5a0630b5158d1cf91a46ae0ec99ccb8d1983eb3070b7c422bc31a75be9af3940

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
25-04-2024 10:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
Size

117KB
MD5

7f7f8daffd0393693e67969ab2723f0c
SHA1

ca2c0fcc4d37f0eb37179fcb1acb448da024269c
SHA256

5a0630b5158d1cf91a46ae0ec99ccb8d1983eb3070b7c422bc31a75be9af3940
SHA512

e550dc22ff11820d7a02f8e50cb91afeae3fa0b46669e6a31aa00d3901309faad6d53afad79be9270df50a42e013373d76910d1463b770a09d881bcbb0379dba
SSDEEP

1536:cVpMBh63xyp6UE7e/MUVv+stPTfe8XSJbOfef0fbfufZfvfNf3f/EcQz7q9zmo3q:K2hWyp6UMUh+MbfeYv7qJmQwJwMp5Kq

Score

10^/10

evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (82) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

vugMIYsU.exesAEkAUwc.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	vugMIYsU.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	sAEkAUwc.exe

Executes dropped EXE 2 IoCs

Processes:

sAEkAUwc.exevugMIYsU.exe

pid process

3236 sAEkAUwc.exe
1400 vugMIYsU.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
3236	sAEkAUwc.exe
1400	vugMIYsU.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

vugMIYsU.exe2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exesAEkAUwc.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vugMIYsU.exe = "C:\\ProgramData\\rCwsgIEI\\vugMIYsU.exe"	vugMIYsU.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sAEkAUwc.exe = "C:\\Users\\Admin\\lOkggAMY\\sAEkAUwc.exe"	2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vugMIYsU.exe = "C:\\ProgramData\\rCwsgIEI\\vugMIYsU.exe"	2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sAEkAUwc.exe = "C:\\Users\\Admin\\lOkggAMY\\sAEkAUwc.exe"	sAEkAUwc.exe

Drops file in System32 directory 1 IoCs

Processes:

sAEkAUwc.exe

description ioc process

File created C:\Windows\SysWOW64\shell32.dll.exe sAEkAUwc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\SysWOW64\shell32.dll.exe	sAEkAUwc.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

Processes:

pid	process
3232	reg.exe
2424	reg.exe
5104	reg.exe
3676	reg.exe
4692	reg.exe
1804	reg.exe
4796	reg.exe
1076	reg.exe
4752	reg.exe
3188	reg.exe
5076	reg.exe
852	reg.exe
4040	reg.exe
1096	reg.exe
5048	reg.exe
1604	reg.exe
4944	reg.exe
4768	reg.exe
2236	reg.exe
4460	reg.exe
4748	reg.exe
4780	reg.exe
2404	reg.exe
3004	reg.exe
4692	reg.exe
3476	reg.exe
1576	reg.exe
3872	reg.exe
4408	reg.exe
4148	reg.exe
4352	reg.exe
1896	reg.exe
2284	reg.exe
4596	reg.exe
2000	reg.exe
4316	reg.exe
1644	reg.exe
3056	reg.exe
4200	reg.exe
3000	reg.exe
2876	reg.exe
4540	reg.exe
1352	reg.exe
3188	reg.exe
3384	reg.exe
1776	reg.exe
4056	reg.exe
4052	reg.exe
264	reg.exe
1240	reg.exe
4300	reg.exe
4076	reg.exe
1548	reg.exe
1516	reg.exe
3788	reg.exe
1976	reg.exe
956	reg.exe
1600	reg.exe
1804	reg.exe
4828	reg.exe
3476	reg.exe
3056	reg.exe
3624	reg.exe
3564	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe

pid	process
808	2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
808	2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
808	2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
808	2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
2476	2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
2476	2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
2476	2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
2476	2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
1496	2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
1496	2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
1496	2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
1496	2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
4684	2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
4684	2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
4684	2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
4684	2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
2084	2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
2084	2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
2084	2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
2084	2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
752	2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
752	2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
752	2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
752	2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
4212	2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
4212	2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
4212	2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
4212	2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
3660	2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
3660	2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
3660	2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
3660	2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
4200	2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
4200	2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
4200	2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
4200	2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
1976	2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
1976	2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
1976	2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
1976	2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
4672	2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
4672	2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
4672	2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
4672	2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
3000	2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
3000	2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
3000	2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
3000	2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
516	2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
516	2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
516	2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
516	2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
1748	2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
1748	2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
1748	2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
1748	2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
2204	2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
2204	2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
2204	2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
2204	2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
2356	2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
2356	2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
2356	2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
2356	2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

vugMIYsU.exesAEkAUwc.exe

pid process

1400 vugMIYsU.exe
3236 sAEkAUwc.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

vugMIYsU.exesAEkAUwc.exe

pid	process
1400	vugMIYsU.exe
3236	sAEkAUwc.exe
1400	vugMIYsU.exe
3236	sAEkAUwc.exe
1400	vugMIYsU.exe
3236	sAEkAUwc.exe
1400	vugMIYsU.exe
3236	sAEkAUwc.exe
1400	vugMIYsU.exe
3236	sAEkAUwc.exe
1400	vugMIYsU.exe
3236	sAEkAUwc.exe
1400	vugMIYsU.exe
3236	sAEkAUwc.exe
1400	vugMIYsU.exe
3236	sAEkAUwc.exe
1400	vugMIYsU.exe
3236	sAEkAUwc.exe
1400	vugMIYsU.exe
3236	sAEkAUwc.exe
1400	vugMIYsU.exe
3236	sAEkAUwc.exe
1400	vugMIYsU.exe
3236	sAEkAUwc.exe
1400	vugMIYsU.exe
3236	sAEkAUwc.exe
1400	vugMIYsU.exe
3236	sAEkAUwc.exe
1400	vugMIYsU.exe
3236	sAEkAUwc.exe
1400	vugMIYsU.exe
3236	sAEkAUwc.exe
1400	vugMIYsU.exe
3236	sAEkAUwc.exe
1400	vugMIYsU.exe
3236	sAEkAUwc.exe
1400	vugMIYsU.exe
3236	sAEkAUwc.exe
1400	vugMIYsU.exe
3236	sAEkAUwc.exe
1400	vugMIYsU.exe
3236	sAEkAUwc.exe
1400	vugMIYsU.exe
3236	sAEkAUwc.exe
1400	vugMIYsU.exe
3236	sAEkAUwc.exe
1400	vugMIYsU.exe
3236	sAEkAUwc.exe
1400	vugMIYsU.exe
3236	sAEkAUwc.exe
1400	vugMIYsU.exe
3236	sAEkAUwc.exe
1400	vugMIYsU.exe
3236	sAEkAUwc.exe
1400	vugMIYsU.exe
3236	sAEkAUwc.exe
1400	vugMIYsU.exe
3236	sAEkAUwc.exe
1400	vugMIYsU.exe
3236	sAEkAUwc.exe
1400	vugMIYsU.exe
3236	sAEkAUwc.exe
1400	vugMIYsU.exe
3236	sAEkAUwc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.execmd.execmd.exe2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.execmd.execmd.exe2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.execmd.exe

description	pid	process	target process
PID 808 wrote to memory of 3236	808	2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe	sAEkAUwc.exe
PID 808 wrote to memory of 3236	808	2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe	sAEkAUwc.exe
PID 808 wrote to memory of 3236	808	2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe	sAEkAUwc.exe
PID 808 wrote to memory of 1400	808	2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe	vugMIYsU.exe
PID 808 wrote to memory of 1400	808	2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe	vugMIYsU.exe
PID 808 wrote to memory of 1400	808	2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe	vugMIYsU.exe
PID 808 wrote to memory of 3240	808	2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe	cmd.exe
PID 808 wrote to memory of 3240	808	2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe	cmd.exe
PID 808 wrote to memory of 3240	808	2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe	cmd.exe
PID 3240 wrote to memory of 2476	3240	cmd.exe	2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
PID 3240 wrote to memory of 2476	3240	cmd.exe	2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
PID 3240 wrote to memory of 2476	3240	cmd.exe	2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
PID 808 wrote to memory of 4460	808	2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe	reg.exe
PID 808 wrote to memory of 4460	808	2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe	reg.exe
PID 808 wrote to memory of 4460	808	2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe	reg.exe
PID 808 wrote to memory of 4480	808	2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe	reg.exe
PID 808 wrote to memory of 4480	808	2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe	reg.exe
PID 808 wrote to memory of 4480	808	2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe	reg.exe
PID 808 wrote to memory of 1888	808	2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe	reg.exe
PID 808 wrote to memory of 1888	808	2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe	reg.exe
PID 808 wrote to memory of 1888	808	2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe	reg.exe
PID 808 wrote to memory of 740	808	2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe	cmd.exe
PID 808 wrote to memory of 740	808	2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe	cmd.exe
PID 808 wrote to memory of 740	808	2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe	cmd.exe
PID 740 wrote to memory of 3436	740	cmd.exe	cscript.exe
PID 740 wrote to memory of 3436	740	cmd.exe	cscript.exe
PID 740 wrote to memory of 3436	740	cmd.exe	cscript.exe
PID 2476 wrote to memory of 4948	2476	2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe	cmd.exe
PID 2476 wrote to memory of 4948	2476	2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe	cmd.exe
PID 2476 wrote to memory of 4948	2476	2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe	cmd.exe
PID 4948 wrote to memory of 1496	4948	cmd.exe	2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
PID 4948 wrote to memory of 1496	4948	cmd.exe	2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
PID 4948 wrote to memory of 1496	4948	cmd.exe	2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
PID 2476 wrote to memory of 3788	2476	2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe	reg.exe
PID 2476 wrote to memory of 3788	2476	2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe	reg.exe
PID 2476 wrote to memory of 3788	2476	2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe	reg.exe
PID 2476 wrote to memory of 1592	2476	2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe	reg.exe
PID 2476 wrote to memory of 1592	2476	2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe	reg.exe
PID 2476 wrote to memory of 1592	2476	2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe	reg.exe
PID 2476 wrote to memory of 3736	2476	2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe	reg.exe
PID 2476 wrote to memory of 3736	2476	2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe	reg.exe
PID 2476 wrote to memory of 3736	2476	2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe	reg.exe
PID 2476 wrote to memory of 3868	2476	2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe	cmd.exe
PID 2476 wrote to memory of 3868	2476	2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe	cmd.exe
PID 2476 wrote to memory of 3868	2476	2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe	cmd.exe
PID 3868 wrote to memory of 4904	3868	cmd.exe	cscript.exe
PID 3868 wrote to memory of 4904	3868	cmd.exe	cscript.exe
PID 3868 wrote to memory of 4904	3868	cmd.exe	cscript.exe
PID 1496 wrote to memory of 2104	1496	2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe	cmd.exe
PID 1496 wrote to memory of 2104	1496	2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe	cmd.exe
PID 1496 wrote to memory of 2104	1496	2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe	cmd.exe
PID 1496 wrote to memory of 3432	1496	2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe	reg.exe
PID 1496 wrote to memory of 3432	1496	2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe	reg.exe
PID 1496 wrote to memory of 3432	1496	2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe	reg.exe
PID 1496 wrote to memory of 2828	1496	2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe	reg.exe
PID 1496 wrote to memory of 2828	1496	2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe	reg.exe
PID 1496 wrote to memory of 2828	1496	2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe	reg.exe
PID 1496 wrote to memory of 3792	1496	2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe	reg.exe
PID 1496 wrote to memory of 3792	1496	2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe	reg.exe
PID 1496 wrote to memory of 3792	1496	2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe	reg.exe
PID 1496 wrote to memory of 3156	1496	2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe	cmd.exe
PID 1496 wrote to memory of 3156	1496	2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe	cmd.exe
PID 1496 wrote to memory of 3156	1496	2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe	cmd.exe
PID 2104 wrote to memory of 4684	2104	cmd.exe	2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:808
- C:\Users\Admin\lOkggAMY\sAEkAUwc.exe
  "C:\Users\Admin\lOkggAMY\sAEkAUwc.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:3236
- C:\ProgramData\rCwsgIEI\vugMIYsU.exe
  "C:\ProgramData\rCwsgIEI\vugMIYsU.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:1400
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3240
- - C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
    C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2476
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4948
    - - C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1496
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2104
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock"
        8⤵
        
        PID:3676
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock"
        10⤵
        
        PID:4040
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock"
        12⤵
        
        PID:3436
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock"
        14⤵
        
        PID:2828
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock"
        16⤵
        
        PID:3268
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock"
        18⤵
        
        PID:1856
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock"
        20⤵
        
        PID:1036
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock"
        22⤵
        
        PID:5036
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock"
        24⤵
        
        PID:776
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock"
        26⤵
        
        PID:1308
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock"
        28⤵
        
        PID:2488
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock"
        30⤵
        
        PID:4576
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock"
        32⤵
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock
        33⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock"
        34⤵
        
        PID:3592
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock
        35⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock"
        36⤵
        
        PID:2392
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock
        37⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock"
        38⤵
        
        PID:1716
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock
        39⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock"
        40⤵
        
        PID:3132
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock
        41⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock"
        42⤵
        
        PID:2248
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        43⤵
        
        PID:4752
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock
        43⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock"
        44⤵
        
        PID:3672
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock
        45⤵
        
        PID:624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock"
        46⤵
        
        PID:2132
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock
        47⤵
        
        PID:3384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock"
        48⤵
        
        PID:4888
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock
        49⤵
        
        PID:3144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock"
        50⤵
        
        PID:1956
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock
        51⤵
        
        PID:1088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock"
        52⤵
        
        PID:624
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock
        53⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock"
        54⤵
        
        PID:1820
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock
        55⤵
        
        PID:776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock"
        56⤵
        
        PID:1916
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock
        57⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock"
        58⤵
        
        PID:4884
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock
        59⤵
        
        PID:3232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock"
        60⤵
        
        PID:4692
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock
        61⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock"
        62⤵
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock
        63⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock"
        64⤵
        
        PID:216
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock
        65⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock"
        66⤵
        
        PID:3776
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock
        67⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock"
        68⤵
        
        PID:4040
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock
        69⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock"
        70⤵
        
        PID:3452
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock
        71⤵
        
        PID:264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock"
        72⤵
        
        PID:2036
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock
        73⤵
        
        PID:680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock"
        74⤵
        
        PID:1576
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock
        75⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock"
        76⤵
        
        PID:4736
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock
        77⤵
        
        PID:1240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock"
        78⤵
        
        PID:4940
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock
        79⤵
        
        PID:3568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock"
        80⤵
        
        PID:4748
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock
        81⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock"
        82⤵
        
        PID:2748
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock
        83⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock"
        84⤵
        
        PID:4472
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock
        85⤵
        
        PID:448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock"
        86⤵
        
        PID:4056
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock
        87⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock"
        88⤵
        
        PID:4948
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock
        89⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock"
        90⤵
        
        PID:4544
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock
        91⤵
        
        PID:4700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock"
        92⤵
        
        PID:2100
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock
        93⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock"
        94⤵
        
        PID:4888
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock
        95⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock"
        96⤵
        
        PID:812
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock
        97⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock"
        98⤵
        
        PID:1732
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock
        99⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock"
        100⤵
        
        PID:652
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock
        101⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock"
        102⤵
        
        PID:1528
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock
        103⤵
        
        PID:752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock"
        104⤵
        
        PID:4856
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock
        105⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock"
        106⤵
        
        PID:3872
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock
        107⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock"
        108⤵
        
        PID:4964
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock
        109⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock"
        110⤵
        
        PID:3124
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        111⤵
        
        PID:4820
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock
        111⤵
        
        PID:956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock"
        112⤵
        
        PID:1880
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock
        113⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock"
        114⤵
        
        PID:2600
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock
        115⤵
        
        PID:724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock"
        116⤵
        
        PID:3132
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock
        117⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock"
        118⤵
        
        PID:4752
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock
        119⤵
        
        PID:752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock"
        120⤵
        
        PID:1908
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock
        121⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock"
        122⤵
        
        PID:4968
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        123⤵
        
        PID:3132
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock
        123⤵
        
        PID:1088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock"
        124⤵
        
        PID:4856
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        125⤵
        
        PID:1856
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock
        125⤵
        
        PID:3240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock"
        126⤵
        
        PID:8
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock
        127⤵
        
        PID:380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock"
        128⤵
        
        PID:1080
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock
        129⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock"
        130⤵
        
        PID:1548
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        131⤵
        
        PID:436
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock
        131⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock"
        132⤵
        
        PID:3620
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock
        133⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock"
        134⤵
        
        PID:4516
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock
        135⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock"
        136⤵
        
        PID:4884
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock
        137⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock"
        138⤵
        
        PID:752
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        139⤵
        
        PID:1984
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock
        139⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock"
        140⤵
        
        PID:4040
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        141⤵
        
        PID:4516
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock
        141⤵
        
        PID:3872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock"
        142⤵
        
        PID:3048
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock
        143⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock"
        144⤵
        
        PID:4756
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock
        145⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock"
        146⤵
        
        PID:4796
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock
        147⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock"
        148⤵
        
        PID:4556
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock
        149⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock"
        150⤵
        
        PID:1856
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock
        151⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock"
        152⤵
        
        PID:4412
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock
        153⤵
        
        PID:996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock"
        154⤵
        
        PID:4964
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock
        155⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock"
        156⤵
        
        PID:4856
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        157⤵
        
        PID:4352
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock
        157⤵
        
        PID:3120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock"
        158⤵
        
        PID:624
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        159⤵
        
        PID:1420
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock
        159⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock"
        160⤵
        
        PID:3488
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock
        161⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock"
        162⤵
        
        PID:8
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock
        163⤵
        
        PID:852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock"
        164⤵
        
        PID:2496
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock
        165⤵
        
        PID:3320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock"
        166⤵
        
        PID:1932
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock
        167⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock"
        168⤵
        
        PID:2876
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        169⤵
        
        PID:1324
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock
        169⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock"
        170⤵
        
        PID:3216
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        171⤵
        
        PID:996
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock
        171⤵
        
        PID:3792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock"
        172⤵
        
        PID:3788
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock
        173⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock"
        174⤵
        
        PID:3476
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        175⤵
        
        PID:4328
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock
        175⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock"
        176⤵
        
        PID:2100
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock
        177⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock"
        178⤵
        
        PID:4516
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock
        179⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock"
        180⤵
        
        PID:3888
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock
        181⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock"
        182⤵
        
        PID:3836
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock
        183⤵
        
        PID:464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock"
        184⤵
        
        PID:2236
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock
        185⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock"
        186⤵
        
        PID:4700
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock
        187⤵
        
        PID:3320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock"
        188⤵
        
        PID:3632
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        189⤵
        
        PID:1820
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock
        189⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock"
        190⤵
        
        PID:4300
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        191⤵
        
        PID:1228
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock
        191⤵
        
        PID:748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock"
        192⤵
        
        PID:4796
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock
        193⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock"
        194⤵
        
        PID:1716
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        195⤵
        
        PID:4756
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock
        195⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock"
        196⤵
        
        PID:3620
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        197⤵
        
        PID:1804
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock
        197⤵
        
        PID:4228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock"
        198⤵
        
        PID:4660
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        199⤵
        
        PID:4392
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock
        199⤵
        
        PID:4056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        200⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        200⤵
        Modifies registry key
        
        PID:1604
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        201⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        200⤵
        Modifies registry key
        
        PID:4944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        198⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        198⤵
        
        PID:3592
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        199⤵
        
        PID:3232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        198⤵
        UAC bypass
        
        PID:5040
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        199⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HGEEYsAo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe""
        198⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        199⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        196⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        196⤵
        Modifies registry key
        
        PID:3056
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        197⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        196⤵
        UAC bypass
        
        PID:3364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kQckgEEU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe""
        196⤵
        
        PID:3320
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        197⤵
        
        PID:3120
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        197⤵
        
        PID:812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        194⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        194⤵
        
        PID:920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        194⤵
        UAC bypass
        Modifies registry key
        
        PID:4752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kYQcoEog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe""
        194⤵
        
        PID:3788
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        195⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        192⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        192⤵
        Modifies registry key
        
        PID:1776
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        193⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        192⤵
        Modifies registry key
        
        PID:3476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qGwgIgog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe""
        192⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        193⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        190⤵
        
        PID:2456
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        191⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        190⤵
        Modifies registry key
        
        PID:1976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        190⤵
        Modifies registry key
        
        PID:4352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rAUoMoEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe""
        190⤵
        
        PID:3056
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        191⤵
        
        PID:3872
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        191⤵
        
        PID:1152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        188⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        188⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        188⤵
        UAC bypass
        Modifies registry key
        
        PID:2404
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        189⤵
        
        PID:4748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LywgYEMo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe""
        188⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        189⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        186⤵
        Modifies visibility of file extensions in Explorer
        
        PID:380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        186⤵
        
        PID:1528
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        187⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        186⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FCkUYcEM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe""
        186⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        187⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        184⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        184⤵
        
        PID:3904
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        185⤵
        
        PID:3488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        184⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tMQYgUoU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe""
        184⤵
        
        PID:724
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        185⤵
        
        PID:852
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        185⤵
        
        PID:1228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        182⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        182⤵
        
        PID:3232
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        183⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        182⤵
        Modifies registry key
        
        PID:4780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eIwIkIIk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe""
        182⤵
        
        PID:624
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        183⤵
        
        PID:752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        180⤵
        Modifies visibility of file extensions in Explorer
        
        PID:640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        180⤵
        Modifies registry key
        
        PID:1076
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        181⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        180⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IQokYgQU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe""
        180⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        181⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        178⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        178⤵
        
        PID:956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        178⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qkUUoYIQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe""
        178⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        179⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        176⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        176⤵
        
        PID:812
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        177⤵
        
        PID:264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        176⤵
        UAC bypass
        
        PID:1548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mAkwcoEE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe""
        176⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        177⤵
        
        PID:3672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        174⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        174⤵
        Modifies registry key
        
        PID:4748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        174⤵
        UAC bypass
        
        PID:2000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xOIAUYoo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe""
        174⤵
        
        PID:1912
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        175⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        175⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        172⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        172⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        172⤵
        
        PID:3424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BIkAYocU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe""
        172⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        173⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        170⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        170⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        170⤵
        UAC bypass
        
        PID:5008
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        171⤵
        
        PID:920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xEsYIoEo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe""
        170⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        171⤵
        
        PID:1308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        168⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1516
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        169⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        168⤵
        Modifies registry key
        
        PID:3004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        168⤵
        UAC bypass
        
        PID:3424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\USIUEQUQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe""
        168⤵
        
        PID:8
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        169⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        166⤵
        
        PID:1152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        166⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        166⤵
        UAC bypass
        Modifies registry key
        
        PID:3676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QKAgUYoI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe""
        166⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        167⤵
        
        PID:4756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        164⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        164⤵
        
        PID:3836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        164⤵
        UAC bypass
        
        PID:4040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SEQcAccI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe""
        164⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        165⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        162⤵
        
        PID:3904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        162⤵
        
        PID:4540
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        163⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        162⤵
        UAC bypass
        
        PID:996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sKYIEIYQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe""
        162⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        163⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        160⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        160⤵
        
        PID:4228
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        161⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        160⤵
        UAC bypass
        
        PID:3872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OQMIokkU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe""
        160⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        161⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        158⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        158⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        158⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TqsckIkM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe""
        158⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        159⤵
        
        PID:1076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        156⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        156⤵
        
        PID:3320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        156⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lMcEIQYY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe""
        156⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        157⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        154⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3232
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        155⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        154⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        154⤵
        UAC bypass
        
        PID:4752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nGcgcokc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe""
        154⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        155⤵
        
        PID:3792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        152⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4228
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        153⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        152⤵
        
        PID:1352
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        153⤵
        
        PID:1080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        152⤵
        UAC bypass
        
        PID:4232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qKQEUokE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe""
        152⤵
        
        PID:3888
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        153⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        150⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        150⤵
        
        PID:264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        150⤵
        Modifies registry key
        
        PID:4408
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        151⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IkYscoEs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe""
        150⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        151⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        148⤵
        
        PID:3120
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        149⤵
        
        PID:972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        148⤵
        Modifies registry key
        
        PID:3872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        148⤵
        UAC bypass
        
        PID:3788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SqccYwUY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe""
        148⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        149⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        146⤵
        Modifies visibility of file extensions in Explorer
        
        PID:380
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        147⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        146⤵
        Modifies registry key
        
        PID:1548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        146⤵
        
        PID:920
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        147⤵
        
        PID:852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AEoMwUQE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe""
        146⤵
        
        PID:752
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        147⤵
        
        PID:3232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        144⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        144⤵
        
        PID:1324
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        145⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        144⤵
        
        PID:2744
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        145⤵
        
        PID:3620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NoUocUwU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe""
        144⤵
        
        PID:4228
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        145⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        145⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        142⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        142⤵
        Modifies registry key
        
        PID:1576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        142⤵
        UAC bypass
        
        PID:1516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ReoYosog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe""
        142⤵
        
        PID:972
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        143⤵
        
        PID:3364
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        143⤵
        
        PID:4328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        140⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        140⤵
        
        PID:3792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        140⤵
        UAC bypass
        
        PID:3292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\deEksIso.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe""
        140⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        141⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        138⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        138⤵
        
        PID:3620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        138⤵
        Modifies registry key
        
        PID:4076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dGEcAQEs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe""
        138⤵
        
        PID:4228
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        139⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        136⤵
        Modifies visibility of file extensions in Explorer
        
        PID:464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        136⤵
        
        PID:3364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        136⤵
        
        PID:996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GaYMsQkY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe""
        136⤵
        
        PID:780
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        137⤵
        
        PID:8
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        134⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        134⤵
        
        PID:1228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        134⤵
        UAC bypass
        
        PID:776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AeMAEwEo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe""
        134⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        135⤵
        
        PID:3220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        132⤵
        Modifies visibility of file extensions in Explorer
        
        PID:780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        132⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        132⤵
        UAC bypass
        
        PID:4428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mKggkUQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe""
        132⤵
        
        PID:1516
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        133⤵
        
        PID:3240
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        133⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        Modifies visibility of file extensions in Explorer
        
        PID:680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        
        PID:776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        UAC bypass
        Modifies registry key
        
        PID:4828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SoccUgIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe""
        130⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        131⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        UAC bypass
        Modifies registry key
        
        PID:1352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tUcsEwAw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe""
        128⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        129⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        UAC bypass
        
        PID:4228
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        127⤵
        
        PID:956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HUUAEsII.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe""
        126⤵
        
        PID:3888
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        Modifies registry key
        
        PID:5104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        UAC bypass
        
        PID:4760
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        125⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zqAswAgE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe""
        124⤵
        
        PID:436
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        UAC bypass
        
        PID:1316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NYMMAYIg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe""
        122⤵
        
        PID:852
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        
        PID:972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        UAC bypass
        Modifies registry key
        
        PID:956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wgQQMMEc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe""
        120⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        UAC bypass
        
        PID:2844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iAoQsIUM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe""
        118⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        
        PID:4292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        UAC bypass
        Modifies registry key
        
        PID:1804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eisoscgY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe""
        116⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3040
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        115⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        UAC bypass
        
        PID:1856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\huAcwgMo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe""
        114⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        
        PID:4152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        UAC bypass
        Modifies registry key
        
        PID:2000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BEkwgUsA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe""
        112⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        Modifies registry key
        
        PID:1644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        UAC bypass
        Modifies registry key
        
        PID:4300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TSEAMYEM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe""
        110⤵
        
        PID:4232
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wSQcAcUY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe""
        108⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        
        PID:4152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        
        PID:612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kEIQMAUs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe""
        106⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        UAC bypass
        
        PID:532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YkIcIUwQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe""
        104⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        UAC bypass
        
        PID:972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KIIQAQcM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe""
        102⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        Modifies registry key
        
        PID:5076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        UAC bypass
        
        PID:436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lQkYIooY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe""
        100⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        Modifies visibility of file extensions in Explorer
        
        PID:996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        Modifies registry key
        
        PID:4056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        UAC bypass
        
        PID:4748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nicgEMkk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe""
        98⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:3836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        UAC bypass
        
        PID:1856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NskYIMEs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe""
        96⤵
        
        PID:3232
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        
        PID:3776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rKogEkoI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe""
        94⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        
        PID:1308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        UAC bypass
        
        PID:4480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mkEwkEcU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe""
        92⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:4152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        UAC bypass
        
        PID:4296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wygUEIwc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe""
        90⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:3676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        Modifies registry key
        
        PID:1804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        Modifies registry key
        
        PID:4692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wIAwssIo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe""
        88⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        UAC bypass
        
        PID:4940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\imsYkcAo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe""
        86⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        Modifies registry key
        
        PID:1240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        UAC bypass
        
        PID:4908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DaMAAIoE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe""
        84⤵
        
        PID:752
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:4700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        
        PID:924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:4148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        Modifies registry key
        
        PID:4540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dmgMMgQk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe""
        82⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        
        PID:1308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        UAC bypass
        
        PID:5040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hIowsgwA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe""
        80⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        
        PID:972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        UAC bypass
        Modifies registry key
        
        PID:264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KWkEoAoE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe""
        78⤵
        
        PID:3716
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        Modifies registry key
        
        PID:2876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        UAC bypass
        
        PID:3084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kEUEAUEw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe""
        76⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        UAC bypass
        Modifies registry key
        
        PID:1600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qmMcQYQw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe""
        74⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        
        PID:3292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eqwkMQAo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe""
        72⤵
        
        PID:4748
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        UAC bypass
        
        PID:5020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\POcgogsE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe""
        70⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        Modifies visibility of file extensions in Explorer
        
        PID:624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        UAC bypass
        
        PID:4660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lEQMIMUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe""
        68⤵
        
        PID:3140
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        UAC bypass
        
        PID:3232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lKMoUsMU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe""
        66⤵
        
        PID:3868
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:3192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        
        PID:3676
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        65⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OeIYoEsc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe""
        64⤵
        
        PID:1076
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        UAC bypass
        
        PID:2464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aakAIYcw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe""
        62⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        
        PID:396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        UAC bypass
        
        PID:4200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oUQYgssQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe""
        60⤵
        
        PID:4152
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        Modifies registry key
        
        PID:4052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        UAC bypass
        
        PID:2288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vOkwkMEQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe""
        58⤵
        
        PID:1152
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        UAC bypass
        
        PID:3156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hwwUMwAI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe""
        56⤵
        
        PID:4428
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        57⤵
        
        PID:448
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:3320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:852
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        55⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lyIocQIc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe""
        54⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:3240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\duskoAcg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe""
        52⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        UAC bypass
        
        PID:448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mIQgcEEs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe""
        50⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:3744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        Modifies registry key
        
        PID:5048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        UAC bypass
        
        PID:4896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cakoQgws.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe""
        48⤵
        
        PID:4756
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4148
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        47⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        Modifies registry key
        
        PID:2236
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        47⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        UAC bypass
        
        PID:4768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UUkYkIMU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe""
        46⤵
        
        PID:376
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3564
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        45⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        
        PID:1160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        UAC bypass
        
        PID:4420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WgcEcsgg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe""
        44⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:3624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        Modifies registry key
        
        PID:2284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        Modifies registry key
        
        PID:4596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vagcAAAA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe""
        42⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        Modifies registry key
        
        PID:3000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LqkgwAkU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe""
        40⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        
        PID:900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PqUscgMo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe""
        38⤵
        
        PID:264
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:3624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        UAC bypass
        
        PID:1912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LccYYIkI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe""
        36⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        
        PID:376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\muYIUYEI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe""
        34⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qGYoMowU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe""
        32⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        
        PID:464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        
        PID:3564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        Modifies registry key
        
        PID:4768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MAkoQoQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe""
        30⤵
        
        PID:724
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:3140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        UAC bypass
        Modifies registry key
        
        PID:4692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZGAogQoE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe""
        28⤵
        
        PID:228
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lawMkwIs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe""
        26⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        UAC bypass
        Modifies registry key
        
        PID:4316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nQMgIMcw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe""
        24⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:3144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        UAC bypass
        
        PID:3672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dKYkEMUA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe""
        22⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        UAC bypass
        
        PID:1956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QqUwUcww.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe""
        20⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        UAC bypass
        
        PID:264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\awIYUYwk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe""
        18⤵
        
        PID:1308
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        UAC bypass
        
        PID:1156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MiggkQgY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe""
        16⤵
        
        PID:3568
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        Modifies registry key
        
        PID:3384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WKQkoAgA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe""
        14⤵
        
        PID:1032
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        
        PID:956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LgYcokYY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe""
        12⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:4152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        Modifies registry key
        
        PID:1896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jaYAQAUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe""
        10⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:3564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:4764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        
        PID:1908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VwIMcwAM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe""
        8⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:1888
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        
        PID:3432
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:2828
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        
        PID:3792
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bOMUMgUg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe""
        6⤵
        
        PID:3156
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:4224
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies registry key
      PID:3788
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:1592
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:3736
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UgQYEcQU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3868
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:4904
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies registry key
  PID:4460
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:4480
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:1888
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eGoMskcg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:740
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:3436

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:900

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv GiAkhUEB/U+HvStBg15Mxg.0.2
1⤵
PID:3056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\User Account Pictures\guest.bmp.exe

Filesize
697KB

MD5
348d3a9889224a6bb244520cbbc2f26e

SHA1
8d73d9b48277ea1e800a11e78c4e824d030086e7

SHA256
596d0af1770583ea5e32c691671531455ae6c9d5594d90bceef054b54118680b

SHA512
5b3458e008ed2b49a6777d1e27ac70821842b9d47f7ee84a88885662713debb102cf16fe8fbbad32dba73d5f9393731fd47028b7cb9b7c5e92f0c7558ec96569

Download Submit
C:\ProgramData\Package Cache\{ef5af41f-d68c-48f7-bfb0-5055718601fc}\windowsdesktop-runtime-7.0.16-win-x64.exe

Filesize
720KB

MD5
fecd1334a854a94789cf438d476b6c9a

SHA1
d916a6d1069db8d8b5f84dcee98dc3472df593c4

SHA256
ca1bf2dc21aff5e8784e33ce96797a1a8cc2ab1dcb9532eadf33943a9cd6289d

SHA512
5e623f70b85011943a6ecaf19d8c8963cfb7f7393cbbf53e176183a46b3237a13862fd62db5b06a4f2ae03840ae01cfaf3e0fbf126b5310a9d58052fab520d5a

Download Submit
C:\ProgramData\rCwsgIEI\vugMIYsU.exe

Filesize
110KB

MD5
949e93686c2fb078424d6b124604de9d

SHA1
a64542c74ef98bd3ad770d2b8793d3cef5d7db07

SHA256
212a9f064a0c855c56de16023d2a68e0f9eacd0631a31ffe0580920d0709b1e0

SHA512
13dc321ed68efc8b410936b1f5531b835686a2bb70ff6a0290e71b80245d35f252ec0b365199deed048c94688bc2b0adae891c982d816ae18f3c3ba4267d29d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMLockedFileToast.png.exe

Filesize
121KB

MD5
729b2cd5bf461a9b5c02c690e5f28f55

SHA1
df5ab5776847b2d629802d0ec4787461756fa79b

SHA256
e83d52704afb796aee514b465b9b5506482a7d2c86cc7c05f2eb7c8615eb88b0

SHA512
7e1911984fe5f2cb2656e67a38dfe0edcb37e6b30ebd5200b094f76fc15dbf4ba37c70e1f43bc69a58293e5e664d9974a9590e49f4e0cb851feead6730fd25b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-400.png.exe

Filesize
114KB

MD5
40564b261b04f4990accacd3e4e1d76f

SHA1
a3db9842d3a579d3441ed1ab7bd885f1c5ac6e52

SHA256
3a4ea2d9e736923874abe209b2bed42f2fe958f30a59958adf59bff9ca47bd7b

SHA512
3b2cb5e0154bde681cc3d0f39b23b3c00c839ae3c4ad30d4faadf9e36a64010e50141acfc19833ef30328007df30688d19b002bf9acf0b5ca208ab3c06c2c1be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-400.png.exe

Filesize
113KB

MD5
323a422da6196a17b88dcc71338b4a70

SHA1
34eb6b1c2fb2fa5a733e4d24fab762992a6d56d6

SHA256
2f37dd9af4a702c70ee481f64927fad503b0d34555523bb0cd2fbc71de00064b

SHA512
c406140aa12dd2166b2219a0e2a922c17b81710d0f64890322ec5e3a9d25d2208e5b5795335bbfdede57cf26ca8d6d458d69a8c523555f66d25d8c6df7f52777

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-200.png.exe

Filesize
110KB

MD5
5ac25cf45a4a5b95bfe5618fc5705fa5

SHA1
d82c21553a0448d706650ecd0222adea54a120fa

SHA256
9eccdedce5c1ee26a4a608980a8908f155652926af76240e8b24ad3d71b86cb0

SHA512
e9592de3b576111ca03823550cdfa4fef53f3e10149f0934c4cd8a84ba607af6cc389d8e090bdb5adc26ed5e6aff84bf0daf15fa61bf4308aeed9d71e0e9f97a

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-04-25_7f7f8daffd0393693e67969ab2723f0c_virlock

Filesize
6KB

MD5
6df7065f01a6050fe6a0fc315cc1198e

SHA1
7b01a12035d29cde184590b08441c61c507a947e

SHA256
67a4ceda66f3abe6e0d18b08351d09c00e29f6a2ae3e55ad5e721218d6e45137

SHA512
6b42f9485501a09460acf5fd75f61ec0f92ed0f29a7cf26c11b9a13dabbb730f5f88f6a3e0a2f1bb20f984f8d0320bdc33e589100efb40c4fdea36f16a98db29

Download Submit
C:\Users\Admin\AppData\Local\Temp\AcgK.exe

Filesize
112KB

MD5
391d1c31ec16f926b06b9e7e8fdc8ed9

SHA1
c510c5badd15d91b717a53850872698eec375189

SHA256
c84d7dfbefcd241e618d289e17649ee5f398f60c0ce03da81f311bf575f0ddff

SHA512
a4facac888f5cf84d80e318e9a59847f9a7c99ea0a76b6eb54f2f647b99adcc2d67deb6b9d15b9f67d40b5bed03ad19efdeea5aa76d1143bcd0c10b1640be215

Download Submit
C:\Users\Admin\AppData\Local\Temp\AkMA.exe

Filesize
110KB

MD5
48e4576bdd52ac3b855125197fbafdb1

SHA1
7d066d2e6ba728e8323a1095a316b33de1598da9

SHA256
63fe9a9e7dda9e0ed7144d64951328d85c6190e3be87a4283dc5e2065159e951

SHA512
ff4e058d9f8600b4b08662cffa8ea13d4390f86be887431c3fbf9a1dc7e53d3857e13fd30c8ee29e78e6a09a4d9c0a2d74b58bdbc709dac9857e5acd1bec0438

Download Submit
C:\Users\Admin\AppData\Local\Temp\AsoA.exe

Filesize
485KB

MD5
8059fb38580683926e58e0f41fd0e030

SHA1
3f81deea195f4e7963ef9f58e21f8b7cc8adacda

SHA256
eff32e8b81ffc4911a5c3ea283136f466e47941720acc63d750df5c1e6b609e8

SHA512
5e36cfa37fb6a38da470bc53df0c90fc2ac63da3713cf7bc78f54cf57c7ee9daa6bc02ef0188555c72b6636fee399a91011d0966bf0550463341840699ed0729

Download Submit
C:\Users\Admin\AppData\Local\Temp\Awsa.ico

Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\CAAM.exe

Filesize
111KB

MD5
f271bd12bd09ad5a21b202740586229b

SHA1
b2834726d456998dcde1a1c7a89bc98b3772b7c9

SHA256
db4e7f15271b8993f501463cab9b2bae332645500a0210f5f1ea85327c6e9a5c

SHA512
dd687d83166b5936e6d20bbab95406abcfc4eb0bff0c9390b1d7dde0e15a83cd91e29f373ec37915a68a260865d5a874cf17e7317a21b484f296031441540f5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\CEYe.exe

Filesize
117KB

MD5
eeb95c4e8d067a63c06c1cf0a29c316d

SHA1
05dd37b2b09de6729920d55d36bf9c94f353e251

SHA256
bbacac4c222fdc4d5696a7fe3dcf7f8fc35e6d1d1fa3354a95c074a1abc47789

SHA512
2cfaf496cde90b875e0c4fc28d1a0eb977b2f946cdf7338adb1757ff2eeca631f4d16d668df97d1594b0b754a8aec6011d85d72db76049d9ca8771d458fc87db

Download Submit
C:\Users\Admin\AppData\Local\Temp\CcoK.exe

Filesize
238KB

MD5
99ec766d4edcfb855123592e371783d7

SHA1
f2374ddbb5d6a5342f7a5ee242c1e976fdbb028a

SHA256
9387d0965cfaad58e7105ef6ced58691dd6134d91d2dd9e61aa2633ddd5289aa

SHA512
c4e9ffb0e2b97c40b93af451d490a06dd805b9b1d4fec772fc9325cb1132ca47ec0f8cebb16c58f7eaa75c1e22ef238acd2d8c3c4973edaac324bb73b0e97262

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cwwi.exe

Filesize
115KB

MD5
c665e1b268deed0d662e048064e9fb21

SHA1
ad18980e6fa56cbc55fa9320079f4532140fe156

SHA256
caf5eb5738d94349fc8a25dfac51d35f169cb5cb809d924f3d68cc0adadd6764

SHA512
986bf40023997e956038ae7df43dcd115e0b9e367d6be254cf63d47ca72700279bdbba1707b7e7fa9267b8086690d0564c880a4595e2156f3ea887091a2bd51f

Download Submit
C:\Users\Admin\AppData\Local\Temp\EAgW.exe

Filesize
111KB

MD5
5de747db2ce32a642517fd3177a5c315

SHA1
a328bc91b3ed6ee487bcf9f05533f54af4d1eb3a

SHA256
09126817ec501cbb6f18c0c3f92d8e0508c973ec86ebbb69e26b71973dbe5d09

SHA512
ec00db9db27d0291d8c2c46fd7584561c1b3c9f6ce280a23de423ffda3abf7e97c4457b534536a4f149ed8e7a132e5fbfbcc7e2a6a602d2a815d9257288ea79f

Download Submit
C:\Users\Admin\AppData\Local\Temp\EUwu.exe

Filesize
111KB

MD5
9a1d31bf10bff267efec4a078694240d

SHA1
fd1da25082ef42c45a83edd15bc65d5911b76b92

SHA256
2c75896796c6f97762b6a113e84de10813b80b7860137a30fefecebbf793c0e2

SHA512
a92d7295802c8ba2c4b3d2d118c89578d408783eaf8c06757d3404b6a12910f8454671bf0ecbe8fdc886f49c2a3dfe7e222b3754584d780c1e197d89e8191c60

Download Submit
C:\Users\Admin\AppData\Local\Temp\EYIa.exe

Filesize
115KB

MD5
88affb87d70879edc92cbd2fe5f50818

SHA1
ebe673b905838cb20082487ece4ec40539d4112e

SHA256
8fd9f41a05146b2c80ff2930b8b9d5e3b1f64d1d0db5462091fc8b521bdb7083

SHA512
fc66203952cfdcaa6ad7a62f273076012dff03fc7b091b5947574a99ba3ff54ced110b34778b2861270a1e07cdd64722585cfe5a57c3554d7a9113417be203a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ekoo.exe

Filesize
109KB

MD5
965198d9ccb297afd8645845b8920e27

SHA1
f50945f06899231193b61e555c2c1c10c09c5387

SHA256
95a80f8cc6fcc3ae5ac7c1aa0775b29d36f5ec3918c476bd33c10ff9cc23f6a0

SHA512
674064d81ded252034729a616a3517c273606f6c3eec5c47df787ba4f3bc36328fd3b81f16c50022bed60a34673995d61982905551e5e06b91a968351a2bd8fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\EsUa.exe

Filesize
120KB

MD5
24b2ced9e338f64094b1a8dcb6ea6918

SHA1
a74212ac9d041603e99b699ebd340536ae5a5f80

SHA256
348f92fb62984db9fd190d2312d2d2545c0153338944104286e5e46890443699

SHA512
47bbcd145b60f8e5881742a2f23035046da283c665ea8950f6bf5e72ef47c570764f07f608c26d9dbbf95f715bcf10dcec32fb687443937f1f9c82fa3db22f37

Download Submit
C:\Users\Admin\AppData\Local\Temp\Escu.exe

Filesize
110KB

MD5
77e8bf0d0aab2fddded46ad3c4124a25

SHA1
b548dcf5443416c7c43c107d2e82cc3d66fbfae6

SHA256
e05782e145c7fd6652bb06b62ee4ba55a32a64cf7e84e22ee2eb2b7740bc7dda

SHA512
0075ab1f1c02eab9dbfd2222ad1750463e8d31f56e9b4a06851e956f9cf6c2764e051534fe583949e8898a92702ec7d58dba592d03fea10119fa024941dc0a6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Essq.exe

Filesize
236KB

MD5
9114b9efab6c3996447827ac7805e42f

SHA1
58d1029164db22c282ec7d1ca293bbe39753b346

SHA256
098161ef99c7da04adb53c06eb70c6e37e162bc68247e4adc01c765b61d9b870

SHA512
294b144595dd4ce8428d00e6d783521c47bf77577e627b3fd0fd87d5356470719f1ce044b870d5642ff81df1f5cbc3f32fa7dcd7d19de7cd5106256afd847418

Download Submit
C:\Users\Admin\AppData\Local\Temp\GMcQ.exe

Filesize
111KB

MD5
0135da3344077527d848f41be3b94e99

SHA1
4d8e18d67440467f764ae0518d5b5d1c5d3c774c

SHA256
45d32873ade0758a04fbf3145725a9e861027e819d61acfb8556889753fc7155

SHA512
33262952ed1af22511b3d5e1f8e8ddaab19a5fde8f59a239325a86c180c53a90342a81a94dfb104b9fbd88abeeca5a9c9bc5f7d1adf7703825a1785a2a0a384a

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUkk.exe

Filesize
555KB

MD5
e7a6a297324367575b1747dfb5543cd3

SHA1
6de8ccfd3dde035305bd499802c628677c1e427c

SHA256
c8846be347518e41f7ec6f21614157f63b6f48a8224900545d399ed9a8c360ef

SHA512
24dd9b38536905e7ec14248efd23b0df6d083e2add7e719a9a1c6724f8f9b49340d409f2f6badb32ec6d95a906b8fecc916afe8eeb813f06f6faa8a6b7a16c47

Download Submit
C:\Users\Admin\AppData\Local\Temp\GkAY.exe

Filesize
113KB

MD5
fc541ccf362d8b32964fd89861d8234a

SHA1
41fa411aaae22d7b5fc47eef08d83fd17466c39b

SHA256
cd03ecd97312a1a38f811a3e982145e1337112bde53acf58a6b19e3e3a97fe8a

SHA512
b8e8283e99405a35118c195ab62ad82a3612ff643c5a4dc9addcba88315d4c2dbb6afdc70b9eb9769a55f9fda3e692c3ce2c92658810d6623896e7ad89bdba57

Download Submit
C:\Users\Admin\AppData\Local\Temp\GkAc.exe

Filesize
113KB

MD5
fdb8e3a3ee07032bdc12b9a3b51e88d5

SHA1
37b9cb2f868bab0e8cd21f9da6a92fdfc12f6277

SHA256
b543f1362bf1ae103344ca673740f1730d7c086e8758f37afbc7a70aea9f8357

SHA512
135af6c1ef11a2153115088608525afb85db98bf376a973a7dd2608d31842b5eff57e917395dadb00b08e11848080241dc85458718980d5a7d6a6d736026c890

Download Submit
C:\Users\Admin\AppData\Local\Temp\GkYM.exe

Filesize
110KB

MD5
5e0cb92923cc7c36bd46fe326263ce3f

SHA1
631d898b4bb78cd2dc6c7ad73e7bdc1f85a5001c

SHA256
2663a618947c4e929f2548e037d88b1ec69217c0113531b30feb3de1a17c777e

SHA512
2fd5c85d667d69b78e2351cea2e85268646bf11f3693c3df4e96f4af284de0dbb24a9218239e8db2d69d7e5ae191636822b485fce4be7a692b3a247e262e0dbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\GoQE.exe

Filesize
720KB

MD5
2609fd52dcfd2b488a5fee669b0040e8

SHA1
3fcac0124c860e95fdc0805e30bebcb3718e9c48

SHA256
6fd9d723500da507000529ca6a182ff17623cdced5b480a03a8efc117ef4ea58

SHA512
1458fc41d00f9f7279530be332a7d99fc3fed42392eb7dcd83d65d7bf4f871ed5de46760cd435c7bf288a2285f0b9586414cc34e93bb8a16f702a70587988606

Download Submit
C:\Users\Admin\AppData\Local\Temp\GokA.exe

Filesize
565KB

MD5
cc6cf3d1e7b86be65fa8f0ae5daf51ad

SHA1
fcd4a89b6f1c5921f459dfb69d1472c8ac99a54c

SHA256
6bb955ee74e68fb0190f33b58cfb758915a9889ceb869ba83bd68f70de0c182c

SHA512
ea59945b22fd11d6b4f2edd26cca7dd35d06c46d0819ff3fd7f2d06131d14e8968c89977dd4dd9e5c64a625cb924e50f39a65cbdf644c7d84264f397ebf91f42

Download Submit
C:\Users\Admin\AppData\Local\Temp\IQcQ.exe

Filesize
504KB

MD5
06f61194d1427bec796d441875ac3857

SHA1
e758d7cfdb5ee9c0eeff1a7219eaf78cf7cca25f

SHA256
17e18d3d89cc16b6d65315dc0fb50af2bb28564a0dc400dfec52da5e94a2d484

SHA512
f7cbc37b787186871dfe6db9a08f3f50f1d626f5f84890f7b3f901167c88080e4fab58f2a252055995834a2ba5df5260a825424fcc428c9e82166db898c09be8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IkAS.exe

Filesize
119KB

MD5
82a32ca025dbc7fc68197dea0eea14f0

SHA1
f642006b372762646e8fc1a401a00a45c34301a0

SHA256
e6ea46c21c6414974bca4c1a4b797229114cecff79770827f742d10c7c53339c

SHA512
51ba509ef56a480fa97cb386ed0be68f620ddb3a11913b1783891c043eb789d9ec818f7675be900b5e8e7a5106a0d076ad7edc67da82019e17ff2e49ca17a039

Download Submit
C:\Users\Admin\AppData\Local\Temp\IkAi.exe

Filesize
137KB

MD5
f5d35732468f51296463817f71dc053a

SHA1
341662aaa1014674fd23076d5bf354cdd5fe5c4e

SHA256
d850a9d7b522920689a883bb8afd80e6702ca8f5250739368481636067f0af1e

SHA512
b92401084ac385fbdaab36d740dd8cb5625f06976f9b8f2ab5801c669bd37135d6ec510c3e297588d7b94b415b03429055384bdb6902775bef37412a0cd9e27a

Download Submit
C:\Users\Admin\AppData\Local\Temp\KAoM.exe

Filesize
113KB

MD5
33ba5a41eb8496b9e0162597d8468eec

SHA1
26e5a49e5fa1117180317066495f30c037cb59ca

SHA256
81b7c989eb2a1ad74bfa2743d11608dc409bc2ec59d87303c5d783ed3d940475

SHA512
a38298dea172730e265dc047e80e9a4e121d96072d393fdc0387d2cd4439a394d4a38603ed0fe0594acf8a5938465beb72c7a061d0693512e0d532a799b0e093

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMou.exe

Filesize
139KB

MD5
b7e94e04aa3119eadca225600482d1bb

SHA1
2322a201986cad573f3082c1a1179109aeb676a2

SHA256
737022c94d391de507827be0ea3094d3254c170f88ce67b8924e102b60180550

SHA512
3d07b0a29a8713e4e070ce4896c812790b04c570cb5689db3bd9d633c1c1974409aba1b4a71ef900a737cb4d666cd5b84ef9bca660b241ed2869f1e8ec83ac46

Download Submit
C:\Users\Admin\AppData\Local\Temp\KUgU.exe

Filesize
120KB

MD5
74eb6ddbb43b5bd97791b936b39f9884

SHA1
46fec5093bfe9b70e738ab517ce2bbdd827f6358

SHA256
7f32964ecfaed72d8c215e2323da1e550bd2278de075bd5039841cad4b08e3ff

SHA512
a2d1c39b29a991203720ea91b673b5c3f1539549e75f5d1806c75620cd27ee421d527331db77ab914fbb13cbcc1bad5b3933e93f435ef0132526c2b7c72040a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\KcUy.exe

Filesize
118KB

MD5
8ed1115dfb67c791c9deff0a3baf3adf

SHA1
49753d43d0a3c368af96105c6b6ebe4a005d2b58

SHA256
02934ad6426e5e747b08c44f6a8376487f334cb3733dc8086924ae1a64eaded0

SHA512
2a1cbe7173e5480688773b9f8d7ee730a28b601ed9ec6b05507b67410663d4c85ef2585b174e2e1ed49f38d4f7ae0281f1fd1e4a39c96040ff77089d23f0e528

Download Submit
C:\Users\Admin\AppData\Local\Temp\KgYc.exe

Filesize
154KB

MD5
0244aae4d157e5146f028be5f4a0440c

SHA1
bf63cf4e5fbb689cec59e7d8d2c114efc2dd2ca5

SHA256
c473ac14a58c860e6137eadabf31cdc47637bd0aa5fe44db202e9acd3b7943ac

SHA512
8f9f5e9d987e84ed41b935317d4fc19bda9c9c8fc678b17f0795315f097d72c524cebfee24975beee6eaa34e1ca9c93b34a733ecd08dcf65e8a0b5b40b26f261

Download Submit
C:\Users\Admin\AppData\Local\Temp\MAMe.exe

Filesize
125KB

MD5
ea5641dbccfea50dec53022f1065a79a

SHA1
51d6c3c92a2efcc1ff062a92730d7bfdba938e1f

SHA256
f114b84e935ac0ea3f22a45dad92f253f3ea91880143be558a922702aa3c432b

SHA512
5fb0ee34c2e5bdd2b6342b6b1a3b24fbec63b58964b609410dff65cd58aabf0b9c6c3876f53c6d23a68114dde5cc6946673c9880c0b345d2dfd1b8c092999d77

Download Submit
C:\Users\Admin\AppData\Local\Temp\MIUG.exe

Filesize
112KB

MD5
913c2175412dd91ba44a2e6cde363988

SHA1
681113bb1dccc3962da0ef1da4177a63629cfc1d

SHA256
e3378a9a103021689c896def1dc747dd0a17e95cf5a6fd5611834063d8eea288

SHA512
bb03b73cd14ffc8b286a929f68fd685ab0fa4d681cf67226b9afbf4e701007ed52d23d33b9e780acbf0fd63a70b5ad1ca9c415b09a39a5bfcafdb16a4eb150fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\MQAy.exe

Filesize
907KB

MD5
52157c8502dc9ee4591c7bcbc6124c86

SHA1
ba9d00d6f84da2e04b24c053fedcb823df9bae80

SHA256
68193a0467a6aef297ce9d1c01e37c45c0b1b10ecfe70ef1e9656475f7ea9925

SHA512
263af5d6ca5d4af8312ff2b6e4d1ef5ea5c38c13a0e635cc54d5bad56b8dd09360f6dc0702957560657bb0d7132ba0d29417051c5c1f0979d3e55e6eade72af8

Download Submit
C:\Users\Admin\AppData\Local\Temp\OYMS.exe

Filesize
116KB

MD5
180ebc29610a81959881985fc2a9c951

SHA1
7b88452a978fa9bf749a44bd7c45be4aa73af2e9

SHA256
d663f6eee1b8a85a401aaf6714179a74f682cb046dc9c4739d6277d8050fed93

SHA512
8b864fee733c290ac44bf35442373cd9b6264e2fe6c5ffc3eb5f73f1a83bca3825bd3f7d239dd8f793417820e6fd187c36cbf7ed00dce52e98895c371606ec51

Download Submit
C:\Users\Admin\AppData\Local\Temp\QMIa.exe

Filesize
124KB

MD5
592900e0aba84c7e5231c93d5fda2cb6

SHA1
d888115bd3a04fb75a8fa15ea7e7d619be3cabd9

SHA256
6e238957754bc30d7913ce4ac619eedc84c4703cdd8fb9715ef56f566230b05e

SHA512
b4b7e48761afd9e5f941db654625c5d954262d6e15f6ec76aac11dc79b9e95fcde2ff4ca0a85b3e6d1e934dbe2d6fbd3f20e091105bd3edd16710f73eec5655b

Download Submit
C:\Users\Admin\AppData\Local\Temp\QUMu.exe

Filesize
110KB

MD5
1da5aab95991e39f8f23c2d661a114a9

SHA1
52b00e5cf83300cad044ce48c818b4c3fda83d8e

SHA256
10fd0266adee06f3547c78178149797c6a5d6df67e92c24d0cb1d00583339c0f

SHA512
afeba5d08af4022d0c77a0ec9925261bcbd3be75204f0e0ff1e32363157a9de532231e49944230a8fc16f7f02c1fe1ecdb3cc55bd55b4d36c5f7bd520e2b244e

Download Submit
C:\Users\Admin\AppData\Local\Temp\QcoG.exe

Filesize
125KB

MD5
ff140bb50d192ba7455d7c38724d2890

SHA1
a31d91af71ac94dedf847ee897ae44e91ef0ae07

SHA256
6b1d53b1c1f941488e19f209fc98bc059f257af9e66409126f7edbf141991c8c

SHA512
ec99946802e2c7ccc082d3d5b8c5d21c60b5451cec98370bc5f81a8f60c07d49c1cdfd119246272ecc2b705bc0bf74c7001a21fe9c6cbe07c2923c8a542b2347

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qcsm.exe

Filesize
111KB

MD5
f5466f04500f73f1dff981399aeb2eac

SHA1
89edcd1b82c459f637758f65f0f6646bccc8bc6a

SHA256
1ead5e8f175e581e959c51812b6ccbc60c26331211d35fdbca5306db993d20b1

SHA512
e4afef2b5427dcf14583434d7efb43f3280dc1caedda1500b46d67fc96374006e191bee3b7d39b70a4e09d237e53b8671cf16f4b394202aad7a62386a8313edf

Download Submit
C:\Users\Admin\AppData\Local\Temp\QoMw.exe

Filesize
118KB

MD5
3fd8e623aef670904124063f952b4020

SHA1
639c21a9ec3e8d97a12439df6c7084073acf0776

SHA256
fcd35afcc8848dcc3b1bbbc68164b80399abaa76f3580144da456139cb894ac9

SHA512
0af5a782bd1c455aeeb2d47dcfd2b0bd1355f33664836bb19fda90ebb974913a9c1596a4ff50f595fb747ff4c5f1ee1db5efb1c3d4574765002127973f2ef18e

Download Submit
C:\Users\Admin\AppData\Local\Temp\SIoG.exe

Filesize
112KB

MD5
78bee916005a827dd317c4fa3597a1d2

SHA1
283a94ff2dddc95dcd2cdf77294bdfaf8a5238cd

SHA256
a37c63c5b8d2b7b7ca4aa47ca9ed68f219247ff5d2601d30daafbe0a52675d0a

SHA512
6b36744372fbe23b5ad12ca561da5a3ad9c49d031e76cf3402f2dc55a6717f79a43e75ae4a8dfdb2d520f1a81b7ffbbca83cbeaeee1a2796c0234c2c7a3c6367

Download Submit
C:\Users\Admin\AppData\Local\Temp\SMYc.exe

Filesize
721KB

MD5
3c8d6c27a17ba92f9f72358d3c6a4030

SHA1
a9e02932a4c8206a0b3f75e1acc6038f7c6a6ebd

SHA256
5831702c224a44cc9793342b13daaf395db32c4185908a4cc79dbeb3e3efae9b

SHA512
de7c823e62a05ba2657207e05a9109181adc0baf0bc069f979068fb24253980c2e988f844622650649b2bc1daafefa52480b6d0660d28544176878223e74dd64

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sgcs.exe

Filesize
112KB

MD5
a15b7e1466d9f07983765e179d4e1517

SHA1
4eca9be11075569a35e5447322588063f0147f46

SHA256
b659c4b4503ae20d5956fc2f0b15f3137d25f9fc79653b72560b98a64d1477c7

SHA512
95fb9d0dbec773868b1db116e3cd3c1f140247b6d16d0cc7aadef01d9e9c078e70b1df66429007959ccaa5e10647542c46e1220b54058831bd392e4a88b60111

Download Submit
C:\Users\Admin\AppData\Local\Temp\SkUQ.ico

Filesize
4KB

MD5
ace522945d3d0ff3b6d96abef56e1427

SHA1
d71140c9657fd1b0d6e4ab8484b6cfe544616201

SHA256
daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd

SHA512
8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e

Download Submit
C:\Users\Admin\AppData\Local\Temp\UEES.exe

Filesize
110KB

MD5
e49116ebe7ca8c28571acf4eb2dff7ad

SHA1
063ac757778c41dbb63c2233c4f75fbc32e69aa7

SHA256
f8ebe6d545aee0cf2e5c4f33252077919778a4d170ffcf78d7d52c179721320f

SHA512
e90dfab66c67a985d1dcd5706b0e4643fb7c01fd6e4f17087cd1cccd5338a38ff69d958f15dd7abeb05152f9530f9d3a95b47443be1809ac2cb56045e61bc73a

Download Submit
C:\Users\Admin\AppData\Local\Temp\UIUa.exe

Filesize
112KB

MD5
a570f36dbfd29ae49155a98a4af56714

SHA1
5f306e3edbc64bd3af11bb9375e5ed0b0cd11f7f

SHA256
68267e1578e7fbb7b755d1958c695a111cc14a59c14c0ded119414da44c3418b

SHA512
042d92b7d39455af20f4b913ff5c78bc04e0382ae155565bdca92e84733173f93652db9c46243505c5f1ea060b62fdb94943ec0bc69e4697d4d36eb50677fb1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\UMkw.exe

Filesize
110KB

MD5
14a90cda4211bc9c988e1a654786e766

SHA1
8ee1f09afe7f5bf7beff0fdb0c6a201083856882

SHA256
ae00078da0f2362dfa93e74182af6390e4070c254d8f96ef4b0d4b0f171b14af

SHA512
7dbafb956b4c6ffa9b82fdf7faeac59c2569777957927d5bf8066fe7e3e0f3e4f63736faf6fce3669f43a684bab7e1f8929b1a30e919d55071df9136ea9c1027

Download Submit
C:\Users\Admin\AppData\Local\Temp\Uosg.exe

Filesize
1.7MB

MD5
f05057c63c8e6372bbf6efda1192a165

SHA1
bb915462edc7aadcf8e060d938f2915b5bbf82b6

SHA256
9fc2d8e2575bd6c81a352a03a28443a802da04221e860144529a638331bb86a9

SHA512
267dd33d26c67a200006f9a027e711f468399f203d1a0c4e46225ea987c3d2424a285b50db6a4c03f979823d4d6bda9e91990dc5568eb08ca97687b6dfd172fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\WAkM.exe

Filesize
848KB

MD5
2a84b9b46c05251fb9f0ebab96fe0020

SHA1
85543a254faa699a5d69ce7fb311db2df54dd892

SHA256
cfd3a4576f4f8f5fd4658149f6873c02403b9d00103e212272316235165080c1

SHA512
7d52b89fe526fbf0e8e221394acc8a8e411bb07fcea414bf553cd2fc35784b2844c7302267124e6d1a07ce1e4d5a49e041bf8fd3402e5921f5dcd4580c3ab418

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wggy.exe

Filesize
237KB

MD5
2dcf1b6c28a6c0d80d484c60d0c1a02b

SHA1
b2dc2d86dfa36d9fc2ce8bb0953900c39eb43eac

SHA256
15183bf722c45d2720f824a395a8b89796f3f5b80d078e1e4ef9ab2459279c5c

SHA512
616a2b926d70e5c0ea609a87d1fc3a4e447f267d6d282546b9bd7d2747f7f38dba238c8955c3f75111a4162a0c8204b06d7bfe4149e86e48ec9fea4407789bc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\YMEM.exe

Filesize
745KB

MD5
d1dedd5c40b84616d17e2f0836b716b7

SHA1
4259cac6ea3a309b7c5aebb45a57e48741d55759

SHA256
49da022a6181a866a4f3368cd57481d9f8be7dce4f872d529ba98a5f6554f01c

SHA512
74b5fb01bfbf1211446ebe77241cb1ab5709c4d3648bb9de08601a2812b5f42b5d84f14f07e6d189ed10eb2da932b3485b7b7ad7de24b8de2eb8c9663039f237

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ykkw.exe

Filesize
111KB

MD5
9cc4cc90a819bd25ea075344b1210b2d

SHA1
e82fba0342f42becf9cc5421be533ea6b698324e

SHA256
402a2084e5686f43dffa2c209aecfe04e58ccc295c4348fa066e4c4f4df0d922

SHA512
6e3f563c5771bed1e94496eb74467c420dda3e5348a79a060634a372b1e2edbcb3714e5bb353729692c56a0a8d7e0048d6d564e709dfb43edc1c01745372a1cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\askg.exe

Filesize
237KB

MD5
aaba6a9a104113fb77aa1fe8f8da6765

SHA1
e027a4b4ecb8b9e47cfb44eeff43c3babc81f3bf

SHA256
006a214870dca4b564db8b473d48a35175f8fae44865e3af87f88997c76cb0ed

SHA512
85aabd09c76b13580cd694cf72c9a6d0b0a6bdca5441c2608f245875e81a054e4ed9f1f26c04a99ce241a3a2cb0e061bac76b34b2d8a2472c5ef4d8ee84653e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\cQAE.exe

Filesize
535KB

MD5
9eb8a9da254017955cbaac94685ed2f0

SHA1
e7cd5f238770a60b5f050cc9630c12e08c1ff79a

SHA256
bdd8542800a1c306c05501564350e48575c8fef5da726fdda3bfcf60dc242b13

SHA512
028c2a93ddca1694b4fa26e470d572814c8569f413b2595e4885c44cda3f5b66a12e9942f64b7f1d6259b310aaf8e482d5a0ffc58b59275327d19ff91a6136dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\cYcG.exe

Filesize
117KB

MD5
bd373bdcb6e99d8ac3c4ce18d0407653

SHA1
e80f8319e338c4f21413546e93363a951d9e60e8

SHA256
953ca5c3d3008f57faac8a57b58b9b325b8692dd18772d5b5e3b5702701abd80

SHA512
86f637157f71f3a7033f873334ff1e8dc56bb504425a0ab72ee85a77b67f2d66cc3042c5c9496fdeb8c202c24fd12a050e2b39785f0dbb1259b5ace434aea62f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ccAo.exe

Filesize
110KB

MD5
0d945d84d63a387d55d1ae4a9846b2f6

SHA1
abf1f9386461b983d07535e8ee61cf42e4ace98d

SHA256
6def59a8e461ea5ad625cd657d47e38f63c3eae59da83bfa50bc6e7b918378ec

SHA512
b94c729862c41d3e23eb459ee0ec592fe699f586538eb9b7919a8f3ec9030aff069dbadeb7d3b6467c1afe9eccd8e58ffd0741a811760bd06cc1b229f7750958

Download Submit
C:\Users\Admin\AppData\Local\Temp\coko.exe

Filesize
113KB

MD5
8b29c34cc4df1829c687ce7e00ed5c11

SHA1
19b190e4286d33d94e23352305c889b3c86b1517

SHA256
795707fb00d76985bb987426b918f5b6395663fd26a98c2aef3a073ca36efcd9

SHA512
a107de405c782bf3ed2d5f2de1cfae6f272d750f8875fb4928bf1051747c8b2e1a474dffbe095860f42ed898174e3de6a9790452114302625322a1567d189787

Download Submit
C:\Users\Admin\AppData\Local\Temp\eGoMskcg.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\eccC.exe

Filesize
117KB

MD5
bcd41eb6edb25324f0e1657bed118a11

SHA1
b508f25e630f0097aaa1f54d8401efdfd8d3181e

SHA256
cca8cd3041174b5fe3e828c98e92527e41096f9e7b7884717279d5c5e4160773

SHA512
7400d15654151ce3adce5b97d81cb0ac9835fee896313291481633c870ac94a34cb1076f5376289fb5438b069e6c4bcddfe432d30cb4d91d1421d8020983a6b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ecsu.exe

Filesize
112KB

MD5
203ed84d40da2e4c851739a045a4244c

SHA1
020692c01738377501be2cd9752c7ee63081cb6c

SHA256
4ca2e6290f43213b705c8ac2ea3e3810f0c738ec2cb37aef260bc0605cfa1982

SHA512
5270b02bfe3bf6dc07e4b07395e6fc36f3902fd07a27f52494de672aba529a582317fae72916f220545d8ef0c4e89df1e7a47c618790716c672db3d291b09d17

Download Submit
C:\Users\Admin\AppData\Local\Temp\eggK.exe

Filesize
120KB

MD5
f48c8ef0ea8719741700db974323482f

SHA1
10a50112608806aa7db4d59f6118354946f84a4c

SHA256
6ee7d2c2f9e72c4c16c116eb683b764171aa2cd48467a961954baf3aac899470

SHA512
327c42bd91723c8ba56739f7266cd80b6a8852d5351bf2d5481e6556e34385dbbcb2455ed6327ead9288e8c632313bbdb19fd904d976444e7f678c2a86b2be1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ekEQ.exe

Filesize
678KB

MD5
ddce1d0ad74c6c399bb363eda1a4f8ba

SHA1
fa3781d6721244fc518ef2a18ffd2c7531b710e8

SHA256
8c9e23e5a664d35d462c7f054634a94a4c76a03a118c04e8b9e5981050e07b68

SHA512
4e3ce104d1ed8569132222d5abf3dd803bc8c510314334b8a91021a3494d5dc2909cb102c1f10fd6c80d10554f8fe5da9d02ee54d76deebcf875d47efb9fae54

Download Submit
C:\Users\Admin\AppData\Local\Temp\esAE.exe

Filesize
564KB

MD5
dfe123c79213f4ff1596e81880815b19

SHA1
337592e3c7982f4f90e413063c4b24a92c8b34cd

SHA256
0f398eb1c81ed91c15dca58e7043581416fef181cefbbea54e345a1bb8d38979

SHA512
a7391f40ad10359b70b393750607e1369757a6bdded7036356cc08785ae2ccffe300d7a06f1347faed3341f15b7a7d135b7a79f6676ab80b8a0a97c49da77503

Download Submit
C:\Users\Admin\AppData\Local\Temp\ewYU.exe

Filesize
137KB

MD5
8764e2acb5f95dbdbf56c1a28ebfd091

SHA1
3aa7b517ab8a58b42f76b81e66e7908a42ff5b90

SHA256
e4e7ea45763328d0cd8fb9d54a32ff64845c8f9dfc0e225d4c36f99b7e851982

SHA512
14797b1c4c351bb0da6e603feb2afb61cbed7b6348ef7880d00c58b87ec328af2408ddd1d893796a504b2d930c2f5fe71973309d5942212489f89715dbe7127a

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gQAC.exe

Filesize
745KB

MD5
eb3251d996d77354932ee7217853b704

SHA1
ed18b35b55896b95505dd09d61f714e0791bd865

SHA256
7a353eba62ab8ff92d74b817e981947722cf8a8751b5c3cc382f73925f918024

SHA512
2f1c0f6d458b96a85b3fc08049ee1774ee655ed59f84d42693bdfe494b5bf3db060dc1984f7103ad58e20088cd3a68d7e310e1cfebc3dcd0774a61bf627e1dd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gYUM.exe

Filesize
138KB

MD5
ba454528491d08b973bd501e2907196d

SHA1
f1407d9b2bc8f3963fe6076686a3d01feb44f4aa

SHA256
9cd141a964e52a893947bee1da4794b019c9ff6b754a63eb5aa6b315ee9a9f43

SHA512
05b0d66ed8c26a74a4d2837f77d375e286102e2aabe1512a0d5a8ef1e18e276a25857c59e1fa62f957950d80f554e3331848bc9e60eabadc7bc89997d901db04

Download Submit
C:\Users\Admin\AppData\Local\Temp\gcIK.exe

Filesize
432KB

MD5
64eeb3931e5fa016118f484bf6b59abe

SHA1
55a88a4393f9ee923fe725de7254594cc3b1f1aa

SHA256
2840d322f6a3da708509385f9c0710c7efacef0f652eaff8be9e6d08aa5bf810

SHA512
f5d7f48205f713f300f3b4f46ce6bd7edfb1fb36bded739582b7f44eef4e3574a030dcb341a552bdbe9c72dff96fee893875cb329cf61f45e0d94b8ec6eb13a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\gcMo.exe

Filesize
112KB

MD5
f5d2b4006c23f6226db33ed967add047

SHA1
9c762bd553a2b4d900266f641b268c366c152222

SHA256
8c9e6c634aa053ac123a28a4380707f9e6984964d9855817115726fe231ddf99

SHA512
4f121a229b70b0b3b54958d451d434f5e55bcfbd33c4ee21d5214c4d09c519ac0306ca10b3f8849b0839726be698d11d0d1571acdf3262ce8d5843a96f715bd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ggQq.exe

Filesize
135KB

MD5
564bee5781fc0a147f7a00fe3c7765f4

SHA1
e4a3c202b57a8eaf8c658c26bf1c21dec913ea99

SHA256
a61433383355ac8864a94349d36858df7df2710ac81c931d563355d2fdd1c1e8

SHA512
7ce61c9a8e091525cef4a50a3ee6b14ecf2ca40ca40a94b458d426c8110eee2219c4967a57c1709d8383d49432acadb8972056ed1cd8e2b42f87675830e9b614

Download Submit
C:\Users\Admin\AppData\Local\Temp\gsUs.ico

Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\AppData\Local\Temp\iIQk.exe

Filesize
115KB

MD5
cba4fdefd6b63b4eceb450b6c529054e

SHA1
79c35cdb414c10d3d2dbe7e1ca5be50f3e24cd7e

SHA256
9fa63c8e906f0bacf7ab2c6112ab56ec4647769725e74e8b27d74eb564268b89

SHA512
1dbf3fd7636f86891480bff0e1d30cfdcc2aeb7d98cc592256b4c6f9d193f52f31f9f0fea41ebc956e8575ed4813856a6e568cd6e6c8a5f2caed35ec8224ed63

Download Submit
C:\Users\Admin\AppData\Local\Temp\iMAS.exe

Filesize
564KB

MD5
9947f87fc6133b86aa3033c62861b21c

SHA1
cf5890c4a5e21bbda7bcbce0aaae2af46590b453

SHA256
9bc9ad116bdbe8b4d4631c9a31ff1e956dbaf1949ef4b50ccccd0d0b6248ee67

SHA512
1ac56465cf009c9778f95772f6c93f7f2785774c67f10732130b33378639c48c965f17283a36f2b9366ab44bc0e38af77fce003f0276ff28152a2aa28ade1d6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\iQgA.exe

Filesize
108KB

MD5
9e58fc909836a9f20582ee2dd697a648

SHA1
25054992362e9b8f02c717571b717ddb660f978e

SHA256
1fe396143d0184f9292ab92e5bfb8d6128b6ff8045039fadb55fbf438627e5eb

SHA512
f5e77b973f8187709726ca8653e9fb774429138c124cbf72cab64a8f9785a117485f48238bbb9c07add4a3c3fa36917e034e392b665432371b636d966e0d8759

Download Submit
C:\Users\Admin\AppData\Local\Temp\iUEY.exe

Filesize
123KB

MD5
9394437bb5d81ec766c6469cc03366ef

SHA1
4356fd45b295675c76961183111fd416993a918f

SHA256
1c38e801523087ab9dc8c12fc713b757c35981ecab5ea97b883ae161dc2a51a8

SHA512
3059fada9550d51dc1efe50d4a68bb4aa98e3763e8299206c78845f562c124c4b591b3dfeadb1932b2b279c1e8f872d32bb77525f4cf3f3b7f2fb2e4a9d7cd04

Download Submit
C:\Users\Admin\AppData\Local\Temp\ikQQ.exe

Filesize
724KB

MD5
6089213d7c29359d0c4cfb4cd3bc3730

SHA1
d14b93ee75680064124b1ef5bd933be45d8521c0

SHA256
dfe4ff5b396d94a2fd41e57a57c43cff459a7340656e3e202fa5329e9baba82f

SHA512
034aa9cd104d151bc2ab5a0adcee21c93c71ca5fbb7d80f30e2c9a365a492d41da61d706a306129cb0f1b2cece8f7b4c7b336752db97c8eb7a13841929c94bab

Download Submit
C:\Users\Admin\AppData\Local\Temp\ikYm.exe

Filesize
113KB

MD5
61cda4d7dde4fcb72f80cf968b41681c

SHA1
53b63064779bd19515bca3d5be314299792fcccb

SHA256
e46203362e502ac0c0904afea030e3e9f296727abeb97c7f4ecad8022bf8d9e0

SHA512
3700f2176d0e48441a8574cb60c064cf606de397c76570b6d55fa884977d97d869523099b2e35d69599d2233905b84b157dd3b5a790750be963937207a6691a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ioAe.exe

Filesize
581KB

MD5
6cb4f3ba9600ad4382b38a3f1c2c1696

SHA1
ad87cfacbc5a6bc6274a5cf5341bce688ccf32b9

SHA256
7db79988804baf018838bb997d3d2708269595f0b192639c627b33a344e7de0e

SHA512
fd1ac960f95dd336f08d7426e458457fc1eb192b3ffb48f0ba4786dcd4230ad5dcf9d7359eee7c461fd1068a72b02da607d76091cd6c91f152adc0e05b265981

Download Submit
C:\Users\Admin\AppData\Local\Temp\kYko.exe

Filesize
425KB

MD5
8d4182b58566cba69246906d711f202f

SHA1
f47785ad5e3076880df463e7d5a38014297b549f

SHA256
fff7db1bddff51c23acf4d7782b92742ff2b5d21b8021a8e72a758688e90cc76

SHA512
002ed3be4009f09b3a2da0df7238c564971aa64312900012e1478f4063fc5b50befedf50366bc4c3aeb19f24da976866168811cee01619adaab99e111bccce99

Download Submit
C:\Users\Admin\AppData\Local\Temp\koEK.exe

Filesize
154KB

MD5
a85c73b587dcd71f25a13c5ede401bfa

SHA1
51c35bc1d01f2dbb0fc766d05daf0def84b36f0c

SHA256
bce93ee1c761425e7454a3057b0acec8a2572f79b1e937f499a610495f13d426

SHA512
28a5f9f9a0ddb0e5b8536b240c24e0f6ce9d3db6cbccf86b3661049942890f6e0215dce193db38feceac47cf1d109709553530487927c12f3de1524afa2cf361

Download Submit
C:\Users\Admin\AppData\Local\Temp\mQcO.exe

Filesize
114KB

MD5
1ff05417ea9a0e4a58cd4fa2ee0ee49e

SHA1
28c9d75fb82f51e47d4991b3374680642f720601

SHA256
15b6cf652752687d46d5eb40e5b2ec46f410a3b4d2cc49ce2c9d86451c4dcf41

SHA512
95008c8c6187d36e49b414c8222583754f3390b93661cfc0158f2f6c30bdac3584ca991db4b642bff1af0a94fb7bff1d8417153d93b7aa5e821cf5ca925cb719

Download Submit
C:\Users\Admin\AppData\Local\Temp\mgMW.exe

Filesize
112KB

MD5
d06e23862dbfe8e2b997f24576171177

SHA1
3d2174483fee194eb1c3d942eccf0f0ad8b0e8c3

SHA256
48ffd5a068a83bbc05a40a2f1a48896468466bb52090c606ed20cb0a57ae09a6

SHA512
0433dd0771175be2f741b15530d7688ee857339d76ad1708e32930963abafbfa4a13c52b1bf48e5a847599136f961b84ed2e704ad9bae59ae5c919563c5778d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\mkwa.exe

Filesize
349KB

MD5
a81799f83b2e589c836390e89ed93b28

SHA1
1c645f56d86b3f01079f98852f87465fb041b515

SHA256
83f563581dc02a02b1ece0817a278be9cbb52d2896d08a80195a62dc13847620

SHA512
9581c47a3e6db6bbc7065f73b885db9c1f141ffaf7fa215bf6e3c1b2a5a9031d775259ec87260fd5ebd878da430e3a8f260a5a47f6b611aa8d479d988fd8753f

Download Submit
C:\Users\Admin\AppData\Local\Temp\oEAG.exe

Filesize
117KB

MD5
8551ffd5c0f8d9ad2609b48293d08fcb

SHA1
0c1faf6f5c05cb66ed2c975a8ba3e4c6092e4272

SHA256
4e0fadc17c9546fdf8bd25415572107d02474b4266b3975c042152e5b0b07858

SHA512
d3aa2f750f1e0ccef4b1980d65922dbfaa2f3b93f028db2bf0e014beffcbfe9fbb034fb069d0347f8a0a9428679fa2678d4bba1a3fbaf04297d1dfb0ddd5cbdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\oEMk.exe

Filesize
556KB

MD5
3d37965905ae5fdc46027475fd73cdb6

SHA1
c106c68968d0200bbc25e6019ff98144394ce3a4

SHA256
acfcf84802fab8a173f9dd858cd6eb662c60aab91065676aeb76a341686ed7ec

SHA512
3893e08c89ac551d71a3fb6c26e960db3de0b96652d3d22234e86e8c3529f773ace493d2e3428eb900922c507f4f32bbca0cbfbc86c893b2375b29cc26275690

Download Submit
C:\Users\Admin\AppData\Local\Temp\ocYy.exe

Filesize
600KB

MD5
655c7096d691e177c0402ea602ec732b

SHA1
a0c5976a1759674d5313b21bf1fdb725227c84e9

SHA256
d5cf0b23a89030f6efdb34a556c5134596734ea11c5007e2a5c2dc24560ee3ae

SHA512
93e2e9f47d39e18fffca601f2922d447579286f6ab7890325d9e312174bd4d3375d5427fc1735813469158a369732e4627d4982f7ebc72d28f08aa7e96c7b445

Download Submit
C:\Users\Admin\AppData\Local\Temp\ogQk.exe

Filesize
319KB

MD5
7329478a021f6796ea7ebc60199b6880

SHA1
090637045290608c7a66caa8748e854c4b08da9b

SHA256
97ec02e749a27e4c64fb43008f73c790fb02f08dd50231cef81c157ae7b783de

SHA512
b7dc20da943b739cbe689fdb4c6960eedc45054db1ec1ecdd13ebf14680fabce19d268c9d3f339bd4e2f070e6f0712a4c9ffddfdbfb0683179024d3f6a06f5cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ooUI.exe

Filesize
149KB

MD5
eae72888596782860729a47fe379952e

SHA1
b0b478ab8c9aaaa49064c6fd39c9486db29265d9

SHA256
13451bf675cae774769bac6f17c65b2f2d6447db0a15513c8754e827fba518fc

SHA512
2ff844225c8f8c46565f32d289bddb169a1ab2867517fff0b266dedda9e101a6a65c983ad53882c83b61bf19d2468c2c686549e36ff27b3ae3061a97b95a5155

Download Submit
C:\Users\Admin\AppData\Local\Temp\owIc.exe

Filesize
115KB

MD5
2dfa4bc1baf1006ababb0097918b9465

SHA1
80cee4ec4633a101775809abf730656210c45af7

SHA256
bc264f82a86638ceb98ef8c043c6b4fdfe576251c54eb69f8c5a0d3e8bca94eb

SHA512
783463ee68b93bf44e19674400a0d4aec7b980287e466fe1c2cee619606edb7fb91ace07f53e6078e11eace6496eca0e30926471f7eba6b65ac93d6c070baf29

Download Submit
C:\Users\Admin\AppData\Local\Temp\qUIU.exe

Filesize
114KB

MD5
de56e55ed867775fb84e50a3d21fac00

SHA1
56e88872167eb4b901cffcd3d58e81f9474fc608

SHA256
16742bb9a94c76e4f3210787f54201fda4120fca990abf343972abfa902a3678

SHA512
56a90b2b6cf9090a97601cbca2b0919d98d8826e132e202171bcca1840821f5ae14b8bffe1273228a9164e623073560179c48b2a57d5c37a124c903968814126

Download Submit
C:\Users\Admin\AppData\Local\Temp\qYYQ.exe

Filesize
118KB

MD5
9149c15e3ad43840eba02b72bb635847

SHA1
b818d8c8fe53f7fedd51a1cccfe8f5fa25ec7650

SHA256
7d23cafe28fab6046c42dcc8f61ebfbecf5b56a6c4447cc1b318c104a0f0fb55

SHA512
3478757b7bf9afe9ec85f790e5d0f166e0260c5e26fe8f3a4a9dcdff7c23608231f898e00922a398854e06774a1dd16a1d7712dccc99385bf5f7d19023e557c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\qcIw.exe

Filesize
110KB

MD5
54cbd56ca3b3d044e8c6b4f951ed2e7d

SHA1
fb7ad233f09d3f6ddb14925605f6eb4492bc93d2

SHA256
e39e1f94ad3567a0c4c06d2d3b8b62b5fde51d390c7429d3405cadc19c4882eb

SHA512
44810617a590eb64c04e23b5a904b1538b4c8709250e857b162e11d3c973ad234001efb2f3e0fb571855cd8566b791f4e9931261227ce16c6d83b4550e698463

Download Submit
C:\Users\Admin\AppData\Local\Temp\qwQE.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\sgIm.exe

Filesize
113KB

MD5
e56bad87150d7eb0865f6c0b0a010c12

SHA1
90ce37a8be6be03412bbacc52f4296d4a1e5ea24

SHA256
47acdf702fa6f79ec6186d0740dd34d03ab7db551f9b7593d5f6a43450a744ad

SHA512
c5cd08dd4db77bb10a65254afd62d1732ff9d48a1f2eb8f83d911a8bd2d082750441e28c9d058327eed6bb9c75b1c4645a6cdc554358a5ad77014042c4da4099

Download Submit
C:\Users\Admin\AppData\Local\Temp\ssMY.exe

Filesize
110KB

MD5
03c983949e259b557a945b3605c67b5b

SHA1
9b01b6b6ba34b42f9f748d983ac540e3704bcfb3

SHA256
e8f3f107b96160e7c8a6cc849a24a330c38d970c43bdf9c51309e1df3fb9b18a

SHA512
716c9b1ba419c412c6bce392b781764500cf7f36e2671317c25c7e5d049518bde7f1a5fdf265d38a504132527f9618490424c75ea4808b6b50a47faddba893a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ssMa.exe

Filesize
114KB

MD5
e2de624717adb3da0083aef6814c10f2

SHA1
e03d1309451df2ea4be534ce4a878d37cda6e8de

SHA256
d55991034dafb6f837dc0fc563f5ccdcf571ae2fef7e93a3e0eea99991017ee5

SHA512
a83c660ea5372b65865bf38745a301bb8646c143bcf0352bbf89064344a8ac07685d3c17f49d774ac0c1637be1b58fd1bd66cffed882a03101a323d008b5d025

Download Submit
C:\Users\Admin\AppData\Local\Temp\uYwc.exe

Filesize
112KB

MD5
f01576702b660794de66fa6cf219d262

SHA1
6bb6a0d1cbb7a5b72bd76ac713d09ab0c8e74224

SHA256
f6b5b99a0725e7b6293d6c4b3cc913df1da3dc3d050c85e6cf5c07bfee34ed10

SHA512
f8da352fd18db36d4a59b5e79383f0eaa9744f4c9dd926a5e54a0989dab63738018d37f19d4f300a335027184deb98946383b842e2293c71ac3ea2eb4a025417

Download Submit
C:\Users\Admin\AppData\Local\Temp\ucgA.exe

Filesize
110KB

MD5
fc4aa7e748ea45523d0894140db26da7

SHA1
fafb917c1003a8007124ddd6a239f0d5a61e89e6

SHA256
68f79418340897cdb7f80022c6f2465cdef6da0f4fb19fd6ee057f74851972de

SHA512
04c91f3f04fb45fac4cedfa3854d3dffa53256f95d2d0012395d91fab640be3c47db9a23158cf6a958cab82fcd5c8b120e524f28b18ae5ab905f7146a351b85e

Download Submit
C:\Users\Admin\AppData\Local\Temp\usAc.exe

Filesize
700KB

MD5
d3f9ce30008cdd792a69862f9a67e85c

SHA1
15c5fb9d53226a3822ad2a76a4531849522cb433

SHA256
f9a90e7445c4ac2b8a3292d8224316a40ed7fc9da64f6f1d1292e550b4feb20d

SHA512
16e512cd0bb045a74865b361c6c159f99ea3e05e806d1dd985589595f0646d0e7fc3d89322cdd8d2ceb70baab647bda8ed30258026399682ad13a5764cd498ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\wgsM.exe

Filesize
348KB

MD5
b4ea23d1fefe3bec89d8ce1b37db4d3d

SHA1
a3d810a1ea48d37083c92392398a82cd7586b8bd

SHA256
e26d32d6603cb5e385606db76b48e81adee96d5c35f915303d114c46b6159b03

SHA512
e9f7c6af856429fa816c5157589cb40a6620749efbb75adec41ec64251f3ac08fd1f99534dcd76f27752d68406d7a41358128330b7574508e41ed1ad9d523ebc

Download Submit
C:\Users\Admin\AppData\Local\Temp\wgws.exe

Filesize
111KB

MD5
42edb471c9655805742a8eeb4664a202

SHA1
2376e756f46f2e303fedeb0c2af3a1d3b2b82ed2

SHA256
407a7bd41c43eac1024830e18b6025e50628cae851ae95afcef71b636f7ee0ab

SHA512
38cb3aba2288a089cdfe43a63628fbd208e0c823fbc11844474df1cdc0218d0b650edacb771c1cdb5eae0ccc69cfcc43ffc3ddd48602f99a861e0c9099ada3d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\yYgW.exe

Filesize
148KB

MD5
1d5e1db262d9f79037861827f5714f75

SHA1
89055b8e74e3c0ae2f496ca67513fc9e871fe54f

SHA256
dd88047804c2bb8e9454e654b2b29c168d37cc6b943c9a29e24b86775f266c1a

SHA512
75f011ec3b006d027e1a89d798865778cf8bafff9a35dfad92a44cea667dd1cac00041bfb50b73f726bad4066b6dfedf8a3d0747dbb360f368d18d9832673708

Download Submit
C:\Users\Admin\AppData\Local\Temp\ygoW.exe

Filesize
109KB

MD5
b4f76992d55c4f714ef25aada4da5fbc

SHA1
4b2b0d3d7685b7a5a81c0c1cc640f6bd14625ab8

SHA256
a9f36c3bdc3ec9db9c1d9de43629a3835c2d65a5713572e71f82d12a2462818b

SHA512
1accd1b146d28eaa8032339983d9d528d8f24833719d8aa00eab34a553e78206818ecbe9acdf0c03bf06f83a5d5d26a5cc82dbcca6484120991b0f53961b5f85

Download Submit
C:\Users\Admin\AppData\Local\Temp\yoAC.exe

Filesize
110KB

MD5
4c1da590b18b4fd50790fc46b042e3c8

SHA1
c24856d64b667879eb296399e3f24ef054f555c9

SHA256
aa48bec34d5c6caf1b2e46dddead0aa19dd56fd65e1a6f14be94f4a39afd6239

SHA512
5b237e961bbc9743d1996213b1bc7df86a5d70085b28e5768d641aada34dc19128cfd1450bab8f94f4248f31d075857c5dcb4cc1a999c1fd2906417936a3ae3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\yoIe.exe

Filesize
440KB

MD5
ce3325f11791870479d61f2931e11843

SHA1
351ef3c05e3ee736abfe149781a2818e310f5025

SHA256
ed32a829a8a303bebddf423e0b850a6c88d7e33002828ccfcfb9ba290cd67218

SHA512
6d0151787c85b1a66e26be7b0a285e13c5fcf21029798dc46e16dd3a940471be66bf22cc2da9c0dcef7e41e933161b232c7b4f116d851e46aa185884e12ca59d

Download Submit
C:\Users\Admin\AppData\Local\Temp\yoMA.exe

Filesize
752KB

MD5
f278e164b6adfa52c526b749b212afaf

SHA1
7fa96a4267b2db40a3b886e3b997b2bd080db9aa

SHA256
cc9fbefde3f2786b34894faa314f5392291fab106416124bb2bf3f718799084c

SHA512
da6e51d0c79b8e7be79d27a6b3b0ba94e1c98d7116f7e34fc54e0f1be8a0b2e6d625336ae3cfe3d5bc914b99c38ecd7fcb3e6a07bc4d2c20410873f3a54d507c

Download Submit
C:\Users\Admin\AppData\Local\Temp\yoYE.exe

Filesize
110KB

MD5
284caa5809f35a7f08d7122612c1418b

SHA1
b79b471853e471a13e01bec0890b3a341c094607

SHA256
f47d16f644321cd1de2fc75f950fb5c5f64f24d055c85c9f93957b58413232d1

SHA512
28bddb2a3ba2e0ebd83f6c5f3ce0bf056cb72e78250f35e026228c31f8fc6516ed1ea14f595446abf64390fc9a98347824bc8f57fd0db34b0f9dd15778ce625e

Download Submit
C:\Users\Admin\Music\DebugSplit.zip.exe

Filesize
597KB

MD5
1471b345897bd10272849fcb3ca4978f

SHA1
76f8ad95092785272cb9c6f1216bfda3c7fa2069

SHA256
7b4accfb2fbb2c1df38d4517cc9a3f5bcfb55db39a07d0695d43f44c8a7977b4

SHA512
64b60820b4e0d60e0ba62e578dfc2c157a22a534239598279e239cd126023bea59ff2fefeb8bdae8e58ed860554e11e6ee7951e09d1782324b07afb1674a415b

Download Submit
C:\Users\Admin\lOkggAMY\sAEkAUwc.exe

Filesize
110KB

MD5
95f424941bbeab61c53b4c8fb1e2f9e2

SHA1
5fdc69f421a31f7905c6d8d643967fb6a11b75b8

SHA256
01504980d3998a93ded11a9d435f8b36a5313bbffbd1e9f0906118521172efc9

SHA512
c3452a936deadb08ee42c57a3322f5aceceb3b7e6b2318ed58ac8d333f8f3ef2eb0f54ab3ee82df8df344b78b48a648424b90618fb02d57fb25eaa12fe67e9fe

Download Submit
C:\Windows\SysWOW64\shell32.dll.exe

Filesize
5.8MB

MD5
efc43d7ecd656d039cfe18bd04864309

SHA1
d4b282f726ea32415cc9c50cace7756460e32925

SHA256
9fb8f6799b3889f0a045b890d0b343088f44e2b8ab578cde8067caaf542d9238

SHA512
2acb57e3005450d15119b328aa23ac0a9451adc7042391470ab578b3013b5fd5411c1da1b099ecc8fd4149bf377dddcffa827c7fab95638233fdaadfb9b9aca2

Download Submit
memory/516-152-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/516-167-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/624-279-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/752-64-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/752-80-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/776-322-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/776-315-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/808-0-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/808-19-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1088-292-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1088-304-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1400-15-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1404-355-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1496-28-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1496-43-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1692-270-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1692-259-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1748-179-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1812-373-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1812-380-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1908-330-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1976-128-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1976-115-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2084-68-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2084-52-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2204-175-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2204-191-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2356-187-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2356-202-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2404-305-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2404-313-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2476-32-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2476-20-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2616-262-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2616-246-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3000-155-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3000-136-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3112-237-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3112-250-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3132-347-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3132-335-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3144-296-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3144-286-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3232-339-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3236-13-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/3384-287-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3384-275-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3592-371-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3596-213-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3660-104-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3660-88-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4200-116-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4200-100-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4212-76-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4212-92-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4672-140-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4672-124-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4684-44-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4684-56-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4692-214-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4692-226-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4848-363-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/5104-222-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/5104-238-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download