7f836e9c2aa331198d13ccf65eda775fb4c6c24a6363e476cf652e9d2051e22c

Analysis

max time kernel
150s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
05-05-2024 10:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
Size

138KB
MD5

098aadf85c858488724f397b9b78a4b7
SHA1

4391c6b5c084e3f614b3c5a39f3f70b0b96eb4d0
SHA256

7f836e9c2aa331198d13ccf65eda775fb4c6c24a6363e476cf652e9d2051e22c
SHA512

585fb69e90f9d562fe9fc7c53bb72c0b73ac978a10307793d2d1b36b9bd7b1f0e324de69a3f26d2dbda2fb2031e61898ad6471524b884e49889aebeee79f39ff
SSDEEP

3072:o3OS4GfRRJNTkhg8gbgwhMsen3do87x1cI:op4GfRN4hg8gfMje87Z

Score

10^/10

evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (90) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation	kMgUYgYI.exe

Executes dropped EXE 2 IoCs

pid	Process
2308	vUwIksUs.exe
4912	kMgUYgYI.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vUwIksUs.exe = "C:\\Users\\Admin\\aSIAUQME\\vUwIksUs.exe"	2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kMgUYgYI.exe = "C:\\ProgramData\\VmoIcEck\\kMgUYgYI.exe"	2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vUwIksUs.exe = "C:\\Users\\Admin\\aSIAUQME\\vUwIksUs.exe"	vUwIksUs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kMgUYgYI.exe = "C:\\ProgramData\\VmoIcEck\\kMgUYgYI.exe"	kMgUYgYI.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\shell32.dll.exe	kMgUYgYI.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
4428	reg.exe
4804	reg.exe
1432	reg.exe
4844	reg.exe
3120	reg.exe
4532	reg.exe
648	reg.exe
3144	reg.exe
1224	reg.exe
4800	reg.exe
3528	reg.exe
448	reg.exe
2344	reg.exe
2504	reg.exe
4464	reg.exe
3904	reg.exe
436	reg.exe
1272	reg.exe
4880	reg.exe
2896	reg.exe
556	reg.exe
2004	reg.exe
3156	reg.exe
3388	reg.exe
3920	reg.exe
3120	reg.exe
3688	reg.exe
376	reg.exe
2372	reg.exe
4012	reg.exe
2920	reg.exe
4468	reg.exe
5016	reg.exe
244	reg.exe
4488	reg.exe
1124	reg.exe
928	reg.exe
376	reg.exe
3592	reg.exe
3596	reg.exe
1968	reg.exe
2964	reg.exe
3132	reg.exe
5060	reg.exe
4200	reg.exe
3920	reg.exe
2668	reg.exe
116	reg.exe
4856	reg.exe
2600	reg.exe
4764	reg.exe
1560	reg.exe
1224	reg.exe
2484	reg.exe
3648	reg.exe
2072	reg.exe
644	reg.exe
1800	reg.exe
3316	reg.exe
4336	reg.exe
3688	reg.exe
532	reg.exe
1396	reg.exe
2368	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4548	2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
4548	2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
4548	2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
4548	2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
4300	2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
4300	2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
4300	2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
4300	2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
4840	2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
4840	2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
4840	2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
4840	2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
4984	2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
4984	2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
4984	2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
4984	2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
3672	2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
3672	2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
3672	2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
3672	2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
3124	2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
3124	2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
3124	2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
3124	2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
1256	2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
1256	2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
1256	2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
1256	2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
2548	2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
2548	2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
2548	2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
2548	2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
1576	2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
1576	2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
1576	2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
1576	2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
4896	2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
4896	2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
4896	2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
4896	2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
4716	2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
4716	2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
4716	2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
4716	2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
964	2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
964	2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
964	2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
964	2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
2448	2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
2448	2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
2448	2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
2448	2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
3144	2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
3144	2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
3144	2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
3144	2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
1632	2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
1632	2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
1632	2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
1632	2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
2560	2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
2560	2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
2560	2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
2560	2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4912	kMgUYgYI.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4912	kMgUYgYI.exe
4912	kMgUYgYI.exe
4912	kMgUYgYI.exe
4912	kMgUYgYI.exe
4912	kMgUYgYI.exe
4912	kMgUYgYI.exe
4912	kMgUYgYI.exe
4912	kMgUYgYI.exe
4912	kMgUYgYI.exe
4912	kMgUYgYI.exe
4912	kMgUYgYI.exe
4912	kMgUYgYI.exe
4912	kMgUYgYI.exe
4912	kMgUYgYI.exe
4912	kMgUYgYI.exe
4912	kMgUYgYI.exe
4912	kMgUYgYI.exe
4912	kMgUYgYI.exe
4912	kMgUYgYI.exe
4912	kMgUYgYI.exe
4912	kMgUYgYI.exe
4912	kMgUYgYI.exe
4912	kMgUYgYI.exe
4912	kMgUYgYI.exe
4912	kMgUYgYI.exe
4912	kMgUYgYI.exe
4912	kMgUYgYI.exe
4912	kMgUYgYI.exe
4912	kMgUYgYI.exe
4912	kMgUYgYI.exe
4912	kMgUYgYI.exe
4912	kMgUYgYI.exe
4912	kMgUYgYI.exe
4912	kMgUYgYI.exe
4912	kMgUYgYI.exe
4912	kMgUYgYI.exe
4912	kMgUYgYI.exe
4912	kMgUYgYI.exe
4912	kMgUYgYI.exe
4912	kMgUYgYI.exe
4912	kMgUYgYI.exe
4912	kMgUYgYI.exe
4912	kMgUYgYI.exe
4912	kMgUYgYI.exe
4912	kMgUYgYI.exe
4912	kMgUYgYI.exe
4912	kMgUYgYI.exe
4912	kMgUYgYI.exe
4912	kMgUYgYI.exe
4912	kMgUYgYI.exe
4912	kMgUYgYI.exe
4912	kMgUYgYI.exe
4912	kMgUYgYI.exe
4912	kMgUYgYI.exe
4912	kMgUYgYI.exe
4912	kMgUYgYI.exe
4912	kMgUYgYI.exe
4912	kMgUYgYI.exe
4912	kMgUYgYI.exe
4912	kMgUYgYI.exe
4912	kMgUYgYI.exe
4912	kMgUYgYI.exe
4912	kMgUYgYI.exe
4912	kMgUYgYI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4548 wrote to memory of 2308	4548	2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe	84
PID 4548 wrote to memory of 2308	4548	2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe	84
PID 4548 wrote to memory of 2308	4548	2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe	84
PID 4548 wrote to memory of 4912	4548	2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe	85
PID 4548 wrote to memory of 4912	4548	2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe	85
PID 4548 wrote to memory of 4912	4548	2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe	85
PID 4548 wrote to memory of 3196	4548	2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe	87
PID 4548 wrote to memory of 3196	4548	2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe	87
PID 4548 wrote to memory of 3196	4548	2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe	87
PID 4548 wrote to memory of 1596	4548	2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe	89
PID 4548 wrote to memory of 1596	4548	2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe	89
PID 4548 wrote to memory of 1596	4548	2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe	89
PID 4548 wrote to memory of 748	4548	2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe	90
PID 4548 wrote to memory of 748	4548	2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe	90
PID 4548 wrote to memory of 748	4548	2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe	90
PID 4548 wrote to memory of 3388	4548	2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe	91
PID 4548 wrote to memory of 3388	4548	2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe	91
PID 4548 wrote to memory of 3388	4548	2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe	91
PID 4548 wrote to memory of 1488	4548	2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe	92
PID 4548 wrote to memory of 1488	4548	2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe	92
PID 4548 wrote to memory of 1488	4548	2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe	92
PID 1488 wrote to memory of 1496	1488	cmd.exe	97
PID 1488 wrote to memory of 1496	1488	cmd.exe	97
PID 1488 wrote to memory of 1496	1488	cmd.exe	97
PID 3196 wrote to memory of 4300	3196	cmd.exe	98
PID 3196 wrote to memory of 4300	3196	cmd.exe	98
PID 3196 wrote to memory of 4300	3196	cmd.exe	98
PID 4300 wrote to memory of 1492	4300	2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe	100
PID 4300 wrote to memory of 1492	4300	2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe	100
PID 4300 wrote to memory of 1492	4300	2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe	100
PID 1492 wrote to memory of 4840	1492	cmd.exe	102
PID 1492 wrote to memory of 4840	1492	cmd.exe	102
PID 1492 wrote to memory of 4840	1492	cmd.exe	102
PID 4300 wrote to memory of 1324	4300	2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe	103
PID 4300 wrote to memory of 1324	4300	2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe	103
PID 4300 wrote to memory of 1324	4300	2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe	103
PID 4300 wrote to memory of 4800	4300	2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe	104
PID 4300 wrote to memory of 4800	4300	2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe	104
PID 4300 wrote to memory of 4800	4300	2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe	104
PID 4300 wrote to memory of 2748	4300	2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe	105
PID 4300 wrote to memory of 2748	4300	2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe	105
PID 4300 wrote to memory of 2748	4300	2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe	105
PID 4300 wrote to memory of 4200	4300	2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe	106
PID 4300 wrote to memory of 4200	4300	2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe	106
PID 4300 wrote to memory of 4200	4300	2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe	106
PID 4200 wrote to memory of 2880	4200	cmd.exe	111
PID 4200 wrote to memory of 2880	4200	cmd.exe	111
PID 4200 wrote to memory of 2880	4200	cmd.exe	111
PID 4840 wrote to memory of 1936	4840	2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe	112
PID 4840 wrote to memory of 1936	4840	2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe	112
PID 4840 wrote to memory of 1936	4840	2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe	112
PID 1936 wrote to memory of 4984	1936	cmd.exe	114
PID 1936 wrote to memory of 4984	1936	cmd.exe	114
PID 1936 wrote to memory of 4984	1936	cmd.exe	114
PID 4840 wrote to memory of 4748	4840	2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe	115
PID 4840 wrote to memory of 4748	4840	2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe	115
PID 4840 wrote to memory of 4748	4840	2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe	115
PID 4840 wrote to memory of 436	4840	2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe	116
PID 4840 wrote to memory of 436	4840	2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe	116
PID 4840 wrote to memory of 436	4840	2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe	116
PID 4840 wrote to memory of 4464	4840	2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe	117
PID 4840 wrote to memory of 4464	4840	2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe	117
PID 4840 wrote to memory of 4464	4840	2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe	117
PID 4840 wrote to memory of 884	4840	2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe	119

C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4548
- C:\Users\Admin\aSIAUQME\vUwIksUs.exe
  "C:\Users\Admin\aSIAUQME\vUwIksUs.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2308
- C:\ProgramData\VmoIcEck\kMgUYgYI.exe
  "C:\ProgramData\VmoIcEck\kMgUYgYI.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:4912
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3196
- - C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
    C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4300
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1492
    - - C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4840
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1936
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock"
        8⤵
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock"
        10⤵
        
        PID:4428
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock"
        12⤵
        
        PID:3816
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock"
        14⤵
        
        PID:3508
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock"
        16⤵
        
        PID:3712
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock"
        18⤵
        
        PID:1936
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock"
        20⤵
        
        PID:5060
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock"
        22⤵
        
        PID:3864
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock"
        24⤵
        
        PID:2708
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock"
        26⤵
        
        PID:3196
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock"
        28⤵
        
        PID:116
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock"
        30⤵
        
        PID:3320
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock"
        32⤵
        
        PID:2752
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock
        33⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock"
        34⤵
        
        PID:2548
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock
        35⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock"
        36⤵
        
        PID:2484
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock
        37⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock"
        38⤵
        
        PID:3612
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock
        39⤵
        
        PID:812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock"
        40⤵
        
        PID:1352
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock
        41⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock"
        42⤵
        
        PID:4120
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock
        43⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock"
        44⤵
        
        PID:3496
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock
        45⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock"
        46⤵
        
        PID:2484
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock
        47⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock"
        48⤵
        
        PID:1896
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock
        49⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock"
        50⤵
        
        PID:2124
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock
        51⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock"
        52⤵
        
        PID:1584
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock
        53⤵
        
        PID:3840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock"
        54⤵
        
        PID:244
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        55⤵
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock
        55⤵
        
        PID:3280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock"
        56⤵
        
        PID:964
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock
        57⤵
        
        PID:596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock"
        58⤵
        
        PID:1356
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock
        59⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock"
        60⤵
        
        PID:4720
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock
        61⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock"
        62⤵
        
        PID:1872
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        63⤵
        
        PID:1224
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock
        63⤵
        
        PID:812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock"
        64⤵
        
        PID:4780
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock
        65⤵
        
        PID:3320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock"
        66⤵
        
        PID:3688
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock
        67⤵
        
        PID:3080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock"
        68⤵
        
        PID:3028
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock
        69⤵
        
        PID:208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock"
        70⤵
        
        PID:2560
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock
        71⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock"
        72⤵
        
        PID:1584
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock
        73⤵
        
        PID:1136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock"
        74⤵
        
        PID:3864
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock
        75⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock"
        76⤵
        
        PID:532
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock
        77⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock"
        78⤵
        
        PID:452
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        79⤵
        
        PID:3188
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock
        79⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock"
        80⤵
        
        PID:4524
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        81⤵
        
        PID:2560
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock
        81⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock"
        82⤵
        
        PID:1192
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock
        83⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock"
        84⤵
        
        PID:4312
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock
        85⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock"
        86⤵
        
        PID:704
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock
        87⤵
        
        PID:3528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock"
        88⤵
        
        PID:3940
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock
        89⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock"
        90⤵
        
        PID:748
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock
        91⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock"
        92⤵
        
        PID:5108
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock
        93⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock"
        94⤵
        
        PID:2540
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock
        95⤵
        
        PID:1452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock"
        96⤵
        
        PID:4980
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        97⤵
        
        PID:5028
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock
        97⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock"
        98⤵
        
        PID:3080
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock
        99⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock"
        100⤵
        
        PID:1020
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        101⤵
        
        PID:3864
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock
        101⤵
        
        PID:4152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock"
        102⤵
        
        PID:1080
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock
        103⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock"
        104⤵
        
        PID:4880
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock
        105⤵
        
        PID:960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock"
        106⤵
        
        PID:748
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock
        107⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock"
        108⤵
        
        PID:3584
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock
        109⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock"
        110⤵
        
        PID:3936
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock
        111⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock"
        112⤵
        
        PID:5056
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock
        113⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock"
        114⤵
        
        PID:4476
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock
        115⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock"
        116⤵
        
        PID:2488
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock
        117⤵
        
        PID:3828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock"
        118⤵
        
        PID:2288
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock
        119⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock"
        120⤵
        
        PID:2880
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock
        121⤵
        
        PID:3760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock"
        122⤵
        
        PID:3796
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock
        123⤵
        
        PID:3892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock"
        124⤵
        
        PID:4860
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock
        125⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock"
        126⤵
        
        PID:1916
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        127⤵
        
        PID:1256
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock
        127⤵
        
        PID:4292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock"
        128⤵
        
        PID:1812
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock
        129⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock"
        130⤵
        
        PID:2232
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock
        131⤵
        
        PID:3144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock"
        132⤵
        
        PID:2880
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock
        133⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock"
        134⤵
        
        PID:376
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock
        135⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock"
        136⤵
        
        PID:3708
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock
        137⤵
        
        PID:3820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock"
        138⤵
        
        PID:1916
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock
        139⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock"
        140⤵
        
        PID:1272
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock
        141⤵
        
        PID:264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock"
        142⤵
        
        PID:428
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock
        143⤵
        
        PID:1396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock"
        144⤵
        
        PID:4476
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock
        145⤵
        
        PID:3904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock"
        146⤵
        
        PID:4260
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        147⤵
        
        PID:1452
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock
        147⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock"
        148⤵
        
        PID:2344
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock
        149⤵
        
        PID:704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock"
        150⤵
        
        PID:4868
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        151⤵
        
        PID:2348
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock
        151⤵
        
        PID:244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock"
        152⤵
        
        PID:2748
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock
        153⤵
        
        PID:3264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock"
        154⤵
        
        PID:4596
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock
        155⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock"
        156⤵
        
        PID:2068
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock
        157⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock"
        158⤵
        
        PID:3132
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        159⤵
        
        PID:1900
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock
        159⤵
        
        PID:372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock"
        160⤵
        
        PID:3768
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock
        161⤵
        
        PID:764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock"
        162⤵
        
        PID:3900
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock
        163⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock"
        164⤵
        
        PID:4488
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock
        165⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock"
        166⤵
        
        PID:4504
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock
        167⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock"
        168⤵
        
        PID:1976
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        169⤵
        
        PID:4744
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock
        169⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock"
        170⤵
        
        PID:1560
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        171⤵
        
        PID:2976
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock
        171⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock"
        172⤵
        
        PID:2004
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock
        173⤵
        
        PID:1208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock"
        174⤵
        
        PID:1888
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock
        175⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock"
        176⤵
        
        PID:4748
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        177⤵
        
        PID:5056
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock
        177⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock"
        178⤵
        
        PID:2124
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock
        179⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock"
        180⤵
        
        PID:3176
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock
        181⤵
        
        PID:3584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock"
        182⤵
        
        PID:2120
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock
        183⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock"
        184⤵
        
        PID:436
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock
        185⤵
        
        PID:1032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock"
        186⤵
        
        PID:3280
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock
        187⤵
        
        PID:4564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock"
        188⤵
        
        PID:3416
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock
        189⤵
        
        PID:1876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock"
        190⤵
        
        PID:1056
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        191⤵
        
        PID:4584
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock
        191⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock"
        192⤵
        
        PID:2072
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock
        193⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock"
        194⤵
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock
        195⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock"
        196⤵
        
        PID:4308
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock
        197⤵
        
        PID:264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock"
        198⤵
        
        PID:2348
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock
        199⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock"
        200⤵
        
        PID:2448
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        201⤵
        
        PID:1712
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock
        201⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock"
        202⤵
        
        PID:2032
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock
        203⤵
        
        PID:1276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock"
        204⤵
        
        PID:3020
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        205⤵
        
        PID:4200
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock
        205⤵
        
        PID:3468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock"
        206⤵
        
        PID:3316
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock
        207⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock"
        208⤵
        
        PID:1468
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        209⤵
        
        PID:4612
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock
        209⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock"
        210⤵
        
        PID:4500
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock
        211⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock"
        212⤵
        
        PID:5108
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        213⤵
        
        PID:1264
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock
        213⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        214⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2352
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        215⤵
        
        PID:116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        214⤵
        
        PID:436
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        215⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        214⤵
        
        PID:384
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        215⤵
        
        PID:1876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        212⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2560
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        213⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        212⤵
        
        PID:1136
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        213⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        212⤵
        UAC bypass
        
        PID:3648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vkMsAEUg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe""
        212⤵
        
        PID:3784
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        213⤵
        
        PID:3820
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        213⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        210⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        210⤵
        
        PID:1228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        210⤵
        UAC bypass
        
        PID:1432
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        211⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iiEogoIU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe""
        210⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        211⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        208⤵
        
        PID:4944
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        209⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        208⤵
        Modifies registry key
        
        PID:4856
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        209⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        208⤵
        UAC bypass
        
        PID:1812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qoUgEAgc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe""
        208⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        209⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        206⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:5016
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        207⤵
        
        PID:3860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        206⤵
        Modifies registry key
        
        PID:644
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        207⤵
        
        PID:4292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        206⤵
        UAC bypass
        
        PID:4744
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        207⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gMIMoQUs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe""
        206⤵
        
        PID:2092
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        207⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        207⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        204⤵
        
        PID:1632
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        205⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        204⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        204⤵
        Modifies registry key
        
        PID:376
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        205⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vEcMIoYY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe""
        204⤵
        
        PID:5044
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        205⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        205⤵
        
        PID:3128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        202⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4120
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        203⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        202⤵
        
        PID:3120
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        203⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        202⤵
        Modifies registry key
        
        PID:2072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NqgEgoQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe""
        202⤵
        
        PID:5108
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        203⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        203⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        200⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3484
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        201⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        200⤵
        
        PID:3156
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        201⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        200⤵
        UAC bypass
        
        PID:2428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HGsAwAUY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe""
        200⤵
        
        PID:3592
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        201⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        201⤵
        
        PID:532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        198⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2900
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        199⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        198⤵
        
        PID:4732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        198⤵
        
        PID:844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NCwIgIgs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe""
        198⤵
        
        PID:4312
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        199⤵
        
        PID:3940
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        199⤵
        
        PID:3184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        196⤵
        
        PID:1916
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        197⤵
        
        PID:4196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        196⤵
        
        PID:3932
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        197⤵
        
        PID:3760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        196⤵
        UAC bypass
        
        PID:3936
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        197⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iowUoUgY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe""
        196⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        197⤵
        
        PID:1396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        194⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4376
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        195⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        194⤵
        
        PID:4972
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        195⤵
        
        PID:3828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        194⤵
        
        PID:1908
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        195⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YkAksIAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe""
        194⤵
        
        PID:4860
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        195⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        195⤵
        
        PID:1208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        192⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        192⤵
        Modifies registry key
        
        PID:3592
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        193⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        192⤵
        UAC bypass
        
        PID:4612
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        193⤵
        
        PID:380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YIgIsssg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe""
        192⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        193⤵
        
        PID:4160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        190⤵
        Modifies registry key
        
        PID:116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        190⤵
        
        PID:3860
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        191⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        190⤵
        UAC bypass
        
        PID:5080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SyAAcQMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe""
        190⤵
        
        PID:684
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        191⤵
        
        PID:3840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        188⤵
        
        PID:3936
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        189⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        188⤵
        
        PID:704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        188⤵
        UAC bypass
        
        PID:2540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HaAcgsMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe""
        188⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        189⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        186⤵
        
        PID:1432
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        187⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        186⤵
        
        PID:3428
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        187⤵
        
        PID:748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        186⤵
        UAC bypass
        
        PID:2884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HaoowsUU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe""
        186⤵
        
        PID:2468
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        187⤵
        
        PID:3144
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        187⤵
        
        PID:1264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        184⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        184⤵
        
        PID:3360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        184⤵
        
        PID:380
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        185⤵
        
        PID:428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vOEwEgkM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe""
        184⤵
        
        PID:2448
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        185⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        185⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        182⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        182⤵
        
        PID:3900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        182⤵
        
        PID:3744
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        183⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xKYIQQkQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe""
        182⤵
        
        PID:3184
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        183⤵
        
        PID:4292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        180⤵
        Modifies registry key
        
        PID:376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        180⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        180⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kkwIsMUY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe""
        180⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        181⤵
        
        PID:3820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        178⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        178⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        178⤵
        UAC bypass
        
        PID:532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WSsgkkUw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe""
        178⤵
        
        PID:3828
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        179⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        176⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        176⤵
        
        PID:1356
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        177⤵
        
        PID:4744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        176⤵
        UAC bypass
        
        PID:3768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EEAAIEEY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe""
        176⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        177⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        174⤵
        Modifies registry key
        
        PID:4336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        174⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        174⤵
        Modifies registry key
        
        PID:4764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GEQIQUcw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe""
        174⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        175⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        172⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        172⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        172⤵
        UAC bypass
        
        PID:3388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fkYkMQYw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe""
        172⤵
        
        PID:116
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        173⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        173⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        170⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        170⤵
        Modifies registry key
        
        PID:3316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        170⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lqskEcIk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe""
        170⤵
        
        PID:2124
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        171⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        171⤵
        
        PID:428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        168⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        168⤵
        Modifies registry key
        
        PID:3688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        168⤵
        UAC bypass
        
        PID:3176
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        169⤵
        
        PID:3264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NQkwYEQk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe""
        168⤵
        
        PID:4196
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        169⤵
        
        PID:928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        166⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1532
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        167⤵
        
        PID:384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        166⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        166⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dIMgIMwU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe""
        166⤵
        
        PID:4336
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        167⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        167⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        164⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        164⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        164⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aYgQcYMI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe""
        164⤵
        
        PID:3528
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        165⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        162⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        162⤵
        
        PID:532
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        163⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        162⤵
        UAC bypass
        
        PID:2552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EAwcYcYw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe""
        162⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        163⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        160⤵
        
        PID:1256
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        161⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        160⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        160⤵
        UAC bypass
        Modifies registry key
        
        PID:2668
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        161⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oqkAsMoE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe""
        160⤵
        
        PID:4584
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        161⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        161⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        158⤵
        
        PID:4196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        158⤵
        
        PID:516
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        159⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        158⤵
        UAC bypass
        
        PID:1968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\daEgYQIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe""
        158⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        159⤵
        
        PID:1228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        156⤵
        
        PID:2540
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        157⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        156⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        156⤵
        UAC bypass
        
        PID:1440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xskIAQMU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe""
        156⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        157⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        154⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        154⤵
        
        PID:704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        154⤵
        UAC bypass
        
        PID:4804
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        155⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fkoYoUIg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe""
        154⤵
        
        PID:4860
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        155⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        152⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        152⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        152⤵
        UAC bypass
        
        PID:3828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RwUskAME.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe""
        152⤵
        
        PID:960
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        153⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        150⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        150⤵
        
        PID:4648
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        151⤵
        
        PID:1276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        150⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kIEQsoEM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe""
        150⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        151⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        148⤵
        Modifies visibility of file extensions in Explorer
        
        PID:532
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        149⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        148⤵
        
        PID:4764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        148⤵
        UAC bypass
        
        PID:2552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SuIEkkoE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe""
        148⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        149⤵
        
        PID:4564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        146⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        146⤵
        
        PID:812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        146⤵
        UAC bypass
        Modifies registry key
        
        PID:3144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XiEQoIEc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe""
        146⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        147⤵
        
        PID:4612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        144⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4160
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        145⤵
        
        PID:1136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        144⤵
        
        PID:4808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        144⤵
        UAC bypass
        
        PID:4996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dAogEoEA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe""
        144⤵
        
        PID:596
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        145⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        142⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        142⤵
        Modifies registry key
        
        PID:2004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        142⤵
        Modifies registry key
        
        PID:3648
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        143⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DssAAQsA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe""
        142⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        143⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        140⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2368
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        141⤵
        
        PID:748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        140⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        140⤵
        Modifies registry key
        
        PID:3920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DuUwgcgA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe""
        140⤵
        
        PID:3360
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        141⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        138⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        138⤵
        
        PID:596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        138⤵
        UAC bypass
        
        PID:1224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MgQUkwEw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe""
        138⤵
        
        PID:1264
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        139⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        136⤵
        
        PID:2424
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        137⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        136⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        136⤵
        Modifies registry key
        
        PID:1396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UucsUkUc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe""
        136⤵
        
        PID:3840
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        137⤵
        
        PID:244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        134⤵
        Modifies registry key
        
        PID:4468
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        135⤵
        
        PID:1020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        134⤵
        
        PID:1032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        134⤵
        UAC bypass
        
        PID:264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sQEMUMoY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe""
        134⤵
        
        PID:2584
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        135⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        135⤵
        
        PID:3864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        132⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        132⤵
        
        PID:812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        132⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QMIEYkEo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe""
        132⤵
        
        PID:4584
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        133⤵
        
        PID:4612
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        133⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        Modifies registry key
        
        PID:928
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        131⤵
        
        PID:3496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        Modifies registry key
        
        PID:4844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        
        PID:3904
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        131⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jsAMUoYc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe""
        130⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        131⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        Modifies registry key
        
        PID:4464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        UAC bypass
        Modifies registry key
        
        PID:4200
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        129⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BqIIokoY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe""
        128⤵
        
        PID:1224
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        129⤵
        
        PID:3892
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        129⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        
        PID:1564
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        127⤵
        
        PID:3528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\resUUcYQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe""
        126⤵
        
        PID:1228
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        Modifies registry key
        
        PID:2964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        
        PID:452
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        125⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hYEEsEEU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe""
        124⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        Modifies registry key
        
        PID:1124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        UAC bypass
        Modifies registry key
        
        PID:2504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gQEIsIcs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe""
        122⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        
        PID:376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        Modifies registry key
        
        PID:648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        UAC bypass
        
        PID:1908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OAgUoYso.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe""
        120⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        Modifies registry key
        
        PID:2344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QMgIYYIQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe""
        118⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        Modifies visibility of file extensions in Explorer
        
        PID:764
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        117⤵
        
        PID:4732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        
        PID:2004
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        117⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        UAC bypass
        Modifies registry key
        
        PID:5060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SYAQIEYc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe""
        116⤵
        
        PID:3796
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:4324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        
        PID:2744
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        115⤵
        
        PID:4152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        UAC bypass
        
        PID:2068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RggIwoEQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe""
        114⤵
        
        PID:1008
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        115⤵
        
        PID:384
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        Modifies registry key
        
        PID:4488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        
        PID:4612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nOwQQEMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe""
        112⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:1032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        
        PID:812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        Modifies registry key
        
        PID:2896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        UAC bypass
        
        PID:1276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VoUwgMYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe""
        110⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4516
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        109⤵
        
        PID:264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        Modifies registry key
        
        PID:1432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        
        PID:5104
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        109⤵
        
        PID:244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KIsAQscU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe""
        108⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        
        PID:2892
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        107⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        UAC bypass
        
        PID:380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SmIMAgIY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe""
        106⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        Modifies registry key
        
        PID:3120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UQwAMUMA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe""
        104⤵
        
        PID:1344
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        
        PID:812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        UAC bypass
        
        PID:4744
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        103⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FqIcUwIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe""
        102⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        
        PID:1812
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        101⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        
        PID:4516
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        101⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        UAC bypass
        
        PID:264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PIMscEkU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe""
        100⤵
        
        PID:3840
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        Modifies registry key
        
        PID:3132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        Modifies registry key
        
        PID:2484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LicgQEUs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe""
        98⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:3264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        UAC bypass
        
        PID:1344
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        97⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZKokMEcs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe""
        96⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:3768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        Modifies registry key
        
        PID:2600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        
        PID:4744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CQgEssUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe""
        94⤵
        
        PID:4308
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        95⤵
        
        PID:436
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        
        PID:5072
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        93⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OuYQYMwo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe""
        92⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        Modifies registry key
        
        PID:2920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        UAC bypass
        
        PID:3428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IAMgAQks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe""
        90⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:1192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1344
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        89⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        Modifies registry key
        
        PID:448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        UAC bypass
        
        PID:1908
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        89⤵
        
        PID:764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SmIkcokM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe""
        88⤵
        
        PID:2656
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        89⤵
        
        PID:596
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:3900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        
        PID:556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:3496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        UAC bypass
        Modifies registry key
        
        PID:3688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bGMwkEoc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe""
        86⤵
        
        PID:532
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        87⤵
        
        PID:1124
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        UAC bypass
        
        PID:376
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        85⤵
        
        PID:3828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RkEcAQMk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe""
        84⤵
        
        PID:4808
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        85⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:4844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        UAC bypass
        
        PID:1900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FgUEYEIs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe""
        82⤵
        
        PID:1136
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        UAC bypass
        
        PID:3768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ngUgIMMo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe""
        80⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:4160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uiQsAQsc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe""
        78⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:1224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        Modifies registry key
        
        PID:1560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        UAC bypass
        
        PID:3632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ikcoYAQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe""
        76⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:3992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        
        PID:1436
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        75⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        UAC bypass
        Modifies registry key
        
        PID:4012
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        75⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QSoQcgkI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe""
        74⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        Modifies registry key
        
        PID:4804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vwgoQMcY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe""
        72⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        
        PID:1276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        Modifies registry key
        
        PID:4880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        Modifies registry key
        
        PID:3528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BMAEsMUc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe""
        70⤵
        
        PID:436
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1608
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        69⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        
        PID:704
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        69⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VCQYYEgs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe""
        68⤵
        
        PID:264
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NegEIssY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe""
        66⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        
        PID:3900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZissAsMc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe""
        64⤵
        
        PID:2728
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        65⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:3768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        
        PID:3828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iwssIosc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe""
        62⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        UAC bypass
        
        PID:1508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qIogwAUE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe""
        60⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        UAC bypass
        
        PID:1876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WIkcYkQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe""
        58⤵
        
        PID:832
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        
        PID:764
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        57⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        
        PID:3320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oqgcoIko.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe""
        56⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:1124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lYscUcgw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe""
        54⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:3788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        UAC bypass
        
        PID:2892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZUgQksUQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe""
        52⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        Modifies registry key
        
        PID:532
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        51⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        UAC bypass
        
        PID:4796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vUIYwgcc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe""
        50⤵
        
        PID:2708
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        51⤵
        
        PID:468
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        Modifies registry key
        
        PID:3904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        
        PID:1344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZSQUcYUc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe""
        48⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:1392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        UAC bypass
        
        PID:2288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gYkggYss.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe""
        46⤵
        
        PID:3380
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:3316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        Modifies registry key
        
        PID:1272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        UAC bypass
        
        PID:2892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QEIEwEIs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe""
        44⤵
        
        PID:1208
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AOkEUkcY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe""
        42⤵
        
        PID:2300
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        43⤵
        
        PID:3868
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        UAC bypass
        
        PID:2120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kOQwAQQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe""
        40⤵
        
        PID:4036
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        UAC bypass
        Modifies registry key
        
        PID:4428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FocQYEUo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe""
        38⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:3316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        Modifies registry key
        
        PID:1224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        UAC bypass
        
        PID:1748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fmYMkUsI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe""
        36⤵
        
        PID:384
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:3840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        
        PID:468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:3868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        UAC bypass
        
        PID:3768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HeUokIQU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe""
        34⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:4788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        UAC bypass
        Modifies registry key
        
        PID:2372
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        33⤵
        
        PID:1356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vEEkYYgY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe""
        32⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:1136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        UAC bypass
        Modifies registry key
        
        PID:4532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iMsEMwso.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe""
        30⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:3156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies visibility of file extensions in Explorer
        
        PID:632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        Modifies registry key
        
        PID:3120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        UAC bypass
        
        PID:4944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MCUEUcgk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe""
        28⤵
        
        PID:812
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        UAC bypass
        
        PID:448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CUYAUwEs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe""
        26⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        
        PID:4800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        UAC bypass
        
        PID:2052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UwYAAYQE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe""
        24⤵
        
        PID:1228
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:3868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        UAC bypass
        
        PID:1028
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        23⤵
        
        PID:3080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bmosQsMI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe""
        22⤵
        
        PID:1356
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        
        PID:3624
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        21⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\licAIoos.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe""
        20⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        UAC bypass
        
        PID:3736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\daEwMIIE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe""
        18⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        UAC bypass
        
        PID:4196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xOIsUkQE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe""
        16⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:1228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GOIwUMsU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe""
        14⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        Modifies registry key
        
        PID:1800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sysYUcwk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe""
        12⤵
        
        PID:3380
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        Modifies registry key
        
        PID:244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        
        PID:4324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kGkcoksk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe""
        10⤵
        
        PID:3080
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kcoQkYAU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe""
        8⤵
        
        PID:3120
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:1584
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        
        PID:4748
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        Modifies registry key
        
        PID:436
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        
        PID:4464
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\haUcwIwY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe""
        6⤵
        
        PID:884
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:2896
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:1324
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Modifies registry key
      PID:4800
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:2748
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LmQkAgwE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4200
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:2880
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:1596
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:748
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  - Modifies registry key
  PID:3388
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NYYMIIAo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1488
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:1496

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.exe

Filesize
237KB

MD5
a1bf6279bb424918923a0e78948c23f4

SHA1
e848665559968a624f16c1b975b5e69cfef2a11d

SHA256
ac5eca61118cbf99c706f11a5f18e77a71d7acdf0240a4cca3ba24ce06ef9a97

SHA512
cf17fd8505f735c9ff2e4d58ffc2671fd477286fd74c6116f30f2837aac98e8e869bdb7706fc7f79e8d664b73e18fd95221ea2aa25cabbe14827f62556684d58

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe

Filesize
236KB

MD5
6787737fd0e58466ffe6d41d6556a4f7

SHA1
1572d4612ed908800dc5ebb964fbf96ba5ed82f6

SHA256
af0a2d448d78af14e5d7621f95ff90d76c07bf5f4c701fef8c5717ab54cebe9d

SHA512
1a4c2da1f0eeacccea80e7ff9157d4cb5a662b46b23c11d63a597f555c6d3758d6b653e954f10b78709f1ca4faefedbd0ff4dd28146c4f5f845c488df1ee3263

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\guest.bmp.exe

Filesize
696KB

MD5
147178a2d8269ab6a7d9727b3fa9ea4f

SHA1
bcc5423226679c6b0985ef328da6645428832a81

SHA256
5c0d9801a00cacd626ad4895be2aaebe50a3f2b9b6243dcdb9aee4f466b509f2

SHA512
447eaf21794121231c002e4669851d25bf81a94494b06c7030546e397cb1dd511a8b87b1c49624b9e83d55dd4dba4f22c9e6b7e61e563070c9791b22204771e4

Download Submit
C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe

Filesize
743KB

MD5
599f71b6bed8f9d92d6362fbfa1b3036

SHA1
3bfdcc741780ca65f7ee7db5aa4b0b1ca71cc21e

SHA256
988437b8884d8aa610d71237fcfe9cac20bb9dace91a6ff8044e36a394cb1607

SHA512
5235557d09f8f6944afa5bd753cd1c22406ad67993ee784fb66d9cd62476bf138e3db4e27885e7e876b2bc131a7bcf024205f55112544418983b9d71aef5e6ec

Download Submit
C:\ProgramData\VmoIcEck\kMgUYgYI.exe

Filesize
109KB

MD5
92f5d4f9a8501961d55b0a0a4cbf80d5

SHA1
5a99df8f4c21fc6ae61df801f6dae2ee8c6403cc

SHA256
e51d74210d45d841ce667b51920cd19e844049bb6bcad2f05372c61f86b13fea

SHA512
5a3edfea900cce8bd1fa1f6f733d50a7921393885ebdc81973a574e4cc7456a1c263057e5077ec38330cbb4c93d3f773d2e3d00ad9e4935ecd40785b6d800f0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppErrorBlue.png.exe

Filesize
118KB

MD5
ed1553181b3e1e7d22bb3b8bf22b78d8

SHA1
7fb3c4d5a0325fb5371cf6b4a4e4e5793d5be22d

SHA256
d582f4e71fbd3ea0a9847bd69a16105bb717826d9fc6926cd7b19fe0e20e682e

SHA512
c11d8f61f970185693c215eb3c53aa2f47a42a2c2d5e758bd925470f478a444a5d465b4a2cffed8ef0b4f460e0ec90fc4742492ab7eab01c7fcc5ef096a5e58f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMLockedFileToast.png.exe

Filesize
120KB

MD5
771b26b302df6fe2dbd9770a118c3efe

SHA1
3e253cce0325d068ae9ee40b3017695e21fc8f57

SHA256
7f0cd37d813ff4ba5f8cd6cb6bc74c42b353b536ea426e886ae38e0061890e70

SHA512
3dce480c3ff33b875bfcb1b8e6e3eb56e36414152673f6d2dfaf034ffad4f56110105b961bc79b5ff4678f4fd35b629d025991173010f8d27b8758ec8e417e12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMScanExclusionToast.png.exe

Filesize
120KB

MD5
ed2603139ea164060defe8aba501723e

SHA1
240f21d31ca41542dc6c2c62d2491e4a1ee2a593

SHA256
6d9c0a4b5bf83e01cc74b062de5ef42c679889c428cfba3f671578b99f9c2f97

SHA512
3117130d3ed36d3f9268f8634a14c66a69bce7541dbd21c6ace0d7a1346e8ee1a5b05ec987b71f64361d2a11a2f5281fa2ba9d9eefd272ff4f6892e86308f945

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-white_scale-125.png.exe

Filesize
110KB

MD5
03154de5def8e02306ba4fd0c7840a31

SHA1
81bf006d064e22beaa89112ae80faf57df556ec3

SHA256
243b8ba724d134507121d98db94e0e905f7b3d3de52757c09313604c562fd738

SHA512
7cb0814050e17e561f71af3a1ab56535524002144379f88d2d4ab91e3e15632392174be7285c7a86510be3d56d19c5822eceff71386527d10ba41b2fa1ba89c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-05-05_098aadf85c858488724f397b9b78a4b7_virlock

Filesize
27KB

MD5
6fb2a38dc107eacb41cf1656e899cf70

SHA1
4eee44b18576e84de7b163142b537d2fe6231845

SHA256
62e85a0f3a4cbc01b6d3390d63de0f7d051e1e723aeb071416a38799c50738ea

SHA512
939f4a7f03996833d54a36f608949a579a7e6c37f5a477694287158fae1403bce8b5b57603ac45f8caf683129f918093e5663703c05d44e78e9e3606a0d683fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\AEIC.exe

Filesize
116KB

MD5
7baf576afa0c123a8535d9b2e19890dc

SHA1
51ad1e4c60520cb7fce250fa765301b35d270d87

SHA256
24d5e356b256247b87c9e5c2eca2cd87d1fde93c9bdc878899d4dc4fef70219f

SHA512
7d3621817be11f8f2ef8114d083641005d4f4989730399e150c03353e5bd859f1f2543e4ec1a9bb1752321f476c4c0dcc9b0abbdc5333ee7aa242b34c9e27926

Download Submit
C:\Users\Admin\AppData\Local\Temp\Asku.exe

Filesize
110KB

MD5
ced3dd3432789afcef308275ad673f1e

SHA1
1577e48d2fc2aacf3a8c48c36797f4a8aaa3bbb0

SHA256
243e7d4570cd1973b207b10f78727881ca50dd7fd993a2df7a7d50187a66fb14

SHA512
72fd482db18df645754d6cac6dc923c5062284f54cc380c67a6e3aa57c82e22afe535454efba788067682b12fa06b8e560a184a859c58c81b3a31c66ea81eaec

Download Submit
C:\Users\Admin\AppData\Local\Temp\CQgk.exe

Filesize
112KB

MD5
38e9347f0454627eecc2ebec61885e15

SHA1
4a5cd47918e115ec3444dd76c3affe97c6ba995b

SHA256
4ff333b5e73f3b72708f375453e25019a07c41e7b519018999471d2ae95b1096

SHA512
2f5ad8c54c5da54d8bfa0888ef766bb3e178534edccfaa0208511b565c7497fe56c81706a1b6301cef93e729a433925cc4959bea3a428d425a95b9508a103d8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\CYos.ico

Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\CooW.exe

Filesize
116KB

MD5
42d0e900a460ab9b54bb2d8c950a5261

SHA1
efdbffd567b25cc72d0f52377cb8e04b7e5ebcfb

SHA256
c34ae9bbec05e32a7ee7052d9ed99c9e69f66852579859b822534cd6eccea814

SHA512
927c3f3293716e6eeb28aa84a79c523a28733bf5b3097828a10ea59a9f8aa622ce2e778720b1fefc6f63b3cb9f9b9ca5c5cc11df218a8f487bc31894a3e09ce4

Download Submit
C:\Users\Admin\AppData\Local\Temp\GMgA.exe

Filesize
111KB

MD5
1c02a694ecdb86fab2c99e84fb60a685

SHA1
0d89010fd3202208e4a0439fe03959955bcb34ab

SHA256
8a07b1118d5297a90b53f94fa9d8d64237503b9cd19c07f943243ece92ab63fa

SHA512
9de2a1ad4f6e39c75da717a6dedf7ddac6adb38355cc32c5e3f48f3dc968d2f45cd2ba3ab39c3307a48999f3c1aa2c5d5650a0cecb8207df00255b825c8b7455

Download Submit
C:\Users\Admin\AppData\Local\Temp\GQwK.exe

Filesize
115KB

MD5
74c69977480f85938bf9d8b9f033a30f

SHA1
0abf72ce883f54a28a89a6a8bf08be8bbc6f5a24

SHA256
afb011f1dee0315a629400005070ddf6173ca6908c98191a03b33a65893e4a90

SHA512
c6d012c1da9a3fb4e944e2db3a625d6a97e16c4ca6fe4c706641de7a4d800501886040a0a3fd1c87e72a100041b0e67cb7839a439b41a87f67d6f32b6bb5e869

Download Submit
C:\Users\Admin\AppData\Local\Temp\GwEm.exe

Filesize
112KB

MD5
63f5f89970480b6f5e651bcdf32e5a91

SHA1
ac68f434b72c081f2e34d08793dfc7bec835f950

SHA256
f1c265e1312f3fdd971c2782837b47c0d4c3f4abbb741b233a8034cf1e9edc90

SHA512
41ba8e9aa9f2f0f3df5c4d42c2a00b801ced997cdc09d9f9be6d5720af0144b162ad797ab228483d7cf6d95c3b81ed2207163357cb3c77bf07c26ccb74e07eee

Download Submit
C:\Users\Admin\AppData\Local\Temp\IAIM.exe

Filesize
1.7MB

MD5
5c8737cfd5b87183382abbcf14eafec7

SHA1
f7f2509a82c52a0644b089219eb660332af0f702

SHA256
71cf279cc39ecb962248b50d4e5d37e44b773ccff34ae98298003da4039b3483

SHA512
da79ea040a5b86fbd85cf1f1b8681c31fe2743f52d903f644f5bbb4ca422b22c3720c6c79fb26212067eb6c5b74e728fd4af4873d0e23e48dfcc3ed656453e96

Download Submit
C:\Users\Admin\AppData\Local\Temp\IAIg.exe

Filesize
566KB

MD5
6aa6229b532136048298f87d5b042ac2

SHA1
cd73c46f2b68ff9bd53a62bc46d8cd55a124b516

SHA256
faef4e9a9251de67901040cd874750040ca68d32c5ac93facbf6dfea49a0f8b2

SHA512
2ed952227af283bd65b55119f35b3f4ca9f3aa7a45698c3ef581c4ba06857b4b10313c1e5e1d403e790b8296a777dddc1c8cafa7af61b2f2a26a3b873ce2f9ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\IMcw.exe

Filesize
722KB

MD5
63c08763c13f5be2523a2c7000a5c7f4

SHA1
cd271959f7f8d796fff1ab20ca3664907e0b0f62

SHA256
e86436e17247df33a23bcec89e7cb0217af28d8571384ebd82460b5fe798b898

SHA512
ffdd805f3f2775cb5246ac3cd4ae9c547ad5ce936468b35c81b9dbcec9f50c942bfd63a3a098eac414b9244f8bb1b96442124b786ea22794201d738b15587106

Download Submit
C:\Users\Admin\AppData\Local\Temp\IgIG.exe

Filesize
112KB

MD5
3dbe4045640e9f9968a2282a99b69c57

SHA1
7079f0b73e1ab7347aa168dedca4b3d471fb6486

SHA256
6dbcaf32136f01a0e6a8e0c3d31d94742d7ee5b2aa8783beaf8d5881a8d599a0

SHA512
3917c52990530cca11bb266b7cc3ea92d176339ae47a6c3dfbf75e801ba24bd5401bcc8f71d1ba8754061f1ec65827c21918c65c40ce3853463e7ed291647a3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IsoE.exe

Filesize
137KB

MD5
dd280fbc69e27ac1c8bbbed72425af2a

SHA1
b8122d30bfa762f0fb28f0940ee2611d661b6b0f

SHA256
4f35d76091acd008d9a1bc681f349adfbcb4aba250eb8833f4aab0c21ffe1a04

SHA512
e78f57568f593d6bf1f9f7ef4d63de321b2609b579f2524a7dd636e37d4dcf4fac3ff97a7ce34ef0f3b4a45fed4246e538a50778c530d4f3fbc7e2e313edab7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IwwE.exe

Filesize
116KB

MD5
f46f291c4690cb9f42b00af8cad703ab

SHA1
728b9244cc5cc2428d84de28a1727c88e43ff0ea

SHA256
fceb11c220c12a2074250fc6af61f4232412e1804d3f8b9040aa624de7f3712c

SHA512
fa834e2b1629888255666c5f1a51daf8c22047d24b8a991af8ee01ece072ae0493f923023e0eb41f1e613b1335544dca9d24096d753af8ba65f8bf074c3adafd

Download Submit
C:\Users\Admin\AppData\Local\Temp\KAow.exe

Filesize
362KB

MD5
ec2b76a0e15eff95ac9149e89f55c930

SHA1
a739dd78624dd55b2bb9b615e9a901bacf9b29db

SHA256
17011cb478c7a70c292b3702a41621f6c64cf2e6ce126f52a8fd3da6ed181c2a

SHA512
f8f1e9d9556672815168209aceecaf42a3e5022cdd0bc6a289819d893da6bbab3ea9c39d5c0080c8381ee6851601720ea8dad590565a4e38ed4701432448a782

Download Submit
C:\Users\Admin\AppData\Local\Temp\KIYE.exe

Filesize
122KB

MD5
df43384b28c2797e18127aca83765549

SHA1
4d6f567a307744cceb23efe8d2ba3a8a2adbd6c9

SHA256
7d6ce41b10cea775ade52adecc52c2ffa8011cd89342637b14ec3925fcfde476

SHA512
87a3ee514621df1a233efdc77da083e34bba78b51f6135c817df6f561876945eb1634d8eeade9318a62540e868b472e99e774ce32dd2790455c36be8a29efbaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\KUIE.exe

Filesize
112KB

MD5
a3510c28c640dee4718c714fb270c8c2

SHA1
aebce58b24c4b4fc26af4992434cdb7c5b703c35

SHA256
e027fbf8b515ffab1b109d37e5d5038a5caf8464b055003934d699b09e4a2aa2

SHA512
7c100e5bea9be599a4a2ff1fb2068d2838b7a617c0eaead6992192d4049869fb8ed60205ccccbdcd07f89a3d88c3918626381c98f0be49336752ceba69afca07

Download Submit
C:\Users\Admin\AppData\Local\Temp\KgYQ.exe

Filesize
374KB

MD5
0a21b9a50658659e9a43e23e5c432f1e

SHA1
33538e1fae04a9363d3b987ad7a4c92e0591325b

SHA256
37fa8fed97aad2a024785766e1d06ea806529dd2dd976f19d27a2b9e72750476

SHA512
e9b212e6740326be5c63bf8dd2fad880b4a296b1b3b7fa8c22457450ba6956f6b8e202e120a85bd31ca140a4d0e765e1f742e40cd2142b4b9fa24dc5e58ae8e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\MUsU.exe

Filesize
111KB

MD5
2b0f373f5d0589501e497d10ce0d81da

SHA1
1a8603c75deeb66fe672dc0ea5996d50656fbbea

SHA256
32e3bfd2745888e8ed1fc1afcb5dfb4449accb8b7e2366aa984b1e92f65793b8

SHA512
0149b1ebcff2106a84619f67e2837f058bcaf38b27eb3ae8832e331e7047046645af5d75e480c8a7b0bcf7358286d0449f0a7e47329bbcc6cccdb81418ebfdac

Download Submit
C:\Users\Admin\AppData\Local\Temp\McEM.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mggw.exe

Filesize
113KB

MD5
25df386fd6c9b921133b17a27a7a6c7e

SHA1
814ec81c88ede472de0985d3bfc97e6edd319ef9

SHA256
7d50d57ae2b0d2584c1f30e55e056e22083a0ed6d570c50133cb601054f33a76

SHA512
b818b025469f9fdbd9840caa818cdbb80a53bbd57f77fc715c854b9e62c583b5aabc42d7a510644699859ba79675048a2313649620f215faf5cfb1969e230a9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MoMS.exe

Filesize
303KB

MD5
05ef08da8ae269baaa073cb0517104c9

SHA1
b2deec42f201eba00bd03a6a01be4678432657c7

SHA256
0a0ac4332a6911342a4d152192530cc88df62b3d5ce6ebf67203d2ead08eb415

SHA512
b7286dd29c2e49c235555966010ac91b7d447a2eb4c7a04e74eb1cd66eed10d1ae339f7d392650948919a2c76f1c8fd21ef34dc1aed0976467f10019c763949d

Download Submit
C:\Users\Admin\AppData\Local\Temp\NYYMIIAo.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\OcEK.exe

Filesize
371KB

MD5
20086ef44ade5a0a8179e57268cb1b33

SHA1
7e132f9bda260b90abd668bbe31404d172340ef7

SHA256
fc1687a66e95c6bd3684d1e29367226a689652d64b30f746b36b3d1f4c4539d9

SHA512
696e41a35460ff04981c6e4763fa5c721a81bb13cb83233cb3e9bd5f08e44577b74a9c36a5328045327edd1dcb9645f83465fe552cefe71c2d402c287f116500

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ocwm.exe

Filesize
445KB

MD5
73e88beeb59be87a0c91e1edeedcdcfe

SHA1
dad0ffc5613639610d994b9d2c74b77331f27c85

SHA256
797243f70da93d6f00d6618e6878f7992b907a3d2285f12ea02dd97b3163b3a4

SHA512
9fb1557c9f1d708c33d80362ecc565ecb586ea10ef7d536382f7e574538aeef4f462b80bd5e5faa0e62d5c32176bc3c6163ded698a8b153af2c81c3d47466093

Download Submit
C:\Users\Admin\AppData\Local\Temp\OgUo.exe

Filesize
115KB

MD5
6c0d3982d8cc6787a37a61bc851dd1d3

SHA1
2e5fe3770f7d19655eff780e8299cae8ab04823a

SHA256
93e80d953e234d34acec3cea5305dea09c770d09fe13e86ef3e969293754eb9b

SHA512
fad8a4a7846b388cfd7622c606ef70fd5dea4a016c049cbda897d8d63ff8763f8024e95e042323c53b2afbc62dcb67d8ae552322f43211bbbe8243ff37329997

Download Submit
C:\Users\Admin\AppData\Local\Temp\Oooc.exe

Filesize
115KB

MD5
9d823e42158dc6435a0dc0ee3173515e

SHA1
7d1be079710656128e7b32a796b505ffefd75eaf

SHA256
397f50ff2524514870b38fe8e78e27e944ea928d0a916dd3ca617fb492b0d85c

SHA512
ce1bdd824bd7337da9e7316db2dc393717ed2572994c5ff5feeb50c53104270d208df7df7d60bfaa06a7bbc72b2e28fec3e12466cf0f2855d6b4a8c4efb27ad8

Download Submit
C:\Users\Admin\AppData\Local\Temp\QIAS.exe

Filesize
110KB

MD5
dda383821835e9174608d7f96ece3d71

SHA1
e312e90efbdfcab2b656acaabf6ba849011e5ebb

SHA256
1b27ddd20954eca4a178f75850c74d44a9a531e046e4cba1ec71214b5cb8beac

SHA512
255b04f03445191e48deb7e6f97e580358724a6c1c840867e71e933b1b346da2e4eeee33aec312d06566195a87a062f1436b887fb1ad4a50bc84bbc67ac8fe10

Download Submit
C:\Users\Admin\AppData\Local\Temp\QIgm.exe

Filesize
109KB

MD5
eb553c4969dad76e50bacd3a52deb865

SHA1
f16c1c4c070d54ed24ae2dee629b3baf1ffa8abf

SHA256
6f64a55593076d24e30e99ec6df0d49445d960fcce43b4d24f34c60300c7585d

SHA512
79a8de782f8fc7fba0ac22bcf08cda4ae038339b8710953cf4d7390606c89f72e63de5d6f47b7bc130715368670d7a5ca16f31bd4f272b176526a3e70e4d3e10

Download Submit
C:\Users\Admin\AppData\Local\Temp\QYEq.exe

Filesize
110KB

MD5
ec52c8ce5b3fb24876a3b1a49c9ba434

SHA1
7b417e455354ce9fa8a0634e47346f5738cdc1a8

SHA256
007f7742995142837b062e1463645e7d482cdd78f2896d8bb7ff9bb4e729dfa2

SHA512
f653ead911f88b6566854e41b07efaea165162a58e49685c1e3bbe393b5b62499d6fed952ba9d1d43898441562d752b7d6cd13c0d0e206c677c0009ba85cdc3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\QYQi.exe

Filesize
317KB

MD5
6708b30e6104e7c70afe8b125ce29360

SHA1
e515018607fc06263f0295042f10e3b400e94d14

SHA256
5fe43308249a47abe9a8a0a60f1d22941c258781d80406e4142edfc30e2a2c69

SHA512
f03eddf23782082162d689adfd84cead2f4cd4f485decfecdf2ad2b596590e38dfb7fc4ddd2c90033fb11cff95b895283e5d8c24fde1832f4bb965bf3948b327

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qosy.exe

Filesize
110KB

MD5
abea690d70e3b3be52d828e46458899e

SHA1
3d2c69745b48eb338111374affa19efc8c3c670e

SHA256
33f2851e5fe990f48823b52050325ea7fb865254ba8b749d126f7edda190ee4c

SHA512
ae23f09bf8430ebac429d13e373281f00978bfb032a3589ef852e1dc9456f536e231b5271a0b53653b7ed427e36ca3438712325390ade986f2638019124853b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\SAUs.exe

Filesize
566KB

MD5
a9ec70bd6631353f588693f28417292e

SHA1
5685ec877f439a351f1ed3baa34341d22c80605f

SHA256
104740a4eeaec7ccebd22b2f31110f1e5877523a83d99e266a2721f58a087fe8

SHA512
c49b1240ce4d32e5227e1b5551ceee1442396f74efd0004113f19c7c9ba993670f7a8da62b8a3ca0e547d7a2cda52d39efe9e69d080b10e82515e2abf939c386

Download Submit
C:\Users\Admin\AppData\Local\Temp\SIgk.exe

Filesize
295KB

MD5
e29e9094e3fea5c048eb79a496bb4d61

SHA1
2d58b9bda7fe4ec9fe1dbefc1981e2aea1e847d9

SHA256
7a8867d384717fe284573a5a4a341487f4dcd5ae170f4a61aca85495e8657d4e

SHA512
f33b588226029078e5d6200e03bc072c83d44508540523da4538e4de33e0cfdf38c9a6b5f467bdfb7e7be4cd91df13e6cadf312710d572a244e4ddda1224cf30

Download Submit
C:\Users\Admin\AppData\Local\Temp\SIsu.exe

Filesize
330KB

MD5
ea4dace2ea4a0cf1a431c4a0c7efd2f0

SHA1
e5bb13e8be406dd9e3b0c75b38aaaaf9bbb6b8af

SHA256
de212cddc9a63fabea4cbc41264ccb065b7c7a67d3c8156f3246b5ebe5718818

SHA512
9f6b15fe02d9ee08027703fdc6bcf89a9c0b7581888c4c78e3a9c0db31d5db969dcf8cd2ee8acab60153a1df7515612704b1c8e7791ccfd1290d7ea9a968d394

Download Submit
C:\Users\Admin\AppData\Local\Temp\SYMg.exe

Filesize
112KB

MD5
efbe70da1d9a5578685b568be0687343

SHA1
21781addcbaab4605d9d783835fb30407e4a7491

SHA256
27e774b347242247a2d6c2b8f2af27aba383dd9747fcae3330ac8286c7dd250b

SHA512
e560343a49a0212f501ba176adf4bb8ceb1c33ca2611753c37ca58f6e0222dda892e81cc27498b3e171f200a0968261a3b8506fd95efef2e3231206fc3dc78b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\SsQo.exe

Filesize
393KB

MD5
b5144e900adbdfb62444ee688dfb961e

SHA1
cc15eeb7476296fcfd20a6ee1f43300c2ea71e57

SHA256
e859949aabe6e2bac366e1d0f59e96d2b3750609362208cbd538cb4839728dc1

SHA512
60c58a1f7e312b759adfa48c87099522411c59bef78519794f004569e56b83839eaea9f98018428ef283487fe8c92023c128a975d7cabd7be85dd04f6005ac2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\UYEu.exe

Filesize
111KB

MD5
90bae140f7a962847b128003a8506db1

SHA1
b751bbffd11e99c171aa668175926c28be6160d8

SHA256
6820d6f3530b5e3c4d78d3da2c0fd581a33bd03e7071bd672c5dd08ce7c5f730

SHA512
21ea250da2644b2b453bd77431ddd6f396938278086e9c8834bbcb19ac69c7a10ec5d1e588e0ce99eed3e63412d6cbc8b4ac5e6d293c5699664428fb9bd3d90e

Download Submit
C:\Users\Admin\AppData\Local\Temp\UYsc.exe

Filesize
114KB

MD5
f77065c6db61fa29ae457ddb7ee5d38b

SHA1
e83bfb5a238fff8b6352e17697c5d84ed8b9cc72

SHA256
db5bbe69c8665c89e32c42d2022d570cc2fa436fff0a8829dac1817b78cd9ad2

SHA512
b7a25c1842f051cf6a487d1066d502585e9be7f54e0f9ba4772cce331bf66deb3e5ed8f53036ff0cecbc8a781c8b8eb93c4d0470bf67cbb5e058e11d718285cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\UcUa.exe

Filesize
567KB

MD5
cb04b76113dbc83f864188c5a866e76a

SHA1
571075942bee539a4a45f94b52839f3e495e8752

SHA256
dd134afa1c8f109b6e7ee2a5c83aad79f3f0f6ccaebe00f1682f7beafab1d1a0

SHA512
658a4cc25e5536a9977ff7b631b00041cb27ececcd696969a2ca54ccd28aedc0f5c28131d70a07650f2e438bc764c9dd299ce8ff9c96e70bf829a7dc1c7a20e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Uwci.exe

Filesize
237KB

MD5
a2c91be108c4bcee6e550d5eb3392ee5

SHA1
cd2d16c9eb26cfb9bd96c6d8a91eb3233882232d

SHA256
939e204f6c34100d5b037bb6e9cfcef11318b9acf77f61a370d2f7c079d66466

SHA512
709b7cb73a6887bc50c9253c1fa702a609533f6a814e754693ad9161aa811c67e3b35d4825803ef0b4d3bc5e4f8ae6ebb91475ab4b65eeabff2a729d07b00f38

Download Submit
C:\Users\Admin\AppData\Local\Temp\WIki.exe

Filesize
443KB

MD5
1912457a4674c5a21dee4e4f7c52f249

SHA1
8f765dcdf456e7d9ed460fc1c1781b9d29bac9f8

SHA256
e519cc624f196cd61e2afb1261b8a3ddd693778c6e62ed008c048cdb4154c3f3

SHA512
ca2c590d927d54560aded1de1ab653ff882ad7f183fb25f063c6e8facf2fb51b3ee97e7f7f053d4290ccb6591abe71eb2c36d92bf24b9e56f1096e0318919052

Download Submit
C:\Users\Admin\AppData\Local\Temp\WUAi.exe

Filesize
111KB

MD5
f724d7ed35b7ab76d58fdede00c876cc

SHA1
aa852fb8faee9bef311b54df251cedf02eb7c29d

SHA256
7b84ad8be066c61729789a6981fec13e7ba00b4b045ccb8bb32f737eaa20dcf2

SHA512
01efe3a12cfd5558ba3b1d3f98016073ab354299ca4e9204097fc785b20cfa95880743dac421b5c64af7923147cb6f783f41a2e6de43fb82806c747cf9b3ff09

Download Submit
C:\Users\Admin\AppData\Local\Temp\WYgO.exe

Filesize
118KB

MD5
a560bf815dd8ea80e633c6b985b1cce4

SHA1
6fa4e80d2367a40647809bd461d2362f08269799

SHA256
85e539bd2475661180320007ebe8edf50464808ea02c4956d9dd1ef5e0b3a0c8

SHA512
866528bfa3322292458c08385781ee4371b506238cfe0710972e74a7df3d781ec4bfa8a2450fbf8458d04a3ed958a6dd989ca3a3d5ae0c1966449831b6f91b79

Download Submit
C:\Users\Admin\AppData\Local\Temp\WwMq.exe

Filesize
111KB

MD5
0f7d0b4649ec8a18fbfafe2ea6b2568a

SHA1
bb9609b7ed3554b4c07acc70458ed9fe5d2cd8e4

SHA256
2937b88a135a19c71312f2f35578d4ceba5c5540ca4c9ee9d89c6b2092a7cdf3

SHA512
b3ec04eb34266bec5b495f31dec69d8886cc576cc3dab9139fc9857941090e7a015f1f015f158e5a2629601207f6403b87e0b4319bce491ed7eb1f7e7133f89f

Download Submit
C:\Users\Admin\AppData\Local\Temp\YAEk.exe

Filesize
139KB

MD5
786b57fcf8676c0a12a178d12bce2475

SHA1
5593ad44419960751df21aede39a8ee97fb2412d

SHA256
8aeea896f9afaaf3e724f9d026ca25265e47cea1d7a5dd71db2ddb73e585d108

SHA512
1145946e356fef8b62b0f8a4e2a7afb1afb2b15829cb28bf65c44d5e4290de6a665c7a0312dbc8ad679456b98da49ee492a08af46ec4592a376a3e7d122d16fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\YAUG.exe

Filesize
149KB

MD5
ad096f0d3b8ee64916d5323ce8f71f7a

SHA1
16a30575d97eafada3fca7f94b47842a33f8646c

SHA256
4ece0413d1d161623fee0f94bc81d5e287dfaf1c898ab2e2d68cd8584dbc4f37

SHA512
522a965ff4a1834863f117f492f644368f36d101b0b5140bfc3d5564795c69b826b97637e3fd4b28f4b5f1b1ea541672fd3aa0ee330e12e8bf5e4eab20232727

Download Submit
C:\Users\Admin\AppData\Local\Temp\YEEu.exe

Filesize
113KB

MD5
5fcf8c3ae493020cfbb9deb9340d81bf

SHA1
44d9759aa38255572a9f95f7b166a6392b1ed8a1

SHA256
7ead68e6e011c04febc8e347bbb456c623735f2b531e41adda6fe84dcc65d0d6

SHA512
e33b16447b9dcef07437377a495b9eb4bcedbcf140529fb3a08932d80f1ea22d9bf18ae2fc3b65756b6c20796f5248e78c6c2d06469180d4d331480d32b030c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\YIsw.exe

Filesize
115KB

MD5
240dbcdd34764e7cd9e88b154046ad88

SHA1
5abcd6e3d9892794ed50dab327718fe6bdbcb597

SHA256
ee38c99024879f36a6d71070f71b379de01a2aa25a2bf3f37368dff093ffe329

SHA512
515abc16826326ea2240cc1e2196b5eb7bff7aed941738dfaeae74664a6ee5a13bcb6626dadd3ade4d6c18a8500a4036faeb5ac4acbc5b8613629341030dfedd

Download Submit
C:\Users\Admin\AppData\Local\Temp\YYsm.exe

Filesize
111KB

MD5
85c263dfe4730a34d18df933861f92b3

SHA1
f7bfe0ddd5596ae4a2f6d96cd96a88d04a5a188f

SHA256
8b939a9c8c65e842e576fb71a9932adcb9c4344298a3e8c774ba79a68dc4d158

SHA512
00f56f131ee8c9342454f0f3a751ac31d52aa4a266b9cc8b149b96daf169e4e53a87ee335a0169bbd8a3bee2e81705c9f52fa4bac7400482a645622cc78944d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\YcwI.exe

Filesize
116KB

MD5
2c35ee59a1b0b5789958c0f3be057af2

SHA1
e33d6017f7c3b1027cde4832db5d38af8710bf78

SHA256
0e617535014fbad8d5b4fc76b4f41a36adfd558ca64a4ce1b788b3ffe175efc9

SHA512
3410b5ab8fbb612b50c22b41ce28d7b0038dcc9433b11cf3a2d0b0f7640513f8c59eda73ecec03b854c1138eeb3462bb9ea7aee9b265a7500ed77bcdfb99101c

Download Submit
C:\Users\Admin\AppData\Local\Temp\aMgg.exe

Filesize
719KB

MD5
b935fe2ee26961aab5241833e9a35bdf

SHA1
54003b832d438d0efca4512db8c11a7cbc3b6179

SHA256
16119aaea0a05bcd713e24de965b55c342487a6b8c3f71d11a715982f9ac1e04

SHA512
f67075b967b2f4daf0653c660f8604c87dbba6f98bfff0945b447c08a38e54d4e2b949f6651fad2b1d027466134ecc438d78f0acc76bde508f67ba3ad4b3b5bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\aQci.exe

Filesize
334KB

MD5
46e931582a44edfdbaaf81a7a699f844

SHA1
491049c52ad1366e5f033ae5cdecbfe37edb90f5

SHA256
5e73a6c9c29f6105ac6ff931f10be10ac8c57f63c1e3745acaffb6970488970f

SHA512
4a037a22f3ba0d603d7437436e2b6db30b28adf0775e6f2a4ab480db3e8ef6d5ac3372697bfebf3f59172400e109e99d0f4543e4f835024453f64213fa3cc675

Download Submit
C:\Users\Admin\AppData\Local\Temp\aQwg.exe

Filesize
700KB

MD5
dc46318e31de0bb9e21ab5a369148488

SHA1
012fd58a623a10b4859f052edc64594295f52949

SHA256
df4f029d8fc9c86f80dfbe5da3b82008adcf45c5d755245823ca3dcc4cfbe99b

SHA512
ff15b3c9eea9dd55e4b894b72067f9fc95bc4d8319c227c46fd7c342623a72695b84d5a59d8d1645ee7ff40e2641765228b194aaec50287422f8748e63a260d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\aUck.exe

Filesize
272KB

MD5
42da8d598efc76dc71fbc768de492082

SHA1
05849ab44cae3723a4c9f6a9a6ac573466da64a3

SHA256
4ce7564e1ba737cbc92f860117bff1c603e93f4eaee7a8848144a3e11029741c

SHA512
19ec6f05ef2f5b85617e5667c075b67591ae860a5750816529184d42badf3009855b8cd0d90b983ee339c59e186885c733905ee0589014ef9bc16f11d0e8b6be

Download Submit
C:\Users\Admin\AppData\Local\Temp\aUoO.exe

Filesize
262KB

MD5
3bc9ec098b624d0d7a237437c288919d

SHA1
89996cc6adbb9da5a6a295ce7c00e4d1d2f4e511

SHA256
34ac0bfaf6289dd60ba791ff053193ad531ce3fa1de9faaf6e1371fa300ac488

SHA512
68347234f545dd7d9b6855831177640bbdb568668a5d70a9c465727e6a46ab71da6bdbc1915438d9cce9fcdfe3031fe115ce6c01d2386b49de5f46bc965fef01

Download Submit
C:\Users\Admin\AppData\Local\Temp\aUsm.exe

Filesize
119KB

MD5
9520d20b9c7f6b1210149269a4b9ccd5

SHA1
2f54b4dc237bf9e76ea75b5d494bc76a2e83b7d6

SHA256
3453029c7c4db20793330c87ce5c135fb0a32bd7ab0bba3968fe93fcd21b9332

SHA512
449e16921a358f064651fb9f11cd79d608a15fa7c8b835435025a67d9334af3d97d746b7f45445852af68d38a29e4a5c9a2b79dd3362c17db3d7b7bf6d059112

Download Submit
C:\Users\Admin\AppData\Local\Temp\acIW.exe

Filesize
112KB

MD5
e049666b9b7bf2d10cebc2e0b4c9af0c

SHA1
78779fdbb7b1772e9a067a1fe3ddc79d70572f9c

SHA256
67bf476c7321cda73d94499eeb6a9b114238b8a64645aee8642949e948331bbc

SHA512
fce6ad506ec8c7970f6999cfda7b47ee31f24ca00c5db47d3a7b1c7f77f6b43509a133267ce9ef4945629f95fb76371f531ede66b2d57fbb3365adf7690587d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\awkq.exe

Filesize
484KB

MD5
35d575235fa04c667a0c68febbbde8e5

SHA1
532de25e48aa2fab5ab1b456d9161ac5b8b69364

SHA256
c03843bd3a097c61e8bc001c17ab19e92bdd55250754b4fce9fa4e07025affe6

SHA512
a38248ac48f1ce9e25408da35e4fd01295e385c279d44fdaa5fefcd66bb3175bfefa88d7c57c3fe0e2d65b464749aa3b36d90721b683a5769fb29ac14a08fbdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\cIQM.exe

Filesize
109KB

MD5
9e1cc93c20120eec9fd9de00e55386bd

SHA1
ba575f92a9e98acda74978c0e70eef49a3125244

SHA256
de0f458090a3a623624eed059095a2d934b6784925d6b74d861884c1722f8cfd

SHA512
a84529d84077226105c00d024457948f4d358668e11012943f15a0e7df60e95627c9003444b854ba19c9a6ad855e9ab362b0a88e30a20fc84eb9ede1d60ee101

Download Submit
C:\Users\Admin\AppData\Local\Temp\cIUy.exe

Filesize
111KB

MD5
4b641e8509ec8709bfa87dac44b7ad37

SHA1
f907201a4359ef33899703102c9de691d3b3a979

SHA256
66050494e289885698761045e7b6ee13000b5ccc35674c65ff8375456fa22c5c

SHA512
54b87d5742a11cdc5cfcf3840075a6648b520072108c08e4fcb7ed31c8ffc6c873177d3a2bde2e4eba2acc40199a7ff7a3a64d168aea668df215193d28013d6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cIYm.exe

Filesize
352KB

MD5
c5becd27d97124eeef66fa8dc47440a4

SHA1
7483eaee3d44f068604225dfce6bde9e768c21a2

SHA256
8aaac2378db20ead301a9643903296ccfe4b8f258f3c8665fd6e3f7af7a409f5

SHA512
8aaff092f1a0c82a2014f4e09f681524aba83badbafbc84296282941c273dd2f7144dacaf41a034222addc6cb9b17ed7db3d49b3b2efb42ce41f4f76f57774b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\cMUE.exe

Filesize
557KB

MD5
a4388687b83d96819cd81ea7d009ed7d

SHA1
daf1b005ca9117fe1819860203542e606e9fde6a

SHA256
5005b67fcf33e3ad18d7f968de8b06c407ec91a152ea398304490fc90ef82a35

SHA512
146d8c7397b70652866eaae3eeaa259b575b4ff06df4b1a946e6e704788336f90ceb6ddfbe04204b4f896df1371fe90603eab60e1a8da12dc920a2e62b1e7ddd

Download Submit
C:\Users\Admin\AppData\Local\Temp\cQoK.exe

Filesize
140KB

MD5
bd952d8eba77fc6807140fd2b65426a6

SHA1
0c4ab2740fe1c8568a26f9bcbfdde2e9a2289cfa

SHA256
ed9161ce5988e0bb67afb02b051fa098a73160aed8ac6d51df2cb6647d8ab008

SHA512
5e17ef1125939c7522a564d273cffe19fe07420ebdc367629bf61eeab3864307d6cd79812bfb91863b6a10bc502aed0c0bd25bf5dd7b97b3f3c1378ea374c6e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ckQi.exe

Filesize
327KB

MD5
61d857de46a3d8cd16a6eb1c9653a3a7

SHA1
963d4bbfbb6e8293fbb54e1ae3048f2fa9c0f99d

SHA256
2cfe3598880b04dcb26dd070acbef67384b1ac550d4d8c45ec1ca91a29feaee8

SHA512
b43ab7fc5ef5aca5331860ff983a404b84c9f1893e1c4b816c1872762a029a10e1d1ec460debc8997b84fe9920e62b0e794b1b9f9aaf7b600e030d60ca1998e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\eIsQ.exe

Filesize
110KB

MD5
0a33e769e6b8b66b5b44cf54471b8954

SHA1
5163ec755e5cdb5d56674f65b3414b4c134c5b5f

SHA256
8f4f78935c8e65dfc9a1b9f3b2375a604de2db292a633ab5ae61f4f5ea00e287

SHA512
35ead7981e2849721d5e98524d764f97332746753dd02348364ebe57217e74347c4ba6121ada43bfa600e0ef1184e8df8aef37d353629ee307e8feb7cb68e6c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\eoEy.exe

Filesize
110KB

MD5
89a6dbbb8d75c5c9f4b0ff142894315e

SHA1
f0dc0c0036667871af57debf2c594f3c8ae9bf21

SHA256
fea790c011886a2956b654cb39e5ac8bfb990ddca63187de1178e06e426b4fae

SHA512
30febf3518a44c5bf3a5fc5554e28f68e3ac712d09d5404adb58f4cfac54ad7359bdaa8ca549420819414d61ea8b245944aa451d75b3f6b57ed354f6e2ccf2e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gAIY.exe

Filesize
113KB

MD5
42a7dd6a694b04ea7ceee7971c619a59

SHA1
aa3c684c9fbb73203401042feed3b6e0ab48c59f

SHA256
abeee556cbea04b43f99f67c938be7e9922ff206d7b8cb25f6a78c338ffa4491

SHA512
0fdf2843137ae106715db4d0fbcd8fe203800f2c3c56471b08b66becd29775d0be37e674ac8dc956035fb01deea8565b45ccda235cbff8fd0d455dc57d487dc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\gMAM.exe

Filesize
111KB

MD5
eb85d2c009c76f4d053dedc18a4caefa

SHA1
79ebf71c6b213ac43f99f29590e352ad989a6098

SHA256
26799baa53c9ae81f701087f4268d57f0bf0f7a0c6f0ca3c4872b53b9cf38c08

SHA512
4dcc3448db70a5a1cb0b1a0576a7c95ca0661ed97e823c4b47398ba6728f58a39207a0a306ecfbc7ab73e225a245861e84220baf896f2f592f00341c92a837c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\goAc.exe

Filesize
118KB

MD5
a00776ae2518cb2a5c32370d72bac531

SHA1
ec5f2118402f0ccad8d040a965129711a79ea716

SHA256
b3c53898266718f7640009078f36000daf334098e493aad5b4254bbbdabbf71d

SHA512
f2e23743fb2077beff457ef70cc5a950a026be52612b545e341a564de39981733962d1437ed3653b8b7de5e9d96fcb3d84ca59dde0d19bff58f248f00b4b6939

Download Submit
C:\Users\Admin\AppData\Local\Temp\iAoI.exe

Filesize
157KB

MD5
496660d8b6bb5cb042713dc5ff5d2d65

SHA1
2abb10d948d8e6aa9215b5974931cea68a9f05e0

SHA256
0a3f7ab7baa15e1cef42fdd5fa85e5adfe78284c3ca7342ef772764281d50a80

SHA512
a1eee722680d900f7d143b10b7b88886917dd5277dbf7f899f80075da9ac03afc8ac6ce16b335afa3ee9b30879684e6ada8a539fa98afaec6b751ed07c5fcdad

Download Submit
C:\Users\Admin\AppData\Local\Temp\iAoM.exe

Filesize
113KB

MD5
bd8bac8cf86a16e653bfa25c473f4aed

SHA1
fd9bb2fdadb9c5347ae7b36b3a55915f4b4a9346

SHA256
8ae7d48295bca4982739c99bb92f85bc73719508a89a2e7e53f0cb8f3fe25f5c

SHA512
66a9dda62693a93d3a48346efaaab9aac5f2e2983767df70537f3696dd6c9ea27f86e6053fe7af4fabddcc1e0617ca9e5f09bdea83a2586363b74c7c1bb32649

Download Submit
C:\Users\Admin\AppData\Local\Temp\iEUw.ico

Filesize
4KB

MD5
7ebb1c3b3f5ee39434e36aeb4c07ee8b

SHA1
7b4e7562e3a12b37862e0d5ecf94581ec130658f

SHA256
be3e79875f3e84bab8ed51f6028b198f5e8472c60dcedf757af2e1bdf2aa5742

SHA512
2f69ae3d746a4ae770c5dd1722fba7c3f88a799cc005dd86990fd1b2238896ac2f5c06e02bd23304c31e54309183c2a7cb5cbab4b51890ab1cefee5d13556af6

Download Submit
C:\Users\Admin\AppData\Local\Temp\iIoy.exe

Filesize
111KB

MD5
27bdd1f537711e28e0c722e5b836c8e2

SHA1
bea16546b8c511bcae430ccd2f4765740b4e77ad

SHA256
583b7e8f40b617e7c11c8d5c0d93c2d0a431268fed65f238493863291f1ab38e

SHA512
50c246834b72f343fe0098f6997c7cc213182c2a9d22ab7a7034ca6b379471f51125f1194c770c7edab8dd3808982a411f7a851988fe801097f64412407c03a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\iQMm.exe

Filesize
425KB

MD5
7e919d2fd7c2020bfe96febe5f33c6a2

SHA1
0d433de14e3573e7973c24aae74b3bad27207fe5

SHA256
f14b54cf7eb632d59a61af451698993bdfdf40ed4bf3f62ab0f7378131d9af7b

SHA512
84ad6e2a7c0569d17a44c1d9ef50dd6790e8178611457892d55d6f3676ae08efc9e468c4d7b6e424d0ed442af67ac2ffda85d2d2fb86a8127a7cd338f98156cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\icAQ.exe

Filesize
110KB

MD5
09b2f4fe87e34f186afa7d0cde89bddc

SHA1
4af47e678824ec4050fb623b7ffda9c8681108ce

SHA256
4fb6e5beed3321fb2ad3822c5d89d0ffa83cfbad81dc4f30a13fadfacbab8822

SHA512
1eda9d5ce47d10745cc8df336600229d3225f888f005fd75b68ea736122a0f5ed1c742e014c49545bcd1d130982471ddfe075cc34b8a97f0aaeda9eeed2dbc62

Download Submit
C:\Users\Admin\AppData\Local\Temp\issk.exe

Filesize
556KB

MD5
45879bec096ce09539e3bed7ae721620

SHA1
b82a93487af039e99facb28e1d0439504ba11e35

SHA256
3a34c5cbf88a26ea8ebeb1d918f2957e26e84727025de6a8ee2a93aabb452356

SHA512
14366c105d8cdbd2c441acb19a13e5a0d889337d9646be4e7711fc8ef9a1fca99325ff5442d2a0650ee49f49a87514498bdb9367c146e64bf05c571cd21efbf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\kQws.exe

Filesize
255KB

MD5
c1e9b6118417d08ac3b9f6155b4863d9

SHA1
38a5cba6167dbf31ef9125f0b5ded19bc8011eae

SHA256
065d0218d5f11475a6a0b620b1e4c5ccbefe4e082659a819c22df77bb25bc239

SHA512
a0e11ca3a190dd37abc28a85f7564301f9a8277a2d75292b7fd00360b63fc8550603855d8a7e8bec121abfb4cc6c0119f1ec04c415865bea421705ed308eb28b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ksIq.exe

Filesize
115KB

MD5
bc23330b64b50d4f412d994d025d98b4

SHA1
0a0f2057b3f4e0843d81cbce267986a4d5d594a3

SHA256
fc971fc26ae87cc07ee18806e0ceda3de2cb5559357aa9585da3fb12e5f610d9

SHA512
9fa22c49c48747cd11746be132190799da1c211bbf35b37bae240aa8eb96d02161e5b9d53f738ec43fd2d8d8ff8089dd5a3f44186f2512f5761fd6e28fb85313

Download Submit
C:\Users\Admin\AppData\Local\Temp\mMIw.exe

Filesize
112KB

MD5
91a04dc1897529ff946b9a331aecd73e

SHA1
1c2affdcebfea6fb80a7dc4cf66bc02f5c7d30cf

SHA256
d49b18ab07dec7d0f9d80ff230086932d394786654e0f7350b0b57ec4fc3dfe4

SHA512
c8f8ba23e31965fe876b7fa8db4ca37cdd4485b1541f96af0b011c63cf1b1b59f594e0d1563627fe64fe6abbeae89bf05c1c03d94a2eac8fdba42ee90904b6cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\mQMi.ico

Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\AppData\Local\Temp\mUUk.exe

Filesize
721KB

MD5
3383bd01df9143c73128b5caa743d0a7

SHA1
1a73de43c72e76b7d0057d00df7f17e199d54b5b

SHA256
8e5510b9bed7d3f297fc92bbfad9801d0c320b5570a550c31f4487e9720ba2a3

SHA512
2eb3c7825917047b123172ba3bfe8fdfcfb9c3100dfa86903c9fac19aa2b621ca0cb3c9f951304d8b57698b4e7507da6d628345d817f8ea7bde23b06772a2e62

Download Submit
C:\Users\Admin\AppData\Local\Temp\mYgu.exe

Filesize
115KB

MD5
70a1d0cb47838dbe66baf0cc8062ac87

SHA1
ad0c45cea7c872b4e822673e28e1335b150ae0be

SHA256
ecbca5815f3b3dde5f81139807f0cc9170ddef639f5083bca3953dac52b97ace

SHA512
1bc3ede7c2f99a8492bc74a3c0a19de340ad089a438906a29f2e301a749ee9170306272322cbb088ddefee19bb035472795894b54618ed3759998ac195f36cac

Download Submit
C:\Users\Admin\AppData\Local\Temp\mcAU.exe

Filesize
112KB

MD5
e622975f9fe023539873ff42a89bf6ff

SHA1
d7d72f9b75485adc47e606e4372ba984fc4372ae

SHA256
4177bc6d4e27740a440b084c521d2a294809cd0ebb3524a6c238c55a359fdf45

SHA512
0cf16b5598677b4187f415d6172291ed6c8f30895e5e2de81b52c0441b607924325413717bc7065ec4d9bd743ef767e340552e158e5a16fe38fc57043e9c4fe2

Download Submit
C:\Users\Admin\AppData\Local\Temp\mgEu.exe

Filesize
117KB

MD5
dd2ae4222f7e658305a0bd1339b46b8e

SHA1
09a628fcef11d5d0c61f29dc6e9b55bbefbdae51

SHA256
be4066aeb3f44bf7104f1e585e6284327ba0193b9cd20e4d71684f7b831b37e5

SHA512
5c332a558f214accd09557067adb5f0a5df98ccce0193f7606e6c5941298d610498a61e460048f4624cc0ff2367309c96d272a4508f3fd778d84490aa316ce0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\mogM.exe

Filesize
150KB

MD5
01bfe578c2d534b56a83a61a2fe58dd3

SHA1
0e03e682f7bb85f487b67f7da641a425c6837755

SHA256
33b5387cce5a26638c5bd28b137c4e53276f96680577bf96766313de3613862e

SHA512
a3432f184aaa5bed11d39ec7a8acbe0bdd322906d6cb351600c7a8079c58f0cff8bc412aebea9b1030e88a9eabf3cf97097c94a1b979f6c867be639782bf7878

Download Submit
C:\Users\Admin\AppData\Local\Temp\msoy.exe

Filesize
367KB

MD5
ed0f58e167a440c69e7e8455b682b3fb

SHA1
88aba1326b2140397d996bb53b3a07de04572d29

SHA256
e080aaea2f97d50618e0cb6a7e02ea7bff9565f570f8af509ea811a81eb62ab0

SHA512
b5a29052134e43eea73282bcc3d52642558e0612ab4ddc3b9e0b081881173f6a39a11c62839bbf0f6e3af42da738a3f72665c44058c91cdf713d59cad635d99d

Download Submit
C:\Users\Admin\AppData\Local\Temp\oIMG.exe

Filesize
5.8MB

MD5
85b57f5ecf8d4e74764bec669b04d099

SHA1
4c9265835ae83bef1206579541811e7d173bb9cf

SHA256
47518e44c5b33127eceea9c4835b99f9469e6bb4badee108620bfd8d256defb0

SHA512
b33e81fc5384ec889732e0ade17b20cc420ef9d630578c5e4aa322667823c17952f6d7a717a3e158d0e90d34c22e12373a8e79f743b2b503d90a4126ecefaee1

Download Submit
C:\Users\Admin\AppData\Local\Temp\oMgs.exe

Filesize
598KB

MD5
ac75a3467dc2e78db58b1da0802c8a24

SHA1
8c3d34487a6570edb5a200ca5684043ef4e0f322

SHA256
517f54ac2cb9fbe69ddc2be62369573ab6172da21186a1b1638013805f9a11e3

SHA512
3f41b371c7c30ef6afd17c9b432ec36548aa443a78c44c443b8a39fc66080c05418e057a276f637459a3aca356e3e73b6d8a4da99f8950c6116c4698099a16e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ocIi.ico

Filesize
4KB

MD5
a35ccd5e8ca502cf8197c1a4d25fdce0

SHA1
a5d177f7dbffbfb75187637ae65d83e201b61b2d

SHA256
135efe6cdc9df0beb185988bd2d639db8a293dd89dcb7fc900e5ac839629c715

SHA512
b877f896dbb40a4c972c81170d8807a8a0c1af597301f5f84c47a430eceebaa9426c882e854cc33a26b06f7a4ce7d86edf0bcfbc3682b4f4aa6ea8e4691f3636

Download Submit
C:\Users\Admin\AppData\Local\Temp\ogku.exe

Filesize
1.3MB

MD5
3aaa63465134a1725116332d0ca7c031

SHA1
f1ff40b0aabd6394a6b4cddfe74a28b79f4df32f

SHA256
a88959638e4b952ee53e7b394e7fa9f3cbebd9ec9afe5724c605c62f1ff8102d

SHA512
09d0c90fb29401cb2b001da213e1e79a9d6a992c3551f379481c8459bebeb5b991b4f3a5b9d1f73c43c4936b943cc3ed1bb2dd23094a67bdd0a91f1ec289ed6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\oksa.exe

Filesize
120KB

MD5
0a6daa807cf387839b95efec1ddd9a3a

SHA1
e40189bfa0c4d78c981eb3623b59c48fb2e2bfd5

SHA256
40fa784f8b9c78a574ae72a70d91e9c7b074994dc116d54398c208ef115ec931

SHA512
ed94ccdcf9ca802208f74e34b16431dfb38e82212995b89254db379346e8032a6c4195e57fa2d7042c31441e13df33cdfad6f752ed628b6d6370ffb335b2e2d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\oowC.exe

Filesize
348KB

MD5
0fdbc07e1296cade2c0dd3b36d1bdf37

SHA1
dd5f555f90704b27195d430094458174326f8f4d

SHA256
e41ec57e2fd35d22439534270d40edea54292c580971937cb80409daa0ef306a

SHA512
5c7f7f84e2f852b71af8d5021e83df082c7c7d2efae2841c015a1ba71c6cb383c70bd6f1fd4e92d8441483057dd98020384a0cdf924ed6714f513ae48d24d736

Download Submit
C:\Users\Admin\AppData\Local\Temp\osgi.exe

Filesize
111KB

MD5
d99571d95df73d52745f6679d065602a

SHA1
8d652dc56c321403144f9d331a4c5488d0279706

SHA256
fc92d06ca7b8242ad4c0f1ecfc259cac2a99d7e9d5cfa3a37c661920ee4b24cb

SHA512
4acf1fe00c48324265b7e2aaaf9f0e6ceb904ad57523c54bdd1d79ba46010eef4c7a497ab3ba1f0b20a41682895935a040f3568856c83a12390d84fa17ba7d26

Download Submit
C:\Users\Admin\AppData\Local\Temp\osoI.exe

Filesize
155KB

MD5
49de3bf31c95f72d3784e2d272c618a8

SHA1
9226d06e08d782ef6eba25d85d9d7dc1c2f67ac0

SHA256
ba004c38dafd621e0260d573e6c828aabba16000101bca7a94e7aa54328757fa

SHA512
25019e376a6bb89b31627c687a3994a6c3c26abeda291da62b6967b0ba4d987a22bccc9878311d082f7de04f59457e7dd388d54dbdf305b617e84aff3e28b754

Download Submit
C:\Users\Admin\AppData\Local\Temp\qEEM.exe

Filesize
117KB

MD5
d3fb8fe6f0c8fa8bc15e40d8d29e1434

SHA1
88f7b9db2e50ce2fb44d3d24b8164c6599b9dc94

SHA256
5e7e084800201cbb39d9ef3fe380ae3eecd60d63cc8795ba85e21d947b3583b1

SHA512
14f6b5b597923def573f69f7409a85c30a1ad697a2baaf0c8dae8b5cecdfb5046b35566489d5bb23ae4a5719565157bfb9843e7f188302ab23b8d69952b027bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\qIsm.exe

Filesize
112KB

MD5
369ff6d1948596f0d177e987a8a8e76f

SHA1
82f54e52285aa89f982b15c575df707586fc679f

SHA256
b60ee98bc1a9c43733020c35e2a5adbce3551d81724d059b15aac6eae9d5b621

SHA512
7bc70893065d629a55f40b5f5258766699291ac2e4be384476b924d0dfa82bcf6ef66fe5d8e094075945d7cfce5b39232108ac4fab6e0128d9820de2bd2645a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\sYUu.exe

Filesize
565KB

MD5
b536f78d097aae709d39a3c4f4f22aff

SHA1
75899d09ab9091f8a98891bc53c44936d2222f4c

SHA256
8c58c4df62ab3d5ee7c57195beb2cb9adcc14d3567e17aebbb375aaf9247b0ea

SHA512
eea00854283e3dbceebb18a7619f14e1d880e8047b2ea7af376f5a8930d08499bed5bb055d746c9b306fba851d5c7bd0d5b86cace8fbdc4020ea85b61101656f

Download Submit
C:\Users\Admin\AppData\Local\Temp\uEAi.exe

Filesize
138KB

MD5
0edbe8f15765adb87070c3aa455b729e

SHA1
bcd5e39767ba6aaef13b721cba69e467b9bfc826

SHA256
981e78ac844ab43818c7fde05ecea61410ddd88e788dace83e2a58e97ef5d06a

SHA512
869b886a8f7edd12e6538694befeb40002d33a71810a1979d5124f7d3e0d599f927c2af5ebad364bbd1271e4c428a121447d01e8ce06ddac0fbb1bb62826232c

Download Submit
C:\Users\Admin\AppData\Local\Temp\uMMC.exe

Filesize
126KB

MD5
d8278925afc5850992146d7fef9002d4

SHA1
891887bc2598c1f5a973b45df2280dc1cfa7fe20

SHA256
47833d0bce5cd4fdf84a399522662ab7306114785b269743b6cda4eb65c7dc0d

SHA512
e5335a4a58ee5ec833e4c9b4ced817d9659279d1b995a020b49cf8f429bbc142629d0d7ae466b269e57f656cc2d4aa97444eedcc9621008cc38b87556c530aa1

Download Submit
C:\Users\Admin\AppData\Local\Temp\uwsS.exe

Filesize
111KB

MD5
7d18fb3ab82b7e0e26495dba7fb56887

SHA1
09facf8d7069ef7cb13ce1fc31d640dd9b3faa77

SHA256
71759b0675e1ffc3a73b4f3fafe30bf1e0511e83d4cd70a93b7c8075468abd39

SHA512
8e1652a570be68a3b3cd1cfa357abc1e8fd011143e9a87472e869e02b9c87748bdd485239a752f733853b1df0910458177e95c1be94860f7d6708180a41c3899

Download Submit
C:\Users\Admin\AppData\Local\Temp\wEQg.exe

Filesize
238KB

MD5
1c57dac0d208695c63154bafef932fe1

SHA1
de3d2f5f0b954350f15f2056fef3b7d66bc5b2d5

SHA256
659ba1b6493d6a9affe968c8c6cb4dbc94cc045d1d9d4b154cc95cc7317f4f0a

SHA512
658be37a51525a194cea607d7216e5af1afb43a40c107626c8a3af9fd27ebdead472dfd790dc8e4912106b0fbd05e20cc3658659e12ee9598a457dfab1006f32

Download Submit
C:\Users\Admin\AppData\Local\Temp\wEcE.exe

Filesize
110KB

MD5
03daedf6529aab72ad17bd3fbc33c312

SHA1
8f27f16939e83535969ae6492fda4d3de13a94ab

SHA256
5f6bfe16fa48011b183c1e804ceefb356ce55b7dc84c6eb2662394583ea73841

SHA512
cd0ce7b23d5af573a434dd9c0c2b9d609fc05f49fd06120e430dbdfa46811d08456eb97e8c88e63892fdb1eba173e7337d6265013e7f05f5acddf0723526f4a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\wEco.exe

Filesize
744KB

MD5
d5c8740db5cb0f39e07941cfb2902e2f

SHA1
c7ec2d264937402ade8b9b23cc2fdea87a8f01d0

SHA256
4ba9322d4ff8df1e30813cdbfb9005def3b8cab5efd7710f626eb8a2c7c7f95e

SHA512
b93ddce798b2344437d6844397e15a42cce0d8160fd06cb408209b7d10f8a3840d7a181576a66f17af5443e76f45f25fe1cb98b984fd7da7dcae409488e29795

Download Submit
C:\Users\Admin\AppData\Local\Temp\wMoo.exe

Filesize
110KB

MD5
7d73f7801a4b1384e72e01dd034f739e

SHA1
9e1685078f723ee614afc1b09e3955de4bd30184

SHA256
adf1f80307ae3ad4b0576174fe63389d344450e484062576c60f64d0898d385f

SHA512
54281bff80454583bbc2386beb092a87a2620c0a13c21a92dd7b0b9fdfa382de584d88d3c12294383a66f025c95a9ce020314f579e0a270fe2f392423a3cde3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\wQwK.exe

Filesize
118KB

MD5
5e15792978abee2d0d85f98c729ffbfe

SHA1
976675fbe8c6ce7ab5b802f7b8fd8f54ad28f307

SHA256
6183b225fd60fa57c255f584d848bd63f67f1a4189b93196c5d5de43889d62bf

SHA512
0b687f8d94612ab543f8c2d919bcb6602e14a2922e33035115e28d8e52974862c0d83336094e48251ff3da9bd35a8e692e4c1fa85e75da3d017c31edbb48df9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\wYUk.ico

Filesize
4KB

MD5
6edd371bd7a23ec01c6a00d53f8723d1

SHA1
7b649ce267a19686d2d07a6c3ee2ca852a549ee6

SHA256
0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7

SHA512
65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\yIIW.exe

Filesize
302KB

MD5
611b7f86a52fb4069d4d80ed85522df5

SHA1
fb3b1e02bf88fa2f74e1d0ab694ad1430cef4cdd

SHA256
ee33848c35b1c9cd39f646ca719342bbd351e4081290360fa0e7819b593413cc

SHA512
bdae12fa9334f3936f70d8a33a181982135dd6c17811c227d5ea580c9a88ce13adff1ab7371274c9b7135030b03fc50e9a7fe508d5a5a8af8d70c5530f23df11

Download Submit
C:\Users\Admin\AppData\Local\Temp\yIgU.exe

Filesize
117KB

MD5
8dcc63f8f653b1a1a61444e0e8b9ecf9

SHA1
cb5d5c9b5799e6849d72aa77a91cf843dac13f27

SHA256
267d9d8ad0403121481498e4ae53347892b1d360fa5293c2770fff498d17341b

SHA512
5d96e10aba51e6a245cf2d04f1dd1817900411c61217da12821064109c4d2357c15c574874300761cd0d31a205a90d22be81234b37a311a8768be32265d146ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\yIkI.exe

Filesize
114KB

MD5
3c8d178206671628e5c32cf4741d5368

SHA1
e3287057f1fc75c447a48d6cac6677882d314bef

SHA256
1cfcd7fccdf80140deab00b81c7bdc07c2d9afbb2bbd8266fc7dbdd69640d71b

SHA512
05c9d2b49518a814eba3e8294660b93a3768dfeed9e9215dcf51a89e5864141be2297245852abd7a39f78dda4eeb9048dad1017d9aded307f9011ab8b7a8c689

Download Submit
C:\Users\Admin\AppData\Local\Temp\yUYy.exe

Filesize
118KB

MD5
83358fc88ba6dfddfe9f9783c0ac7123

SHA1
81d210820790409cc6f8f3cad4457f16f6c12d4c

SHA256
f0fe428178495fdf5c591b07f030a11823da183786ad4f20a555852e9c7ad998

SHA512
14768434b9efb5859b4a9777b42da4096327fe6df4837820e4a8fbcec20bd2c80bcfbaf6fdecc9f105ec09fb4475cc9a1aac818c1745a98b20bcff85d713abf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ygkS.exe

Filesize
134KB

MD5
164e1d68ca3ce55fbe3d1a972b7f8a95

SHA1
99657d181bbbb63caa0d8ce988105222e83a1fd6

SHA256
fe0de6e94ecc39170ff0c146234e7583c0d2957f2550941c3b97ad9f12f8641f

SHA512
dfd48403f3af0e00d5c45a241099393fc7f7e58a9c3d95fa15e9cf2cc5e29ca7248b447abd225e5741f00357c4e35469dc3c18302228ac1b8b7740d3fc141972

Download Submit
C:\Users\Admin\AppData\Local\Temp\yoQU.exe

Filesize
112KB

MD5
ecf5267a3fac3b8adf476c1191d28198

SHA1
1c6e212b95f6da93b38f66eb8b98a6d6893cb5d6

SHA256
c6f492b11c064d8ed716e1a485141d0b9c7a16e4677ab81127d7fc9f5bc6cefd

SHA512
9fb95c073ba739be15f7a8c04fbbeaca24081e9e96e7ceb967ec2c3b872ef4c8c1b1846ef8d46e16c70e27feda50c1d843d537a417113ca06030a6947dc079f4

Download Submit
C:\Users\Admin\aSIAUQME\vUwIksUs.exe

Filesize
109KB

MD5
82ae399e9f49e76b067d7fd62df321d5

SHA1
c4f8837a3b7d8dfda8bfedd1b0e3c856bca59b52

SHA256
173043a16a4f53834c98303029f98a57b2bcaf2a5ade07385a688b232ae4928c

SHA512
eb029f393d4dba1f273884a859f4a375bbfacde1f4b21f073cc75ebfd2af1c2267035fa2132e16fd642c0d46a351c5f00dba70551484f46d26f5ca007bf8bead

Download Submit
memory/208-365-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/208-378-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/596-325-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/812-352-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/812-245-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/812-339-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/812-229-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/960-528-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/964-149-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1136-395-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1136-387-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1256-472-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1256-91-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1256-484-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1256-75-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1452-493-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1452-485-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1496-374-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1496-386-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1576-103-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1576-115-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1608-400-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1608-412-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1632-185-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1632-173-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1680-256-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1680-265-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1824-193-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1824-209-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1888-436-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1888-449-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1936-510-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2092-463-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2092-476-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2308-5-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2368-282-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2448-145-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2448-161-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2548-102-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2548-90-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2560-182-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2560-197-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2892-330-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2892-343-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3012-273-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3080-369-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3124-79-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3124-63-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3132-421-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3132-413-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3144-172-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3144-160-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3280-316-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3320-360-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3320-348-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3428-300-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3428-291-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3528-457-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3528-448-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3672-67-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3672-51-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3840-296-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3840-308-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4152-518-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4260-430-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4260-423-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4300-22-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4300-32-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4412-279-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4412-290-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4476-233-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4476-218-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4488-502-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4488-494-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4496-440-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4496-432-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4548-0-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4548-19-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4712-241-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4712-257-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4716-137-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4796-404-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4840-43-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4840-28-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4888-206-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4888-221-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4896-111-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4896-126-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4912-14-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/4924-321-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4924-334-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4972-519-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4972-527-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4976-458-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4976-467-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4984-55-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download