5a82e5eefdc24a7e49bb43fe0478a4e26345c97c275a866b6c7530dc0d072e97fdac405a3945fca8f058cb52

Download Submit
C:\Users\Admin\AppData\Local\Temp\WAkK.exe

Filesize
768KB

MD5
a514080c0d2ecfda8b23f61b67baecee

SHA1
5abe02b1bb5145368641c93660d6e1d025c22394

SHA256
8b058fba60dc3890f2c4e6a4e5ac4b42d4a5a8ad9bf9f8652e93bcd68959755b

SHA512
9ae012c55e1d63c56cd7e43b88beba260d93ab9511fe0fed28a955e62247617b4fd7fb8a6eed00d450c718b8f82d19528741184f94b7b6d8993abc4ed6fbd1e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\WCwkYUwY.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\WMkI.exe

Filesize
198KB

MD5
4c944e4dca4c76607b83a6e6967d9385

SHA1
54138ab92bc390728a085270d406559417fa5aec

SHA256
5c91a010c575bee0fad12a993090fa4158d6cb810dea40e372905fe7943cdce1

SHA512
fa7b5086d2696954cc21f3f8b4db26b26b2a8b1151c72807b1be13e2153dac0635c902294925825796efdf0113b1fe41ccccedc6b5b2e4d5bf50a5c3e0f500ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wkoy.exe

Filesize
204KB

MD5
9023c32df2fc0c7978656a39846ee636

SHA1
8fd4894883f7837cfb7ae1ec0d1f9fd9ca8256f4

SHA256
29bd0f320ce7ad4666907769daf6230fecfe4e99877780a5f0dfaca7934aa537

SHA512
00ded683b01dd926e6bc0a3f59f2510ed31f7322d7cf65ccdfd004ece7cd2f92e7b430e0fe8e896d6d291b32caa4f821094b98522b363bad67065a3d79368bbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\WocW.exe

Filesize
639KB

MD5
c9e5eb89daf6203472d3b571f4a5db88

SHA1
d601b303f79a57900e8dc5acf7b39fb369b9da16

SHA256
e20f416f5b60265c67c1eebeab6435f2b061a510c75eec3e98b2e7c952577e9c

SHA512
315e39498b711c7570263475f5dccac3139fa7b305b84856cf99882c5044b79fd2b4ce6108956f34fa7b1c9eade9f5c2ae9c7403aa5cc4886ecd9b60faf009f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\YMMo.exe

Filesize
201KB

MD5
4b661156da9336673dda7ee47012cc20

SHA1
63b5d736c787ad819b96f09683826a01f2d12ba5

SHA256
45f9b87cc5935bf9453d4c3cf6acd27e4ed8f70e8e5dbfe97466d8d0a1835075

SHA512
6f71eb53dd2ba3d3144076e57eb965b8fccc20bff390fecb48c281a317365b44aaa08872509b19e44a3d7fb5074faf1b7fb2d8ac48a430053bf13d4715c139f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\YMYw.exe

Filesize
190KB

MD5
cc672b40099af757e278902ee4b3f532

SHA1
521c10d58314bd14b9580175813f5dce5110e5ef

SHA256
63fc41e1f1b8c3ddd4656b9950e4b53f1ce224b4ea0d54b5bcddce727490990d

SHA512
be21b5249729e0d1ff7326deed9a9d983c378c2a1ab4a2a8bf5e015a4549fb7396c1f3cfb91c568bc3eb214a13bf37f87dee3a3682b83ed9eb0f9e6c340db3df

Download Submit
C:\Users\Admin\AppData\Local\Temp\YQsq.exe

Filesize
206KB

MD5
bd01ba74e57b377fa6873d4e89a6719b

SHA1
fab4ab8aa64779b84581d0e000772396b110ce65

SHA256
4b500b41f5db9ed3e9bfd22ed51272788e32a32009303d52b1c758cd5aa662d3

SHA512
8968026d2556ff130ad0920f2276dae39db2239e1f5f572ac5e5874a57a933371f0f5c645d294d631fdc0aa4207310e6832adcc7557e551c7b76c2af38588fef

Download Submit
C:\Users\Admin\AppData\Local\Temp\YwwS.exe

Filesize
186KB

MD5
d0b4fb8abfecaf51975fb35dbb129346

SHA1
e3622907fdf0bfc1802845fe81771343bafb545e

SHA256
c9afcb5feedacdb994e93078327ae228a8ce0641c62deebf6469317fa9064d84

SHA512
1687342157d0b345016bf0c055913a62220d68cc70012d489e53e01524388770778659f2274a4a6f5e5d59682305f55a3579ca7c7cf7449d5a73d3cfbfacca77

Download Submit
C:\Users\Admin\AppData\Local\Temp\aAIq.exe

Filesize
796KB

MD5
d2768a181b657d3ba44391450e097c38

SHA1
a3bfc170ea2eb66fb7746473d268c3a776727ba9

SHA256
b2255a23affa0ecb0d9ca83c58695593e86e6d609d6b814e329772fae30f7356

SHA512
d57c3f5b192880a03e942d81566b3d7b24c38cf6cc83c608c521679dc58a8d8c471f1864b6d3dc7e350b10ab0734680844fa25363e0fee9ae7dfc7086d474461

Download Submit
C:\Users\Admin\AppData\Local\Temp\aUEE.exe

Filesize
188KB

MD5
1c82bdceeddbdfec404da0d7830e6297

SHA1
b459302629f9b508be6f437a6ccb6bee51f86b5e

SHA256
6fd1c59a0637f7153ca2d9e4a2f3becadf85548606fa078d5e711b657857e6df

SHA512
92f09f112dcffb535b7a379974ff895603da1e572e1b7aca90f2e6b6b174a9251661d811ace081b8a06c7f34affcdabf7af8cd43b483ae3198f783ef0254c8ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\cAYE.exe

Filesize
2.6MB

MD5
3b3dd6b27b2215ed7e9688458ad417d5

SHA1
cc70790940f7a06a006723d9c7de0ad2bc25d8b8

SHA256
a9f72d37d7ddb80962a01eadce3aa44f06218e753418ddddd4165a91d7d4a718

SHA512
20ffa2ea501c25f5b08d4323349057a144cb3fc4b77d4d3cfcd129aec9969781b5fded549eb983609b9ab053b783a31398cf6f501377edd877daa1fc52f3d662

Download Submit
C:\Users\Admin\AppData\Local\Temp\cQYe.exe

Filesize
185KB

MD5
8bf598073b8348b99687a4397e1496d6

SHA1
c7bd7ef8b20c965b56e4c3cf6577add36d6a584a

SHA256
7dc62c335b9cf2eb443944a4986516ea34bdfeebe693efb3b540536a2393b1aa

SHA512
05f863149b4a3e052323602aa13b0518dd19a83354b237ca05b4eb40d9a84606d212934839d6c1dde1e04d12e2a151326472adb56bccdb980aed5fa0ec29602b

Download Submit
C:\Users\Admin\AppData\Local\Temp\eAAg.exe

Filesize
864KB

MD5
423c97d61c0e610686ed4d8d6121f517

SHA1
1b3cbc9a4bcb27e850179bad50a351cb58651b91

SHA256
082db9b9f1a33f439a36973dd38344e3307aa26d1106fff9d596edfe231e11fb

SHA512
4de7342fdd28e153e6ee43f56ea3b7bc31b002aed7905cf409f1022f2ef35d6967c2c45c791a1be90795401d2976b606d69a13b24a6e99a345eebeaf8951a940

Download Submit
C:\Users\Admin\AppData\Local\Temp\eAgy.exe

Filesize
758KB

MD5
2aba870b31638aab7457af6955891853

SHA1
157a05d1821e19e657aca665f2bc93d5fb382ed2

SHA256
5fd1506065456817859a5c3eacc329bd1faca67820a27cf6e9f2638e799ba607

SHA512
8e08c7d92fb167ca68ba0c22c3affce46007452f2d9f6fbeaa5c2735d1ed0776669479d3a1eb625f2bec96d23f1f32f92d5b015b2b00f3f635a7781d881f1959

Download Submit
C:\Users\Admin\AppData\Local\Temp\egIg.exe

Filesize
317KB

MD5
12cbe3eb558ede1b0b7dec18e6770fba

SHA1
580e84add901932c0bb41627ebefd2efa4798d6e

SHA256
8c5a2353fc8c2bc880481d8d600006d1d2697bcffd3ffe628615731923fafdcb

SHA512
adac54a9a2e0a898b8b1d2b04da695977032a6af8a9277845f5a28fd0bf9445372101c6247864d2c61b3b545ddaddffcf7b39550729e344b8528c848f8aa61fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\esUu.exe

Filesize
235KB

MD5
95ea17d08f2831a8baf0922535fbe9bd

SHA1
b73bfbe371aa5aac9b61683eb452908178d3c939

SHA256
54f99740f41f89a17b7e2d5fc750ded1668a15bd6cd5ed396c2d5364f53640f1

SHA512
b8c4395c0471afe20fa0ca569fb2cb6c440205b733b38deb0c2c7fb0b698142572d48de20836572f25c49eee6320d6f7fa47bb152eec6e2542ebd07651450091

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gAUY.exe

Filesize
200KB

MD5
99d9d58251656a75ac8b53b2e18bf577

SHA1
e8cb985b3b4ac6773addc79060326ef7a7c21c72

SHA256
a6a22ccd4c95084e90b50e885d285611fcbcc55ff66aac91db5ee15c82c108d8

SHA512
aba58f041ace6f089037d1ccff3188248745a54e84a5c02dcefa8a9c52b92061b355b3c2b79c96d09e99b2f516958bdf60312343007c33d608198015ede3baac

Download Submit
C:\Users\Admin\AppData\Local\Temp\gYcm.exe

Filesize
743KB

MD5
88aa7b53c6bd3e009d81568020627ec1

SHA1
febe883dcfc6ba584dd3055b04f01caf8ac0a8ac

SHA256
45d2a31a7456fe772b3ed28868b4daec4b2863f04e57311cdc6228c89b22960b

SHA512
c0a2b888b403a0152ed4702e6e474cedc075648d63b381558bcf2bca34257c4ce803985bf2475a6d91cfa37f5512780bb5f44a22d5aee7a9c57d06ad1e6531c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\iQgG.exe

Filesize
209KB

MD5
6d079983e1c2655983d35ab52348bc36

SHA1
b5ecffb59cf54cc280fc81c50d2e28fa8e8f38b4

SHA256
7c7a825319188d3aab75ddfbef5b52edf0c5104c8eb8380708956c4d40c96d20

SHA512
cb0047b35b246eb856d0e29193a5dbeab6261b7d2a4785cbee5c45d4b94cba93f34ee525df1a2add200275b44dc3a9f1eeecd0a24ea6e7faa7fa6625ded17973

Download Submit
C:\Users\Admin\AppData\Local\Temp\iUoy.exe

Filesize
814KB

MD5
49fc99e665059524564579584b48cf7f

SHA1
aa9ab580252354e7272be4e46c7329fd85d24c3e

SHA256
677b4a657f413b87d5c037e8e02dcab85b126ca9847a60d930eb4c236196188b

SHA512
cdfe8cf7e687beb536f23c2bcc3bd80e5b202be176b496f069e76c6da12191fd0bd63dd0564159d41a12a00e60924fe4facb2d1c341d53f292b2ea3bc00975dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\iUsE.exe

Filesize
316KB

MD5
21a9cba4af83f46d9d545b7c4ef2e935

SHA1
aa7f69ce6d8eadbcb0c93014acf3546e28ec6420

SHA256
65e1b03934710a1b31440edde3e1a45740e13ca517acd827e14ef792c4a95484

SHA512
e0b1d1e60442237efc8f40b0a5eff43a909585f429159010ffd11d60a45c1fc202348057ec1df3a9b1aba689030103eab62cc9129d2edfaa53df2e0eea78e5ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\icQq.exe

Filesize
191KB

MD5
d22318f10f824b3c5de25fbdaaf00121

SHA1
e5153f6242e7a13f83b0a42f8acfb1ceb8d14847

SHA256
070fedac85d55ad332c301be45b6d018072b2f4edda7342819acefc8280e56b0

SHA512
468ab77c6024d27137e68ad081c877a9013a90334af980679df233713e744138198c230615bb84490e9f86ece7b89ea3f5c5b4acee73df6f51b9eec5455781ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\isUw.exe

Filesize
196KB

MD5
da098478510c54ccec0332346290d5bb

SHA1
06418d1dda33444b217b604b16860e4085a70f9d

SHA256
3f5b70e060e7e544e1a83e6b6d12dfd8bc2e41609bed5fb1366e0a37810ce2d1

SHA512
6b9ad8ac3b6d6462179ebfcdb520ca30afc2388e23d815067952619c8b8e8326ed22ccd8e6e07615033c422e16ee1a33bff10589991ddc32ceea2ad063dc33b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\kAMo.exe

Filesize
641KB

MD5
b082db5fa8aef01cc7cf49d7af773f1e

SHA1
e3d145b1b35081d957afe09d8068f190c0bc78d9

SHA256
f9dd142dccd03a640a85827c3c8881aad6cdadc9d70c4fcd97defb6180e9eee4

SHA512
8fa4f189b6c9c1e018eb132a337aa48f2ae36367db624f66d5c3f18353f9e58796effd4bd20940235d7f0a67a73dbfd29ea5d4008e110ba4978a5de75baf0964

Download Submit
C:\Users\Admin\AppData\Local\Temp\kMAK.exe

Filesize
192KB

MD5
f1064eb6cbf610e73dc1a6c69195ddb7

SHA1
e0c227e3671711da74eb73d1f6e7081f53cfaa6c

SHA256
2a7b1305f0166cc104b51d2bf0ce7aa37d12bb9671d951b87d0280443fadaa19

SHA512
a9a2bb7988d518d8e968a29d3f230990db454e067545a3b3ae56ad729dea3b10b30481e65ae2cd2290c9c0fc0f8efb03d390be6c716848e165a511c14de6de58

Download Submit
C:\Users\Admin\AppData\Local\Temp\kUga.exe

Filesize
205KB

MD5
b7314c55ea9dec9d36b5b70adf978d97

SHA1
d076152429864289ad1963f98480bea6dfbfeb72

SHA256
6157ab8254749da8634937a0bb9a57f9c8b1e17197708e7d0c829b406e0fe264

SHA512
c8d36c95417656545a7a4c88ea636e6be5cfa685a2a2fd9cfe00e9663e2ac11493849085da1426e1578848bcb21e678a5e45ce7096f592ec1b280e32a998de9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\kkQY.exe

Filesize
195KB

MD5
5959183d5b568e17a847ce86a94a79af

SHA1
ca6121fe53ff66537748e283e355cbed25839842

SHA256
cc0089eca9271b865da3019426492555eb84363bd9f573f5df6271ac0e2f3361

SHA512
1ca1c51a0b6a25b828314e1a647c3aff12c7ca4bd06cf2d5d44b5922053a0dbbc530167ea27034719263004ae18308e524cd3d3450e9af6ba7970b3cf82ecdd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\mMks.exe

Filesize
196KB

MD5
4baa4d6cf1de8998990d5e62c051b172

SHA1
ce727c3768dd5b3bcc7a2e907c1e203f3f919735

SHA256
977bdac19b07b78401d82b0524d730827cfdee7d5ccff3548c91e75d6d45d1fc

SHA512
b08ac7276776f403a31f0b5f8e1d61db0205673e676757701692e56eb2ed07d7331a92c73230e034f56b64b6cac20cd5c5e8c4aa1b41c3660d1176cec9b80a72

Download Submit
C:\Users\Admin\AppData\Local\Temp\mQUk.exe

Filesize
206KB

MD5
ce93e51e6f86e7f03de2e9cfb574f70e

SHA1
32e9110296ece7a032902604fcc62d27e4f56705

SHA256
a28afa118a4d1d9bda46c099d5dee9eda565d4a559661200a2a9c744127a2257

SHA512
6d07b05a7eb165669fa349fc764b5dcc543005058a0a4249ecd24c01d545a1703e0d3ec2a05c797b9139460dce8504dd3c18c443c6b257591aef3d488012f796

Download Submit
C:\Users\Admin\AppData\Local\Temp\mUEw.exe

Filesize
806KB

MD5
4e93e3266017dd3d54861a3aeaabde02

SHA1
ae0fc8c84157bcc3ce0d1756a95d1acd5f20853a

SHA256
75411d071f8cf05538d2cc390bba1c4fa575858590ce40360d2f259ab616dd5f

SHA512
0cf6e32dd6c8b5d6328b155dd7d027043c7057215efbca1e7b7f9456cd46c9f1401329b4969e9e9622a5d8641c96f49baf7e29bff73659e0c8d041c4a08da842

Download Submit
C:\Users\Admin\AppData\Local\Temp\msMi.exe

Filesize
210KB

MD5
1e6a4626336b29e760aa2826b9681cf5

SHA1
87d47335a58a25da882c7f3d836b57b99463e298

SHA256
d2e4878e9be629ce272747a4cc0ddc8c763c18c7b26a61e41ba883e7ecf886f7

SHA512
38486e364cc8b7b06f0692df224c6a8ee460ca6c572f65ec32eab770958c487e493c9e42e7d267614a8bcefb9c282b154162af50a6dd0e76c2b2559be6126cae

Download Submit
C:\Users\Admin\AppData\Local\Temp\oIcA.exe

Filesize
319KB

MD5
312a24d3409562cd07c1de09940684e8

SHA1
3fbce17ea2aa9045bb53be46e6f5bdc145af19bd

SHA256
9b1e370fbec07f2a2e018cece48b5d209fd179179f08817962eec57761937bda

SHA512
a66fec1a9ee988ba8002b6a34656cf58bbf6f36f5333cd91f5b2423191e2183bc56558624d33efa82a884bfb5a57284d29906d7dcaefb8b34577bd69d7b35f58

Download Submit
C:\Users\Admin\AppData\Local\Temp\oYwy.exe

Filesize
636KB

MD5
0e1d6be10cf18ea796f41a8bc6d1b021

SHA1
2c7fb1caaecf4c37b4a89b6425ee867ac1ed3afd

SHA256
5e6c85c1121a93437a2bc1614ea2c7eed32b6d7d4010a27a788286cb68220305

SHA512
b58854e01a794641fbce385ed2f3a1000f3e408ce228f4ac2895fb4a090b8fc0dbddceb8d570e8e632c6d3ab3a64e4973d572dc044f818ef2ad6c848f4b6526e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ooQQ.exe

Filesize
845KB

MD5
1c11fb792d1145a53f3af79553cb3328

SHA1
eeaeb74c350b7500db256e66ec4a998298f123d7

SHA256
7cd8c3116041ebdcb8229917c628aa7c49380ffe769b9a1b0238caa6271198ca

SHA512
55f589a417f40ea01c73ccd7db5401b1bbcc806a8b172130bb059601fcff2780867630f6cc2c4026a02fa03d235e25046ed0091dc8c60844ce0adc881a616b85

Download Submit
C:\Users\Admin\AppData\Local\Temp\owIW.exe

Filesize
211KB

MD5
a5b7f5699e4594f7231969a0bdf3bba2

SHA1
3cf3373d797e8c3c0b6fe49f36d2c5ffcb798aab

SHA256
19f78165c884f85cbb25623efc0be2f7beb685dcd5f584fce6773a97cd700b94

SHA512
1a1c676ea27a7141afd615c0452380dc0730d154d9694e45429d3241df344c36692e07c1dee9f595bf6f9a9f19e33259c3b59d829190f234aba57b9aabd4edd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\qAwy.exe

Filesize
184KB

MD5
de7dad96fa86de80da8e5d13c96001df

SHA1
16f025fd04797a0c2ad2059d810ba9794fde5972

SHA256
966f2bf6f7d29e425e220f207960c29162c8b4fd4c58c9397f967cc3fc545f69

SHA512
e51c4e4420171fefad1de5cddcbe29f4a6ce8fe097eac7182e899decfb6ed376ed4f87b96c1c99cff83acd2f553539f918f28d8a55893ce1b8b86f948af491a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\sMQM.exe

Filesize
817KB

MD5
ed5e8da66cea923752a524e05f2813d5

SHA1
dbfe30a8f12d6388f633fe52a75dbebbf6122d64

SHA256
f22f3ed278429a5f34c966402942a3f9f5e3702b99f825ef1e7d3a0a344e9439

SHA512
685d3666cbd22dc22ce01614975afeb45965652de3fdf7a88fc3f14c33365e1b33635c8c2ff171deb9422c4f5c5ec4274cf7526666e241ebcb9b230c2985d3ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\sUMk.exe

Filesize
187KB

MD5
56ee942c0f671605cc0f0f91826ca05a

SHA1
825b1a3399ec257a5fcee90a15b116a83fcae917

SHA256
c5aa3f5811b45b948ea1a5c4f36c0170dcab03702ad5054b982279618bd1fab8

SHA512
9adc96bc74c341c706395b8677c6ba672354ac3d230dc6aa6d5ed89b8ba966b2094749ba0d5bc38ddf26b4ba4852b26ce04314283d9bd8dbee2104831108f852

Download Submit
C:\Users\Admin\AppData\Local\Temp\sYsq.exe

Filesize
198KB

MD5
280643e7c6db289729a2ef9613ed3f9d

SHA1
fcb93faa1982c19853a4ff0690ff19257591ff17

SHA256
e5806548f839f49dada3d231dd5909304f5d4324d4d134417c05ed15159a8ddb

SHA512
bb13f79729bcc00a0c0da7ebfa54519f909e6bf7d722a9c65fa89cfab08fca0d0d08cb5f3786fe123393e0f3efc04194d4a09b574c9eefbb9a50bae561c401cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\sgcG.exe

Filesize
209KB

MD5
5a2f8702e5554754e1d6768f075804f2

SHA1
7980b7ce3137ac16b57315c3c754e4a288494a19

SHA256
108ae61831dfc9809a536516dfa2fc545df0c4c1e15409ad96f894d0f3d2c856

SHA512
604a95636fbf1b887e7b2f41ac9cd854b2ad03d83482da769ceedf84f3549e12f526972914eb9a590a2b0313a6f81614fd10660fc427da91f88fb7613e654bc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\soAE.exe

Filesize
188KB

MD5
3af8e0d35292f81befed846278e57c68

SHA1
a40691a9287ae110fbc877184600a3294e10944e

SHA256
e5210a58aed25b0d6c95d63b258a81964eeb815776a30f4d99ff3a9a0c088873

SHA512
76d9a7137100fa854ee0b774b410d0c65be09e1a03763c51b078318f8851dff7bba47a44dd4f0e621a500785e233dbe26258d666fc064604c8e223665d7dd5d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ssES.exe

Filesize
195KB

MD5
8bb48dd2d02067210394bc979eccc706

SHA1
1f8bc9dcb34227f2a1465113d3ed4900bf320c97

SHA256
b073bb74364fbb7603ede92ea82fe496d445ba20d15d0d7bf530cb6a143f53ff

SHA512
ef05c9196cd0e7b95769b9b9349b551ee310466dec4755bc010cde4ed78db6cb1336a466d11276826a06d708a6f894c418d168282ccf56001661db912e28ffae

Download Submit
C:\Users\Admin\AppData\Local\Temp\ssoy.exe

Filesize
5.9MB

MD5
91caa08ff0e3b826f94383a3579c405c

SHA1
3cde235ae768a6495ac89defab081c54bd4c2eff

SHA256
a08c219032d3c9671281cca7ee2c4a63c1a7419aa5e81395b675c10c42cdf5a2

SHA512
4966433d3e034b11336d93d6a6949f356d82d1f8187d93d3c9ddd4b830d8b80662862718eb2d7fa9c84d984b07afec6322f3c73a38bf3cd2e26d1ef6eedada88

Download Submit
C:\Users\Admin\AppData\Local\Temp\uIAA.exe

Filesize
193KB

MD5
e9a736facddb9a43e65dbba965d86032

SHA1
20738d6fc53ceaeb915b4dc51b9a1abb479a9831

SHA256
9f5ee9851d63b5b4f62d75647e290a87b71992469d45023239472a066e2feea6

SHA512
45989fcfa0fb8cbde45663e9a2cd31c9337fc6a8825e3db76161fd49686e596d5a9387491eeaeb72cb1bb21660c58cd3512af3568005b9b5e2d365429c9fb229

Download Submit
C:\Users\Admin\AppData\Local\Temp\uIoY.exe

Filesize
193KB

MD5
bed4558fdd3e6720d8a7af8e0cccf216

SHA1
9ee38c3ec784b9ea58e29c8360efeba33e952585

SHA256
c021dbf98f4d6a305eb3f1e283d1d56645e949ef52b590e28a97692f5af43a36

SHA512
df950986595ddb5176825dc60672a4dce7a213577f432d1de1349dc78b2fed92dc3789ba7c8a8899e4b8319c4465f76d074bca4a56b896cd5aa4261054d422b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\uUIE.exe

Filesize
200KB

MD5
50339592f41a23ddb39e3c979e7b70ce

SHA1
43136b024e38aaafbaf812380ffd8c201ca0729e

SHA256
d23de62dc9c3604f1c87db2db58b56ba47ec58fcc52a3d0f1364c3fbe09e02e4

SHA512
03a8269b5ccf0dce2912892732a0ff943935dd474e09229523b44f91b7745cebcd2e47c34e4db8c4e888b3fcff4a0db5648548abe77446b3f610dcbcbb259a97

Download Submit
C:\Users\Admin\AppData\Local\Temp\uYMU.exe

Filesize
199KB

MD5
6dd805176bf26c00c5efced671e91eac

SHA1
67931a812baaf337db88f21e421e616e709ccebf

SHA256
9474253529460f150048830e249ceab63584fadc08afd692096329ead2093d67

SHA512
275baed05cc0823b4f0c3c601b9a8a7b069598902215ee5b57773c25ca9ff42376850701d31fc0d881c08711a4f0f66b4e20df92a0a45eae032817111ecf1748

Download Submit
C:\Users\Admin\AppData\Local\Temp\uwIm.exe

Filesize
205KB

MD5
0401c4059ee6a1b3f0329f90ad830ad5

SHA1
d0ff5f31be46ef9b90f86a37920857d83de42e87

SHA256
14de11ee0eaee55dc00c93c75ebf1e1adea32fe7493511eab0cb624d5b606145

SHA512
eaa8a5e78cfb3487c6bde1d1e52b80d2fac70949341246c98b9bd5d76ed11f77346d67ec324e8a176fba1950e8947928eb167834a950fba653455a6c991aaadd

Download Submit
C:\Users\Admin\AppData\Local\Temp\wYYI.exe

Filesize
575KB

MD5
f6ba8c8d3a49ac8233b6d6489ea6b5e3

SHA1
91d6c79a1327fe65726e7567e85e5b9c655abd16

SHA256
bc11ddada35686daa21c73416b4dcc2ef0689d2c224627c9c77cb2210c0e312d

SHA512
ec8d6e481bb9da72a008113c6687a29f700ea9650d522b09cc569e102368b4cd0e3f33ace158e13a41ea156285ee94e1581a31acdf3939354d3a154f957091fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\wYgs.exe

Filesize
401KB

MD5
49b523ed029e476cd6edd2c87695e083

SHA1
fc3bc3233ab63cfe8d198eac07034e95eddd09c6

SHA256
5bb26e4fe4398a5d0e3f80c96427a31b5182a9897c412a41905e4fdbce5bf4d5

SHA512
bbbb90c67b547fb9b0e35f74d9c6ff1713bcce57ae83db50f798a8366d62648ab9a5f7359d34a5d6a867e6850b0fd696ffcf5610658320af23b827c2f855acf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\wwYS.exe

Filesize
183KB

MD5
c98f4144976027741ad811ca3b974fb7

SHA1
fa09e18c3e0c021f793186ba702eb7a00566bb7e

SHA256
74b74ee702925b20690a02cae0e24806c19f5aaf22061be22aad35dce63d942c

SHA512
dc3016a1f36b6602b38cfdf0f70e3dc9ee0d0e237fd51d5a42dd9a8155378e20f87746ff0e8a824fd0fbbc2127e0359c8eda7f7bf7c714d33a1ccb8401a854b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\wwcq.exe

Filesize
658KB

MD5
7ccff89023e09394eef2bdd4fb218b6b

SHA1
c9b0e192d836befaea8405bbed3d840d57f4d81d

SHA256
d22b866aa91dae772a9eaa0e255c6947183952f2ed7b868f73f7bc52f4a016b0

SHA512
4ebd57b5f784134f36c44c30bbb061284d4d86148570f11298725f1e8717c351f02543b944da102454f39cf26d65f49bcdcb304e4ede0af345c5619b3fe4d22f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ykUE.exe

Filesize
789KB

MD5
07b7ded0434a15b945f8595127fa2905

SHA1
bd701ca60f168ac47d5fa80d2d2857b3944aa168

SHA256
c2e642ec93fe466578085edfcf5fc938471669f61619334add0238753fa580de

SHA512
0e24c255c571db6e457ade7455302b62c02464733b65f8004d36a6d6c4c9f26049c732d06fa707214a7e95400932bdba37376347c7ae52e5907d18bbfcf06fde

Download Submit
C:\Users\Admin\AppData\Local\Temp\yosa.exe

Filesize
201KB

MD5
a07bac459f7b6ba40ed8fa81efab8451

SHA1
d7cdd10fcf5ca04ab45d2cdd8d9934d996074b77

SHA256
d5e476116e98a33ec1d725b7c171be84aff7f8e92d6fa37f8148a434df55c869

SHA512
7676fca53b6c33c12793211a12eac93495cdb3c2ee378cd8b48e07ba2ada27e3fc9f26a4d8a4d67f919168ee5b5bf1c55fda6cdcdff409cccca522b7c74070e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ywom.exe

Filesize
200KB

MD5
536e7c21780f20ead1fb1e307f451952

SHA1
b17085855532df1564bf4883a5c1cc2ff61e8a1a

SHA256
31b6d68eb69f68118ad87c3ec2fd30954b0513dcc483b3a3d960a7ff784e0cf9

SHA512
b3c6099c9793d65d496aa82054d971e897d66630b4849ce715471afc19462280503771bae3fe1ed3a16d19b9213a632b04c8037319873334887cf587ce915fff

Download Submit
C:\Users\Admin\Music\CloseFind.mp3.exe

Filesize
686KB

MD5
4b71dd577eeb4528813301f60b44ec03

SHA1
89c7b9894ddb9068e26837e2746c98a347a5946c

SHA256
7d7f85e5e2898199f2a64c2d9571cba39343a1ddbc084b1ea484445059009ff7

SHA512
623c2c1b6f0e8a4eba5ef07a3a3f26404d7697296bfde491377c51898b09baee55d378df895a48acffc47e506496ee3a0ef1e28bd9adfa54c65564c997af0a4d

Download Submit
C:\Users\Admin\USgcsckc\kIQooYMc.exe

Filesize
190KB

MD5
49b049fb56df4dc075ab8f2a0d095181

SHA1
db3992769f892e71add76d37eb5d19404a7b44eb

SHA256
5d5b6053acff7796272fad5039bfac8ae3f2bc44bfcfd56be55abfda8d4480d8

SHA512
7ef103a702fca65c60c1a1fcbd25836e7190e108822d797cb7a705d5e11c9cf6c7786772f63a8de20bf69fa12585359a4f4ff08ab94d3d8a01fa62622e2db6aa

Download Submit
C:\Users\Admin\USgcsckc\kIQooYMc.inf

Filesize
4B

MD5
88cf165b80f10039a8670ae798d54405

SHA1
3472378abcfa832dde51f30e0405b7db4fbfed68

SHA256
77a08633c3ec2ce5f8b64a331a7b83bdff6d921d7b543497afef708b930def17

SHA512
292111b50a1056bd94c5c04b76892bceee3b3ebab24afb9e89d877053278353aeec4bea8e6a06e3f74fad353192722b6141a30bf15dd45417bcc66452dfd4dba

Download Submit
memory/116-267-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/116-256-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/704-129-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/704-144-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/736-304-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/736-314-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1176-19-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1176-0-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1356-397-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1356-389-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1384-323-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1384-315-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1528-65-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1528-83-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1544-194-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1544-182-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1644-296-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1644-303-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1680-152-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1680-169-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1772-229-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1780-379-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1784-140-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1784-156-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1812-15-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1832-69-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1832-53-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1892-107-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1892-95-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1988-332-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1988-341-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2028-324-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2028-333-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2068-241-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2208-132-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2248-264-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2248-275-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2776-20-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2776-33-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2776-218-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2776-285-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3864-388-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3864-380-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3948-79-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3948-94-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4084-181-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4084-170-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4276-369-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4348-207-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4348-190-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4412-57-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4412-41-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4584-286-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4584-294-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4592-5-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4620-237-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4620-257-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4684-45-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4740-353-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4740-343-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4748-103-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4748-120-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4828-349-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4828-361-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download