83a0f7343dbc04cdafab4ba4cbe7b3d1a38ea2cf6a63db04f3f5d23fd8ad2226

Analysis

max time kernel
150s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10/05/2024, 11:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
Size

207KB
MD5

8227145fd2cb70f9e2b1284a1e764b40
SHA1

6a97aab07daa122dbae0469b64cdc027a1d94c7b
SHA256

83a0f7343dbc04cdafab4ba4cbe7b3d1a38ea2cf6a63db04f3f5d23fd8ad2226
SHA512

9abdbcae616d1661f603ef52590033c2634a5b47297ca9d22bab9cd989a4d1ddc1c9b97c016bcaedc59527b01b96a02de618ea107324f32d9878a5d9e45a17f5
SSDEEP

6144:lWHsWT9gLQWr0ldD2bb4HT1t60fWf0QlIgK8/nnEv:lK9TEQWrcdD2bb4HT1FfWf0QlIhcnEv

Score

10^/10

evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found

Renames multiple (70) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	qgEkkUEc.exe

Executes dropped EXE 2 IoCs

pid	Process
4884	qgEkkUEc.exe
2804	yQEQAYcY.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qgEkkUEc.exe = "C:\\Users\\Admin\\ZiAIAMoA\\qgEkkUEc.exe"	2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\yQEQAYcY.exe = "C:\\ProgramData\\wiIgAwEU\\yQEQAYcY.exe"	2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qgEkkUEc.exe = "C:\\Users\\Admin\\ZiAIAMoA\\qgEkkUEc.exe"	qgEkkUEc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\yQEQAYcY.exe = "C:\\ProgramData\\wiIgAwEU\\yQEQAYcY.exe"	yQEQAYcY.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\shell32.dll.exe	qgEkkUEc.exe
File opened for modification	C:\Windows\SysWOW64\shell32.dll.exe	qgEkkUEc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
2888	reg.exe
792	reg.exe
5032	reg.exe
536	reg.exe
1204	reg.exe
2580	reg.exe
3600	reg.exe
1248	reg.exe
5048	reg.exe
5112	reg.exe
2676	reg.exe
3528	reg.exe
1452	reg.exe
4656	Process not Found
424	reg.exe
2476	reg.exe
2068	reg.exe
5104	reg.exe
4016	reg.exe
1488	reg.exe
4488	reg.exe
1460	Process not Found
2880	Process not Found
2156	reg.exe
3956	reg.exe
3400	reg.exe
3328	reg.exe
1448	reg.exe
4276	Process not Found
2448	reg.exe
1840	reg.exe
3864	reg.exe
2564	reg.exe
4036	reg.exe
916	reg.exe
2912	reg.exe
4584	reg.exe
3452	reg.exe
60	reg.exe
4908	reg.exe
3428	reg.exe
4460	reg.exe
3408	reg.exe
4460	reg.exe
1968	reg.exe
4952	reg.exe
4980	reg.exe
1424	reg.exe
1860	reg.exe
432	reg.exe
5104	reg.exe
2368	reg.exe
2060	reg.exe
1684	reg.exe
992	reg.exe
2408	reg.exe
788	reg.exe
4968	reg.exe
2772	reg.exe
1032	reg.exe
3248	Process not Found
3700	reg.exe
4880	reg.exe
3188	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4980	2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
4980	2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
4980	2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
4980	2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
3672	2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
3672	2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
3672	2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
3672	2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
396	2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
396	2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
396	2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
396	2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
4328	2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
4328	2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
4328	2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
4328	2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
4508	2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
4508	2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
4508	2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
4508	2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
880	2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
880	2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
880	2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
880	2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
4036	2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
4036	2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
4036	2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
4036	2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
712	2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
712	2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
712	2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
712	2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
4292	2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
4292	2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
4292	2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
4292	2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
1380	2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
1380	2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
1380	2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
1380	2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
4348	2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
4348	2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
4348	2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
4348	2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
2408	2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
2408	2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
2408	2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
2408	2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
3136	2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
3136	2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
3136	2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
3136	2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
4660	2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
4660	2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
4660	2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
4660	2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
2776	2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
2776	2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
2776	2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
2776	2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
1280	2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
1280	2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
1280	2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
1280	2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4884	qgEkkUEc.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4884	qgEkkUEc.exe
4884	qgEkkUEc.exe
4884	qgEkkUEc.exe
4884	qgEkkUEc.exe
4884	qgEkkUEc.exe
4884	qgEkkUEc.exe
4884	qgEkkUEc.exe
4884	qgEkkUEc.exe
4884	qgEkkUEc.exe
4884	qgEkkUEc.exe
4884	qgEkkUEc.exe
4884	qgEkkUEc.exe
4884	qgEkkUEc.exe
4884	qgEkkUEc.exe
4884	qgEkkUEc.exe
4884	qgEkkUEc.exe
4884	qgEkkUEc.exe
4884	qgEkkUEc.exe
4884	qgEkkUEc.exe
4884	qgEkkUEc.exe
4884	qgEkkUEc.exe
4884	qgEkkUEc.exe
4884	qgEkkUEc.exe
4884	qgEkkUEc.exe
4884	qgEkkUEc.exe
4884	qgEkkUEc.exe
4884	qgEkkUEc.exe
4884	qgEkkUEc.exe
4884	qgEkkUEc.exe
4884	qgEkkUEc.exe
4884	qgEkkUEc.exe
4884	qgEkkUEc.exe
4884	qgEkkUEc.exe
4884	qgEkkUEc.exe
4884	qgEkkUEc.exe
4884	qgEkkUEc.exe
4884	qgEkkUEc.exe
4884	qgEkkUEc.exe
4884	qgEkkUEc.exe
4884	qgEkkUEc.exe
4884	qgEkkUEc.exe
4884	qgEkkUEc.exe
4884	qgEkkUEc.exe
4884	qgEkkUEc.exe
4884	qgEkkUEc.exe
4884	qgEkkUEc.exe
4884	qgEkkUEc.exe
4884	qgEkkUEc.exe
4884	qgEkkUEc.exe
4884	qgEkkUEc.exe
4884	qgEkkUEc.exe
4884	qgEkkUEc.exe
4884	qgEkkUEc.exe
4884	qgEkkUEc.exe
4884	qgEkkUEc.exe
4884	qgEkkUEc.exe
4884	qgEkkUEc.exe
4884	qgEkkUEc.exe
4884	qgEkkUEc.exe
4884	qgEkkUEc.exe
4884	qgEkkUEc.exe
4884	qgEkkUEc.exe
4884	qgEkkUEc.exe
4884	qgEkkUEc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4980 wrote to memory of 4884	4980	2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe	84
PID 4980 wrote to memory of 4884	4980	2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe	84
PID 4980 wrote to memory of 4884	4980	2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe	84
PID 4980 wrote to memory of 2804	4980	2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe	85
PID 4980 wrote to memory of 2804	4980	2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe	85
PID 4980 wrote to memory of 2804	4980	2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe	85
PID 4980 wrote to memory of 4908	4980	2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe	86
PID 4980 wrote to memory of 4908	4980	2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe	86
PID 4980 wrote to memory of 4908	4980	2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe	86
PID 4908 wrote to memory of 3672	4908	cmd.exe	88
PID 4908 wrote to memory of 3672	4908	cmd.exe	88
PID 4908 wrote to memory of 3672	4908	cmd.exe	88
PID 4980 wrote to memory of 1188	4980	2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe	89
PID 4980 wrote to memory of 1188	4980	2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe	89
PID 4980 wrote to memory of 1188	4980	2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe	89
PID 4980 wrote to memory of 788	4980	2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe	90
PID 4980 wrote to memory of 788	4980	2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe	90
PID 4980 wrote to memory of 788	4980	2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe	90
PID 4980 wrote to memory of 2580	4980	2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe	91
PID 4980 wrote to memory of 2580	4980	2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe	91
PID 4980 wrote to memory of 2580	4980	2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe	91
PID 4980 wrote to memory of 3528	4980	2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe	92
PID 4980 wrote to memory of 3528	4980	2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe	92
PID 4980 wrote to memory of 3528	4980	2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe	92
PID 3528 wrote to memory of 4064	3528	cmd.exe	97
PID 3528 wrote to memory of 4064	3528	cmd.exe	97
PID 3528 wrote to memory of 4064	3528	cmd.exe	97
PID 3672 wrote to memory of 2512	3672	2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe	98
PID 3672 wrote to memory of 2512	3672	2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe	98
PID 3672 wrote to memory of 2512	3672	2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe	98
PID 2512 wrote to memory of 396	2512	cmd.exe	100
PID 2512 wrote to memory of 396	2512	cmd.exe	100
PID 2512 wrote to memory of 396	2512	cmd.exe	100
PID 3672 wrote to memory of 1424	3672	2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe	101
PID 3672 wrote to memory of 1424	3672	2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe	101
PID 3672 wrote to memory of 1424	3672	2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe	101
PID 3672 wrote to memory of 2888	3672	2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe	102
PID 3672 wrote to memory of 2888	3672	2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe	102
PID 3672 wrote to memory of 2888	3672	2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe	102
PID 3672 wrote to memory of 3600	3672	2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe	104
PID 3672 wrote to memory of 3600	3672	2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe	104
PID 3672 wrote to memory of 3600	3672	2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe	104
PID 3672 wrote to memory of 4520	3672	2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe	105
PID 3672 wrote to memory of 4520	3672	2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe	105
PID 3672 wrote to memory of 4520	3672	2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe	105
PID 4520 wrote to memory of 920	4520	cmd.exe	109
PID 4520 wrote to memory of 920	4520	cmd.exe	109
PID 4520 wrote to memory of 920	4520	cmd.exe	109
PID 396 wrote to memory of 1560	396	2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe	110
PID 396 wrote to memory of 1560	396	2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe	110
PID 396 wrote to memory of 1560	396	2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe	110
PID 1560 wrote to memory of 4328	1560	cmd.exe	112
PID 1560 wrote to memory of 4328	1560	cmd.exe	112
PID 1560 wrote to memory of 4328	1560	cmd.exe	112
PID 396 wrote to memory of 4252	396	2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe	113
PID 396 wrote to memory of 4252	396	2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe	113
PID 396 wrote to memory of 4252	396	2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe	113
PID 396 wrote to memory of 4292	396	2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe	114
PID 396 wrote to memory of 4292	396	2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe	114
PID 396 wrote to memory of 4292	396	2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe	114
PID 396 wrote to memory of 5100	396	2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe	115
PID 396 wrote to memory of 5100	396	2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe	115
PID 396 wrote to memory of 5100	396	2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe	115
PID 396 wrote to memory of 2448	396	2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe	116

C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4980
- C:\Users\Admin\ZiAIAMoA\qgEkkUEc.exe
  "C:\Users\Admin\ZiAIAMoA\qgEkkUEc.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:4884
- C:\ProgramData\wiIgAwEU\yQEQAYcY.exe
  "C:\ProgramData\wiIgAwEU\yQEQAYcY.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2804
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4908
- - C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
    C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3672
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2512
    - - C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:396
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1560
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock"
        8⤵
        
        PID:4880
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock"
        10⤵
        
        PID:3700
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock"
        12⤵
        
        PID:2504
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock"
        14⤵
        
        PID:4908
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock"
        16⤵
        
        PID:4572
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock"
        18⤵
        
        PID:636
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock"
        20⤵
        
        PID:4904
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock"
        22⤵
        
        PID:4136
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock"
        24⤵
        
        PID:3124
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock"
        26⤵
        
        PID:3132
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock"
        28⤵
        
        PID:1348
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        29⤵
        
        PID:3276
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock"
        30⤵
        
        PID:1224
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock"
        32⤵
        
        PID:3116
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        33⤵
        
        PID:2156
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock
        33⤵
        
        PID:3272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock"
        34⤵
        
        PID:4264
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock
        35⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock"
        36⤵
        
        PID:2244
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock
        37⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock"
        38⤵
        
        PID:1376
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock
        39⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock"
        40⤵
        
        PID:4792
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        41⤵
        
        PID:2912
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock
        41⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock"
        42⤵
        
        PID:2408
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        43⤵
        
        PID:4352
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock
        43⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock"
        44⤵
        
        PID:4572
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock
        45⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock"
        46⤵
        
        PID:4868
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock
        47⤵
        
        PID:3456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock"
        48⤵
        
        PID:4704
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock
        49⤵
        
        PID:4808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock"
        50⤵
        
        PID:4880
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock
        51⤵
        
        PID:3328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock"
        52⤵
        
        PID:3076
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock
        53⤵
        
        PID:740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock"
        54⤵
        
        PID:4092
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock
        55⤵
        
        PID:3564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock"
        56⤵
        
        PID:5008
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock
        57⤵
        
        PID:4292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock"
        58⤵
        
        PID:4728
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock
        59⤵
        
        PID:3396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock"
        60⤵
        
        PID:3276
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock
        61⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock"
        62⤵
        
        PID:3048
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock
        63⤵
        
        PID:1284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock"
        64⤵
        
        PID:4888
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock
        65⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock"
        66⤵
        
        PID:1452
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock
        67⤵
        
        PID:3096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock"
        68⤵
        
        PID:1044
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock
        69⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock"
        70⤵
        
        PID:1344
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock
        71⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock"
        72⤵
        
        PID:4808
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock
        73⤵
        
        PID:396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock"
        74⤵
        
        PID:1620
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock
        75⤵
        
        PID:208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock"
        76⤵
        
        PID:2164
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock
        77⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock"
        78⤵
        
        PID:4256
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock
        79⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock"
        80⤵
        
        PID:540
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        81⤵
        
        PID:3468
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock
        81⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock"
        82⤵
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock
        83⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock"
        84⤵
        
        PID:1000
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock
        85⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock"
        86⤵
        
        PID:632
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        87⤵
        
        PID:1920
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock
        87⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock"
        88⤵
        
        PID:4788
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        89⤵
        
        PID:1748
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock
        89⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock"
        90⤵
        
        PID:4040
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock
        91⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock"
        92⤵
        
        PID:1280
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock
        93⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock"
        94⤵
        
        PID:2748
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock
        95⤵
        
        PID:436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock"
        96⤵
        
        PID:4976
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        97⤵
        
        PID:3652
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock
        97⤵
        
        PID:3328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock"
        98⤵
        
        PID:3600
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock
        99⤵
        
        PID:3564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock"
        100⤵
        
        PID:5020
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock
        101⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock"
        102⤵
        
        PID:2580
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock
        103⤵
        
        PID:512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock"
        104⤵
        
        PID:4800
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock
        105⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock"
        106⤵
        
        PID:1284
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock
        107⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock"
        108⤵
        
        PID:3068
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        109⤵
        
        PID:2768
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock
        109⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock"
        110⤵
        
        PID:4136
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        111⤵
        
        PID:4264
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock
        111⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock"
        112⤵
        
        PID:448
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock
        113⤵
        
        PID:216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock"
        114⤵
        
        PID:540
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        115⤵
        
        PID:3964
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock
        115⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock"
        116⤵
        
        PID:4688
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock
        117⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock"
        118⤵
        
        PID:2364
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock
        119⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock"
        120⤵
        
        PID:3140
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        121⤵
        
        PID:1320
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock
        121⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock"
        122⤵
        
        PID:2176
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock
        123⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock"
        124⤵
        
        PID:4040
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock
        125⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock"
        126⤵
        
        PID:2300
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock
        127⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock"
        128⤵
        
        PID:1344
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock
        129⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock"
        130⤵
        
        PID:3956
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock
        131⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock"
        132⤵
        
        PID:792
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock
        133⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock"
        134⤵
        
        PID:2392
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock
        135⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock"
        136⤵
        
        PID:4588
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock
        137⤵
        
        PID:3244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock"
        138⤵
        
        PID:436
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock
        139⤵
        
        PID:3156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock"
        140⤵
        
        PID:4868
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock
        141⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock"
        142⤵
        
        PID:1968
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        143⤵
        
        PID:3068
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock
        143⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock"
        144⤵
        
        PID:1840
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock
        145⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock"
        146⤵
        
        PID:3132
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        147⤵
        
        PID:4704
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock
        147⤵
        
        PID:3180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock"
        148⤵
        
        PID:3720
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        149⤵
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock
        149⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock"
        150⤵
        
        PID:2920
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock
        151⤵
        
        PID:716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock"
        152⤵
        
        PID:2796
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock
        153⤵
        
        PID:4748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock"
        154⤵
        
        PID:2828
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock
        155⤵
        
        PID:1376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock"
        156⤵
        
        PID:3252
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        157⤵
        
        PID:3612
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock
        157⤵
        
        PID:1188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock"
        158⤵
        
        PID:2124
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock
        159⤵
        
        PID:3720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock"
        160⤵
        
        PID:1240
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock
        161⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock"
        162⤵
        
        PID:1508
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock
        163⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock"
        164⤵
        
        PID:620
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock
        165⤵
        
        PID:3832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock"
        166⤵
        
        PID:4952
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock
        167⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock"
        168⤵
        
        PID:3984
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock
        169⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock"
        170⤵
        
        PID:3692
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        171⤵
        
        PID:1436
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock
        171⤵
        
        PID:3272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock"
        172⤵
        
        PID:4904
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock
        173⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock"
        174⤵
        
        PID:4724
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock
        175⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock"
        176⤵
        
        PID:1964
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock
        177⤵
        
        PID:436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock"
        178⤵
        
        PID:4228
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock
        179⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock"
        180⤵
        
        PID:3108
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        181⤵
        
        PID:3080
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock
        181⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock"
        182⤵
        
        PID:5060
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock
        183⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock"
        184⤵
        
        PID:4788
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock
        185⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock"
        186⤵
        
        PID:4992
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock
        187⤵
        
        PID:4228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock"
        188⤵
        
        PID:4964
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        189⤵
        
        PID:2348
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock
        189⤵
        
        PID:716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock"
        190⤵
        
        PID:1284
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock
        191⤵
        
        PID:3792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock"
        192⤵
        
        PID:4452
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock
        193⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock"
        194⤵
        
        PID:712
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        195⤵
        
        PID:1344
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock
        195⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock"
        196⤵
        
        PID:2124
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock
        197⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock"
        198⤵
        
        PID:3864
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock
        199⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock"
        200⤵
        
        PID:4348
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        201⤵
        
        PID:1164
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock
        201⤵
        
        PID:4272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock"
        202⤵
        
        PID:988
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock
        203⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock"
        204⤵
        
        PID:400
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock
        205⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock"
        206⤵
        
        PID:4416
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock
        207⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock"
        208⤵
        
        PID:4132
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock
        209⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock"
        210⤵
        
        PID:864
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock
        211⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock"
        212⤵
        
        PID:5112
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        213⤵
        
        PID:4676
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock
        213⤵
        
        PID:4256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock"
        214⤵
        
        PID:4476
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock
        215⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock"
        216⤵
        
        PID:4520
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock
        217⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock"
        218⤵
        
        PID:3124
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock
        219⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock"
        220⤵
        
        PID:2872
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock
        221⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock"
        222⤵
        
        PID:1720
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock
        223⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock"
        224⤵
        
        PID:4496
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock
        225⤵
        
        PID:4612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock"
        226⤵
        
        PID:5064
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        227⤵
        
        PID:3692
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock
        227⤵
        
        PID:1228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock"
        228⤵
        
        PID:2536
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        229⤵
        
        PID:2144
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock
        229⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock"
        230⤵
        
        PID:1348
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock
        231⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock"
        232⤵
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock
        233⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock"
        234⤵
        
        PID:2880
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        235⤵
        
        PID:1860
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock
        235⤵
        
        PID:856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock"
        236⤵
        
        PID:3712
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock
        237⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock"
        238⤵
        
        PID:2588
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock
        239⤵
        
        PID:1216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock"
        240⤵
        
        PID:3988
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        241⤵
        
        PID:3180
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock
        241⤵
        
        PID:424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock"
        242⤵
        
        PID:3056
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock
        243⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock"
        244⤵
        
        PID:448
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock
        245⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock"
        246⤵
        
        PID:2872
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock
        247⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock"
        248⤵
        
        PID:3880
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock
        249⤵
        
        PID:1216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock"
        250⤵
        
        PID:4332
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock
        251⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock"
        252⤵
        
        PID:4276
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock
        253⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock"
        254⤵
        
        PID:1156
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        255⤵
        
        PID:2280
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock
        255⤵
        
        PID:792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock"
        256⤵
        
        PID:3956
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock
        257⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock"
        258⤵
        
        PID:5100
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock
        259⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock"
        260⤵
        
        PID:2580
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        261⤵
        
        PID:1216
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock
        261⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        260⤵
        
        PID:3880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        258⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        258⤵
        
        PID:988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        258⤵
        
        PID:3672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vQEkoYoc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe""
        258⤵
        
        PID:2364
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        259⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        259⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        256⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        256⤵
        
        PID:4792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        256⤵
        UAC bypass
        
        PID:4488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rWskgIMM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe""
        256⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        257⤵
        
        PID:948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        254⤵
        
        PID:1196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        254⤵
        
        PID:4216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        254⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CsQgEogY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe""
        254⤵
        
        PID:4660
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        255⤵
        
        PID:916
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        255⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        252⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4868
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        253⤵
        
        PID:3400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        252⤵
        
        PID:4568
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        253⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        252⤵
        UAC bypass
        Modifies registry key
        
        PID:4980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uaMsIUMk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe""
        252⤵
        
        PID:2172
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        253⤵
        
        PID:760
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        253⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        250⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        250⤵
        Modifies registry key
        
        PID:3328
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        251⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        250⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SmYwgwwY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe""
        250⤵
        
        PID:3276
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        251⤵
        
        PID:856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        248⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        248⤵
        
        PID:512
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        249⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        248⤵
        UAC bypass
        
        PID:3672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BYwMkwAw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe""
        248⤵
        
        PID:2304
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        249⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        249⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        246⤵
        Modifies registry key
        
        PID:1204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        246⤵
        
        PID:2072
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        247⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        246⤵
        UAC bypass
        
        PID:2140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VuYYIYYI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe""
        246⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        247⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        244⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        244⤵
        
        PID:4748
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        245⤵
        
        PID:1208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        244⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nMcIoAsE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe""
        244⤵
        
        PID:3868
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        245⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        242⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        242⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        242⤵
        
        PID:464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fUQEIkMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe""
        242⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        243⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        240⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        240⤵
        
        PID:3140
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        241⤵
        
        PID:4860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        240⤵
        
        PID:4880
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        241⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KsUAoYQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe""
        240⤵
        
        PID:3328
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        241⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        238⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3452
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        239⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        238⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        238⤵
        Modifies registry key
        
        PID:2408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OIUkwQYQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe""
        238⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        239⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        236⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        236⤵
        Modifies registry key
        
        PID:4908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        236⤵
        Modifies registry key
        
        PID:5104
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        237⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SIYsYcsU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe""
        236⤵
        
        PID:4788
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        237⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        237⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        234⤵
        
        PID:436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        234⤵
        
        PID:4136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        234⤵
        UAC bypass
        
        PID:4632
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        235⤵
        
        PID:3792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jKUEowww.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe""
        234⤵
        
        PID:4724
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        235⤵
        
        PID:920
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        235⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        232⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        232⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        232⤵
        
        PID:4316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lGcAkAsk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe""
        232⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        233⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        230⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        230⤵
        Modifies registry key
        
        PID:4968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        230⤵
        UAC bypass
        
        PID:2564
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        231⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LkcskAsc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe""
        230⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        231⤵
        
        PID:744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        228⤵
        Modifies registry key
        
        PID:916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        228⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        228⤵
        UAC bypass
        
        PID:4080
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        229⤵
        
        PID:1376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ewcIwgck.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe""
        228⤵
        
        PID:4324
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        229⤵
        
        PID:4788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        226⤵
        
        PID:4132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        226⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        226⤵
        Modifies registry key
        
        PID:1032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JQoQsskk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe""
        226⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        227⤵
        
        PID:760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        224⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        224⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        224⤵
        
        PID:568
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        225⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ngowIUwM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe""
        224⤵
        
        PID:2684
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        225⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        225⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        222⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        222⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        222⤵
        
        PID:740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pOYssAkM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe""
        222⤵
        
        PID:4860
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        223⤵
        
        PID:1208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        220⤵
        Modifies registry key
        
        PID:2580
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        221⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        220⤵
        Modifies registry key
        
        PID:4952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        220⤵
        UAC bypass
        
        PID:4304
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        221⤵
        
        PID:3832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lCIEYUsU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe""
        220⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        221⤵
        
        PID:3488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        218⤵
        
        PID:3248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        218⤵
        
        PID:4792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        218⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eqEEQEsY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe""
        218⤵
        
        PID:920
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        219⤵
        
        PID:3104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        216⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        216⤵
        
        PID:3456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        216⤵
        
        PID:804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AicMMAUc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe""
        216⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        217⤵
        
        PID:3272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        214⤵
        
        PID:3712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        214⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        214⤵
        UAC bypass
        
        PID:4376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eQcIcoQM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe""
        214⤵
        
        PID:3720
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        215⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        212⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1564
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        213⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        212⤵
        
        PID:3832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        212⤵
        UAC bypass
        
        PID:848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DyAIsEcs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe""
        212⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        213⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        210⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        210⤵
        
        PID:3396
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        211⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        210⤵
        Modifies registry key
        
        PID:3528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pMAIsUkc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe""
        210⤵
        
        PID:432
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        211⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        208⤵
        
        PID:60
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        208⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        208⤵
        UAC bypass
        
        PID:712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\naAgAAYc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe""
        208⤵
        
        PID:1344
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        209⤵
        
        PID:4808
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        209⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        206⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        206⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        206⤵
        Modifies registry key
        
        PID:992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BUgkswss.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe""
        206⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        207⤵
        
        PID:3328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        204⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        204⤵
        
        PID:1204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        204⤵
        UAC bypass
        
        PID:3880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wyoQEwEU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe""
        204⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        205⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        202⤵
        
        PID:724
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        203⤵
        
        PID:4160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        202⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        202⤵
        
        PID:424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uqEowEcA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe""
        202⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        203⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        200⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        200⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        200⤵
        UAC bypass
        
        PID:2540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CgYccgMI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe""
        200⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        201⤵
        
        PID:3692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        198⤵
        
        PID:720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        198⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        198⤵
        
        PID:2364
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        199⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pyEoQgIk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe""
        198⤵
        
        PID:636
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        199⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        199⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        196⤵
        
        PID:3600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        196⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        196⤵
        UAC bypass
        
        PID:1216
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        197⤵
        
        PID:532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vCgIskAY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe""
        196⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        197⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        194⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        194⤵
        
        PID:4132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        194⤵
        UAC bypass
        
        PID:1428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FwgosEwY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe""
        194⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        195⤵
        
        PID:60
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        192⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        192⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        192⤵
        
        PID:3180
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        193⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jMMoIggg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe""
        192⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        193⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        190⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        190⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        190⤵
        UAC bypass
        
        PID:4688
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        191⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QaUIQEMw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe""
        190⤵
        
        PID:3188
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        191⤵
        
        PID:760
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        191⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        188⤵
        Modifies visibility of file extensions in Explorer
        
        PID:532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        188⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        188⤵
        UAC bypass
        
        PID:4500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GAMkAoQU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe""
        188⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        189⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        186⤵
        Modifies registry key
        
        PID:1968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        186⤵
        
        PID:3456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        186⤵
        
        PID:1376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AakEUsAc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe""
        186⤵
        
        PID:936
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        187⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        184⤵
        Modifies registry key
        
        PID:2772
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        185⤵
        
        PID:436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        184⤵
        
        PID:2932
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        185⤵
        
        PID:1188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        184⤵
        
        PID:400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JEMQoEUs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe""
        184⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        185⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        182⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        182⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        182⤵
        UAC bypass
        
        PID:4356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\duMogcYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe""
        182⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        183⤵
        
        PID:1452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        180⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        180⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        180⤵
        UAC bypass
        
        PID:4816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XYQgYwIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe""
        180⤵
        
        PID:60
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        181⤵
        
        PID:4176
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        181⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        178⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        178⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        178⤵
        
        PID:2000
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        179⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yIAwEgIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe""
        178⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        179⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        176⤵
        
        PID:1296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        176⤵
        
        PID:4216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        176⤵
        UAC bypass
        
        PID:3792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sMUscMQY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe""
        176⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        177⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        174⤵
        
        PID:424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        174⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        174⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gCUkEQsw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe""
        174⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        175⤵
        
        PID:3564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        172⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        172⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        172⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IGQMcoAA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe""
        172⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        173⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        170⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        170⤵
        
        PID:788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        170⤵
        UAC bypass
        
        PID:1640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jOEMIUAg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe""
        170⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        171⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        168⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        168⤵
        
        PID:5100
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        169⤵
        
        PID:804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        168⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BCQAQEwQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe""
        168⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        169⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        166⤵
        
        PID:1204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        166⤵
        
        PID:3156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        166⤵
        
        PID:4452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TQEwMcks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe""
        166⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        167⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        164⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        164⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        164⤵
        
        PID:2720
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        165⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yOoocAIs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe""
        164⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        165⤵
        
        PID:4860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        162⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        162⤵
        
        PID:4808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        162⤵
        UAC bypass
        
        PID:2304
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        163⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UOQYQkkQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe""
        162⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        163⤵
        
        PID:4676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        160⤵
        Modifies registry key
        
        PID:1448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        160⤵
        Modifies registry key
        
        PID:60
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        161⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        160⤵
        
        PID:4176
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        161⤵
        
        PID:988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iMsQMwMw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe""
        160⤵
        
        PID:3712
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        161⤵
        
        PID:1268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        158⤵
        
        PID:2564
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        159⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        158⤵
        
        PID:1460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        158⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XSIUEMIo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe""
        158⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        159⤵
        
        PID:788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        156⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        156⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        156⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BMIIEEsE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe""
        156⤵
        
        PID:4868
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        157⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        157⤵
        
        PID:760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        154⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        154⤵
        Modifies registry key
        
        PID:4036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        154⤵
        UAC bypass
        
        PID:1620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hKAYMkks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe""
        154⤵
        
        PID:4452
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        155⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        152⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        152⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        152⤵
        UAC bypass
        
        PID:5040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eEkkYoIs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe""
        152⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        153⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        150⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        150⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        150⤵
        
        PID:396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cMAQgwsI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe""
        150⤵
        
        PID:552
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        151⤵
        
        PID:4176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        148⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        148⤵
        
        PID:428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        148⤵
        UAC bypass
        
        PID:1344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AyoooUUI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe""
        148⤵
        
        PID:3868
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        149⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        146⤵
        Modifies registry key
        
        PID:5112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        146⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        146⤵
        
        PID:1584
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        147⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IkwwIIsg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe""
        146⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        147⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        144⤵
        
        PID:60
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        144⤵
        Modifies registry key
        
        PID:5104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        144⤵
        
        PID:804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FYEUwgwU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe""
        144⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        145⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        142⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        142⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        142⤵
        UAC bypass
        
        PID:1156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XUQUcYok.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe""
        142⤵
        
        PID:3080
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        143⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        140⤵
        
        PID:1216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        140⤵
        Modifies registry key
        
        PID:2564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        140⤵
        UAC bypass
        
        PID:4888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZGEcIgkc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe""
        140⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        141⤵
        
        PID:3600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        138⤵
        Modifies registry key
        
        PID:3188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        138⤵
        
        PID:1624
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        139⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        138⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TYAssows.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe""
        138⤵
        
        PID:4676
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        139⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        136⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        136⤵
        
        PID:4704
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        137⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        136⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YawwAEIs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe""
        136⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        137⤵
        
        PID:424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        134⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        134⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        134⤵
        Modifies registry key
        
        PID:2476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gCEogAIg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe""
        134⤵
        
        PID:1508
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        135⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        135⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        132⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        132⤵
        Modifies registry key
        
        PID:536
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        133⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        132⤵
        
        PID:4788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KmAkkwoM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe""
        132⤵
        
        PID:3096
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        133⤵
        
        PID:220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        
        PID:1460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        
        PID:3600
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        131⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\huUAsoAk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe""
        130⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        131⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        Modifies registry key
        
        PID:4460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        UAC bypass
        
        PID:2828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PAwAkQMA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe""
        128⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        129⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        Modifies registry key
        
        PID:4488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        UAC bypass
        
        PID:3296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bsUYAAwA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe""
        126⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        
        PID:1228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        UAC bypass
        
        PID:1948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PUEkAcwA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe""
        124⤵
        
        PID:224
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        Modifies visibility of file extensions in Explorer
        
        PID:724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        
        PID:3468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        UAC bypass
        
        PID:3116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wwwsYUkw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe""
        122⤵
        
        PID:432
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:3400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        
        PID:2000
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        121⤵
        
        PID:3564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        
        PID:3528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MWMwIoMI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe""
        120⤵
        
        PID:804
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        
        PID:4984
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        119⤵
        
        PID:1284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        UAC bypass
        
        PID:3612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OaoggQgg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe""
        118⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        
        PID:436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zqAcwUwg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe""
        116⤵
        
        PID:3720
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        
        PID:4016
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        115⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        UAC bypass
        Modifies registry key
        
        PID:424
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        115⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tycUYAsk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe""
        114⤵
        
        PID:4612
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        Modifies registry key
        
        PID:1684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RwkMUUgs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe""
        112⤵
        
        PID:4940
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        113⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        
        PID:116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        UAC bypass
        
        PID:232
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        111⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VsgsggwU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe""
        110⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:3380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        
        PID:4252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\usQskEcY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe""
        108⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        Modifies registry key
        
        PID:2060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UYAogMEA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe""
        106⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        UAC bypass
        
        PID:1584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XEocIIwg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe""
        104⤵
        
        PID:1268
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        
        PID:1656
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        103⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JkYEEssk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe""
        102⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        Modifies registry key
        
        PID:792
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        101⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tQYkUQEM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe""
        100⤵
        
        PID:432
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        
        PID:4672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bqoIoMQo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe""
        98⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        
        PID:2152
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        97⤵
        
        PID:1000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OwkAgkQI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe""
        96⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:4952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        UAC bypass
        
        PID:4008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sOsgAgQw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe""
        94⤵
        
        PID:4808
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        Modifies registry key
        
        PID:1860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        
        PID:992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yMUQMQoE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe""
        92⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        
        PID:4484
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        91⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BmYYQsYA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe""
        90⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        UAC bypass
        
        PID:2516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BQUsAIgA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe""
        88⤵
        
        PID:1452
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        89⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        Modifies registry key
        
        PID:4880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jksUokQM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe""
        86⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:3408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        UAC bypass
        
        PID:396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pKcMEosg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe""
        84⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        
        PID:1792
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        83⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        Modifies registry key
        
        PID:1488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EksEQcMo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe""
        82⤵
        
        PID:3020
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        83⤵
        
        PID:1344
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        
        PID:896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\egcAAEwA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe""
        80⤵
        
        PID:4612
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        
        PID:3136
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        79⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        
        PID:3880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        UAC bypass
        
        PID:4228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OAoAswsI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe""
        78⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:3256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        Modifies registry key
        
        PID:3864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        
        PID:916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        Modifies registry key
        
        PID:3408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NmIsAgAw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe""
        76⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2528
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        75⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        
        PID:740
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        75⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        UAC bypass
        
        PID:2060
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        75⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HYYYMUkQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe""
        74⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        Modifies registry key
        
        PID:4460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:2652
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        73⤵
        
        PID:3276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        Modifies registry key
        
        PID:2912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pmsQkUQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe""
        72⤵
        
        PID:4652
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        73⤵
        
        PID:3620
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        
        PID:220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CWYAIoQo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe""
        70⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:1224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        UAC bypass
        
        PID:4292
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        69⤵
        
        PID:3456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OEsgcssQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe""
        68⤵
        
        PID:4484
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        69⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        
        PID:3600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        Modifies registry key
        
        PID:5032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OMUooIAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe""
        66⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:4256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        Modifies registry key
        
        PID:3956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JccIYMQI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe""
        64⤵
        
        PID:2400
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        65⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        
        PID:2468
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        63⤵
        
        PID:1000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        
        PID:716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lSkUocEc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe""
        62⤵
        
        PID:208
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:4252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        Modifies registry key
        
        PID:2676
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        61⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        Modifies registry key
        
        PID:3700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        
        PID:992
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        61⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PmIkkEoc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe""
        60⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        
        PID:3468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        
        PID:724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        UAC bypass
        
        PID:1080
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        59⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mYggAocE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe""
        58⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        UAC bypass
        Modifies registry key
        
        PID:5048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OiQgUsUU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe""
        56⤵
        
        PID:744
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:1188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:5096
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        55⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WKAokgcM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe""
        54⤵
        
        PID:3864
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        
        PID:396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JGAMkkIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe""
        52⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        Modifies visibility of file extensions in Explorer
        
        PID:536
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        51⤵
        
        PID:1224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZgUwcosc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe""
        50⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        Modifies registry key
        
        PID:3428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        Modifies registry key
        
        PID:4016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pIAswkUY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe""
        48⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:3620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4456
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        47⤵
        
        PID:1460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        UAC bypass
        
        PID:4972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FeIAwMAk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe""
        46⤵
        
        PID:636
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        
        PID:4676
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        45⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        Modifies registry key
        
        PID:1840
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        45⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mkgAoQIk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe""
        44⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:1000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IukAIEwE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe""
        42⤵
        
        PID:4860
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        
        PID:2440
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        41⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wMgEEocc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe""
        40⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:1204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        
        PID:3180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        UAC bypass
        
        PID:4640
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        39⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qGYUgAkc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe""
        38⤵
        
        PID:3620
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:3096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zOkYIAkU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe""
        36⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        UAC bypass
        Modifies registry key
        
        PID:2448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FQcUUYUI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe""
        34⤵
        
        PID:4672
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        UAC bypass
        
        PID:2168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DCkwIYos.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe""
        32⤵
        
        PID:936
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        
        PID:432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        
        PID:1080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XEAsYAss.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe""
        30⤵
        
        PID:3256
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        
        PID:3412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:1460
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        29⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        UAC bypass
        
        PID:3880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OyUUkcEI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe""
        28⤵
        
        PID:3180
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:3496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        
        PID:3712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        Modifies registry key
        
        PID:1248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        UAC bypass
        
        PID:4636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wqkwUwkQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe""
        26⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        
        PID:4352
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        25⤵
        
        PID:3720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        
        PID:740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kKUQYwMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe""
        24⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        Modifies registry key
        
        PID:2156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        UAC bypass
        
        PID:224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gMcoMcsA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe""
        22⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        UAC bypass
        
        PID:1684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lwUUMoso.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe""
        20⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:1080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        
        PID:3276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XugAcoYs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe""
        18⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PgEEskIQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe""
        16⤵
        
        PID:720
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:3792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        
        PID:3720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        
        PID:740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FIAwkAcQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe""
        14⤵
        
        PID:3600
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        
        PID:620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kKkUgUcM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe""
        12⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UisYwIkU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe""
        10⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QyMIIcAM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe""
        8⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:2728
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        
        PID:4252
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:4292
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        
        PID:5100
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QuggYEMk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe""
        6⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:4672
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies registry key
      PID:1424
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Modifies registry key
      PID:2888
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      Modifies registry key
      PID:3600
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vaMgYwcA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4520
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:920
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:1188
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:788
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:2580
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PcoQooQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3528
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:4064

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv Q1cnKV1feEixJ5GIR8GUpQ.0.1
1⤵
PID:1376

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:3660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\User Account Pictures\user-192.png.exe

Filesize
194KB

MD5
387282880996f3b49056672e90a7da7c

SHA1
bb3ab7975e4d7d45bbfe3e0d3a7df49cb6405bb5

SHA256
c5daff95b3d90a4323201ba5928c8b3989ef02588e949f46d32ede22ce691974

SHA512
312e1b7b10faab5b6baf6ff3068474ec05c33c648ebadb9508409af04545ab84168df26271532e01f6c91b200a703551b908399b700ca7932cc9537846a88b98

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
633KB

MD5
d93deae1f244e698d4787cf74e18b7e3

SHA1
fde2a4b616fc2acb69cab2a7e77e1464f5a03886

SHA256
27d43d5812bc2c4f7b34a1687df59dcf6401657810fb5c3873e0b63ad7a92104

SHA512
de45bd139e22e0a483cb01ab07e9e82e1d20d54451394a5a41e652876a5a4ac64f4cf6f3d727d2d300ecfe4ab92eba3a945f666fd19f9cea262eb83e640c3374

Download Submit
C:\ProgramData\wiIgAwEU\yQEQAYcY.exe

Filesize
200KB

MD5
3c39114afc68df58cb4d72e7dc9e1b46

SHA1
6fd7ab18eca43817a3040a22c408a7c7bec2ed39

SHA256
f7e4fafd4442fe0d5432d5c23be040942477577c56a7aac1af29c6213b20ba01

SHA512
89842703f2b18996be1fb97059eeec8d61963c45a9ad4a54d560e0d45459d61fca32f79818cf68f6fd6b8ed0875f37c6d9b920e0e0ce30584bb0cc6a2ee1e337

Download Submit
C:\ProgramData\wiIgAwEU\yQEQAYcY.inf

Filesize
4B

MD5
c1f5a44c0f8855f6dc774b426ed2d842

SHA1
590d4cb8487f446b9735eb2ce7b9b6e547268d18

SHA256
4d7976ebcdf862675155ecae893ff83ecde207a3752d80aed9fb7c33e00fcec1

SHA512
9880db7c2d0a1b0b650095bc0479ce80bdb0ca0b647611369f0946d6d27331a9eb4508d7f99e36da4ea130a47185ce7cebf9f349cdbe1d8f232b5e097b016f09

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\128.png.exe

Filesize
190KB

MD5
41b94af60d7dc7cccef51b442adf47cc

SHA1
84c837ced84e88e317cc476c7bc0c2a3a6f77d9b

SHA256
9bb2dbe4b34da05dc3328a17cb401c31f4e4f499ce4c3dff8a1d40796a1ad399

SHA512
41e8421ecc1ae640b467bf1f3350d20e92821651da34819ebc10924661abfb1a0a14127f9234073ef083b88a4ba4bcc8c065f1bca2f8d24ded162c87d8cdca49

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\64.png.exe

Filesize
187KB

MD5
640eafe7222f6e6b952b53c1e145dfac

SHA1
000caad071e70f584bf4cdee993c15a1fea602be

SHA256
80e575858e5ead4a9071d2d9f586a78177e5e8f004f44e71e55af5a241b7ce2f

SHA512
ab8cc04b0cfd0c445e7bd43c757e8bb3b66db07feffcd525a49afe7bb7e8207e168968b0e31b5c1d7afeefaf1d7ea8f97988bc9eab0ffb71c89c409a7dc3187d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\256.png.exe

Filesize
204KB

MD5
189cb0a58d8217b59d2acb9fa5a0e9e8

SHA1
690342e20293df4f1472c3b922df73f2b0bcb0cc

SHA256
ffc8e943ae00812b1ebe79e3b321657e32879dafd706d34e2e647a627e69c9ee

SHA512
1e888bf0a3fd28a800c593b3feee85dfba3b4c95f047efbb9e1f53796ffe7303769b5ce1fc44f9a40369859d1efafbb73fa1c47b9a1f463e66bd9350989e84e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\128.png.exe

Filesize
183KB

MD5
f4cd913e0bddca72bca3885bcd0bb80f

SHA1
31be8a7cd6471122a16aa1fe8b441c930a4135c5

SHA256
6e16b6315bf99fa046283f17f58e88818a1d22a3710df1f55da6ca399723d103

SHA512
6810a91ecb9278a5203f5451467d126d6f41b79acb1eb07ce662e31698b60fc0ace84281ee14f2cd983d370280c4ae8fce2a689fe9dbcd8ccc299fb92a85963f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppErrorWhite.png.exe

Filesize
203KB

MD5
1f7124a1323a12a8ca94b83a6ef1de32

SHA1
af6401382e95449c5ad70620b6e5ff22406644e8

SHA256
57451f9860c742c3a760c033fb91c61e1d912b6f9758f4aa3e00c9aea5c25971

SHA512
e40d1f12dc85270499bcb71d288e3f1e1bd2c9e58d9a3ae17fc21c6098608f0ca671458a7a515805babba16b12c60eb675293548cffbbb8bda185207779b9122

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMScanExclusionToast.png.exe

Filesize
191KB

MD5
979bbc13e1a858bd2304c7a0c82e6a88

SHA1
2686f48aca88dce58e0d13e31cc832bbc1d3d3e2

SHA256
13ed5547c602a98afd173e62aac1d30250af79fc73fc28129a2685d1c6f315ba

SHA512
d31d3f112178969d1a69c81479bb8a6dbf2a595bde5b19d1502a14cdc2ad7193d1fdb1661b8fd787306ab539907aeb2d80c06ef93c4b44d2987dda4cab41276e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-400.png.exe

Filesize
183KB

MD5
4f1b50d3445378f571cbc4a10d04b1da

SHA1
d4a9eb96981f122dee57460e59a18cac8f76fe4e

SHA256
6be3d762083fac7c87d211ead4ddc7f615544afe359b7ca64c8186f03477bba8

SHA512
daa73098ed7fa3fd60aadb1031155f6ec2d88c934583075eec684d119128ac3461bde37722004215af599d245b3c5a310003b5950017edc20dcbadaabc7fd62e

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-05-10_8227145fd2cb70f9e2b1284a1e764b40_virlock

Filesize
6KB

MD5
6df7065f01a6050fe6a0fc315cc1198e

SHA1
7b01a12035d29cde184590b08441c61c507a947e

SHA256
67a4ceda66f3abe6e0d18b08351d09c00e29f6a2ae3e55ad5e721218d6e45137

SHA512
6b42f9485501a09460acf5fd75f61ec0f92ed0f29a7cf26c11b9a13dabbb730f5f88f6a3e0a2f1bb20f984f8d0320bdc33e589100efb40c4fdea36f16a98db29

Download Submit
C:\Users\Admin\AppData\Local\Temp\AIUW.exe

Filesize
202KB

MD5
68df48059fa3c9b7aa7a7e31986b7391

SHA1
301e3c4e1ae9ac883e0feb9f250d404e50cad7bf

SHA256
b39f0f2e85e7b0b3265e52e472b92ea1bcf530079b041cca6a00291b7940a4b9

SHA512
63806aeb232c1c501b515bdd37f62530f09f792b39304e64782804337560517da12c7935dca488d0bd696fe449975adae530c7acb3dfba1df13d04fe2ef7e86e

Download Submit
C:\Users\Admin\AppData\Local\Temp\AQci.exe

Filesize
2.3MB

MD5
1cb98bd1bdcfc4d8dbe8a9cfedf6c564

SHA1
73ba6be1f91e8b64290bc3eb9a2eb6b36fd74f8f

SHA256
84af1df4157f67caebf347feee6ee7b21d3a6a128adb7057afa4790c5b36f8d8

SHA512
be0927bfb3181cb28d69cd648ed2f52adae06f3082cef7632a01042462510186053dbdb40f7f0872dc2b0f2d30976414b4fea320303f74c66122f5601bb278ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\AYgu.exe

Filesize
1019KB

MD5
451a5d0b07e005495ed2b222f4c8925c

SHA1
265080ff985d3a023f07816438d2b786f45e75db

SHA256
d55f74f6fa8298ae31f4327762f800f71931f3fcaa5bedc04f2a3d38482e3346

SHA512
a50ca2827f43cb760275ca2cef860c953e884433abb02fbb546f531c856546d087556e166abd43344ff441dd2049123b04419b894ea2d50ff7dae474078c3ea7

Download Submit
C:\Users\Admin\AppData\Local\Temp\AoAy.exe

Filesize
197KB

MD5
8f2bee502f85140193889da9ae844fd9

SHA1
5d5cdf484cca80ef4edb43f4a53ed8f1d7a3dea1

SHA256
7f2792918e59b6819c0ba9f3966584351f7bf7f97ef0622201359c3c10316e28

SHA512
1f1b1674e2bca683d4cfb8f07c97638ece57c9669fa0050b90ea26e13763088f3a47ab87b931906add7443e63105b80626ad8f4000a4d9f713e9004eb8678586

Download Submit
C:\Users\Admin\AppData\Local\Temp\Aooi.exe

Filesize
220KB

MD5
4a538a59f111a762abd437b8042ae9c4

SHA1
a9f3e1b6a410728498b0bf72c8985d1143b437d2

SHA256
d712662b498a9d76ae88a8c8657963587faf8811361fc2007efa3a1d01a0d952

SHA512
8499fcf078b71e4b666c45ec2903148984249d5d1a07e2ddc22fb26fcf3195e4f5fba23b110b3b85873a29c3ae9ac7ac5f9a6bbf1c1f144c8fcddec68177d66f

Download Submit
C:\Users\Admin\AppData\Local\Temp\CAcm.exe

Filesize
187KB

MD5
13a1ce0f1d7dd2396a1a4e64f47b2a2b

SHA1
5fe6fc71009af684274d762a0ff02aeddc66a112

SHA256
93b03c261be835abf19402c7be586bd2182694bdc6345ed40972f7d254526f9d

SHA512
65f2e18214b6f1a1883ed83f391b97c581ce3c87bf754dfdbef256644fa1ad4b5370e2ed4a889bc9ad010a4301be7dda8a450e795b7bfda54fda49d411631edc

Download Submit
C:\Users\Admin\AppData\Local\Temp\CgcU.exe

Filesize
199KB

MD5
31f582c8620c80cf1b593f3bb64ee58d

SHA1
018089f17b8b43127e82d519671a1d5071047122

SHA256
81c53554a35c38bbd9d3722dcff4e9dfab8cafa8ce7a32580fec8452e25303d4

SHA512
9ea740fb91851a38e7cd16632d5d75a518e445963783668607019310316c108e114ec507499c6a9e95f605860b3f56ced8b730349c3876236bd1e87b52cf381d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ckcy.exe

Filesize
210KB

MD5
dc1473bff57b4e3c669a3ea716ed4382

SHA1
9121d87adcb32268da2e3792639cd67f34193f57

SHA256
0b1faefaf03c087510743c5f5c034a42be3ff052742d56dec98ec5de55bc02f4

SHA512
c1f59041a340915eecf59362023221e0b4920f1bc12034c0ff76980cb664102bcc8dfbdc2b206a92876dd0def3668dcf8ad518e815d83d587f93d66dec26fa07

Download Submit
C:\Users\Admin\AppData\Local\Temp\EMAU.exe

Filesize
794KB

MD5
25c21523d0f080d59894fd59cee6a2c9

SHA1
99ca6d7f1ae77dc1849ec28480941c884e8a3899

SHA256
bf05318a08cb1dffc64e6f1aa72e1b5c6f082984ec50364d137b3b78ef47897d

SHA512
ed6fa8649779fa91dafd67d1af8c4433a8aa67a50fea14c60824bff9cee350399e079998609108c61d1f49a6f125b243145fc0433b3b6e288903c3a9076b05bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\EUYS.exe

Filesize
195KB

MD5
186bd685c4748271e2f1faf7a4dee96f

SHA1
49ad20eec16150e494035a571155dacdc14350ac

SHA256
dea0cf7d229610b55f13fc23005d9c399b54e12b153b486ab1bc99a743f72c6b

SHA512
c338c53d753f6b7ff3f678c4bcbf76249d823e1e7ad9b7c86f1c30d54d8edb632a9ce4570a60dc511430ca8a6212d8919abcd4bc6743ebd072e52cc38c0f1869

Download Submit
C:\Users\Admin\AppData\Local\Temp\EcAI.exe

Filesize
656KB

MD5
42ac64b0ff56e3009af3b333c66724ac

SHA1
728cc65be4d160024a62e65725c1218fb81b54cf

SHA256
1d5c24ab68a907e2ce8616a6332260650902d1a6af2c45a670ea9b2ca3db9732

SHA512
b3f663917b86f0ea1efb0898294f788301a138ceb118d493b14c7a8e8857018ffcbb4f55feeb8590ff01ce045a4115c066f8a810917f11e91dca252cb271a78f

Download Submit
C:\Users\Admin\AppData\Local\Temp\EcMC.exe

Filesize
219KB

MD5
5f204afc3a878448685bb28061de0960

SHA1
b03d48d9153d634c8811175228bf8e77f35573d7

SHA256
6702aaaf04da829e05fef6320cc189d10cd9ec61ca5a83fc2a9071e2272481e1

SHA512
9fa669f61ed55cfcee7a2eab504ce13256fd6fe3298ac79b24dbdfa645ecc2a126aa57f86256c71b8dc7c6fb81e22c65925e6be610e57e3663141fdc186dc717

Download Submit
C:\Users\Admin\AppData\Local\Temp\Egka.exe

Filesize
190KB

MD5
f29608b0e55e1e69ce260c5dfd780ce2

SHA1
92eb93aeb1e0c0d24d359b5502d7708050493e66

SHA256
0cf78baecf8f959d5c9f1e8935b9f890a837e7d34b82f2e493b2b4e35479c271

SHA512
1d80af1295b9116248c5271674c1587948a41edf3ed472e23466ecf330754f1ee2eb0e94e5f59f802678855e1a2fefe993ff77a6afeb94b615b3b182aa6874e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ekci.exe

Filesize
201KB

MD5
8627a76fe8e7cae0d39f90b16f6f8739

SHA1
d0a60a67a7ea7db3900d549f2c161f36991ff830

SHA256
b73be7daee552b87de58555084167bfe8fe91456eea5361d2b8dd0088b210966

SHA512
cb4202d554520976eae1fc02ee0e740cd5684c700806d077cfb71e3dec65c709026f1450b4ec193ea4c0cfaf18b37ca2e7bb0df5f4aa6dc572ed2fc6d737f9f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\GoES.exe

Filesize
186KB

MD5
bb45eb845b0d46ab4c88f3bf0a27afdb

SHA1
b187752c26f17dd25b36dc0b5c589d1ea0ccb2de

SHA256
b208f4d43d378bbd16d69bc50c95ed5791f25918ed71b38c0689d56cd46e3a4b

SHA512
e4174291d764c9599fb0cd7ac097279fa5caa752f3c19593249ad26f376472a1aa9b4d34308465cb99b5548bf0dc34f1df64c7d38d7112729d26ee85b90aa709

Download Submit
C:\Users\Admin\AppData\Local\Temp\IIgI.ico

Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\AppData\Local\Temp\IMIM.exe

Filesize
1.0MB

MD5
6862948b5db31e2845eb15d28e43ad81

SHA1
4f9c74b767a989679b5134af32ccaf71aa1bac9e

SHA256
6abc60331b0a83f0978ec2390a14f22c61c8d7e8814fe234ae2d3b30152b812a

SHA512
cbeb7b048da75d89d10ce2c58ad76c3d7cfd9a18428c51eece80efe25b50de69d7428806319c36f557c810865b7e8626605d525193c7c420f19b300862144e6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Icgm.exe

Filesize
192KB

MD5
09758271ce072c696e601961dc9c91a1

SHA1
f6cb7b96c772ef2bf212b2df578a4f692bb731cf

SHA256
c044ea08ddc803f3f5dc428b287a83e82dc56f587d8a4964a8723a92cc938992

SHA512
56998c8a6ce256857841575133cd89acf0610bdff83d5fb3c92776a4e6021cde33e28958c50ed39f25a6f08c36232bbc3a72035d55629ee28e281ecb804307c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IwEE.exe

Filesize
184KB

MD5
80f4ddd8d52be780ca5d522ceebfd2c6

SHA1
f29796144ecb6856021be4f5e828a2943759906c

SHA256
bcf941594df45040ec7acbabbfaae5d8a9a996c0bdc77ec93392c32ae2933683

SHA512
36c7311396860aa248b6fedef3669563780579408d9e622b7ac2f376c21803383e3f4d7bb045fbd41b94eec70993e87a4bb0caaf458c2b7bbd1ad531fddd137e

Download Submit
C:\Users\Admin\AppData\Local\Temp\KUQW.exe

Filesize
202KB

MD5
61e274b31f56c770448b98d93e80afd6

SHA1
64f9073ff3f0428807220c849c95a78dba8670b8

SHA256
3dbe3656f07d1a159c0bc3dc1c65b22631199490e70e20288773c4dfa79dec27

SHA512
810f9485f9b0840916a3aae43ac9ab90c285408e6d1fbc0061decc09ae030762058fc19ed523315af3383f9e5ca39336224d45a7b8297cebb059803075e8238e

Download Submit
C:\Users\Admin\AppData\Local\Temp\KYQw.exe

Filesize
184KB

MD5
8cac43d55d117755e7d4a4aec69cb6de

SHA1
2af72c48b5fc046dd7525eebcc06e5c2a9e58882

SHA256
657834556780ab6e80a7f5eab9901ee31d535c796cda6ca82dbdc3c35faec345

SHA512
71b59db5ebb30ca538a9631fe9244279ab3566e0218fc300f8e9b39c33a17a400b5c45449535100264361135cee2a72a46fbb47208405c97404b3d64589c9bd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\KcIi.exe

Filesize
839KB

MD5
a4dd815ef53bf62da2beeda58c242fad

SHA1
d80b969b709345e3d3bcad54c87f321b2e3c161a

SHA256
2ad84a2b4ce97c8af7b6004f4d62f28289266f76a7cc9be0ca47dece64c2b2d4

SHA512
d8973747ec3ddb0e0887151a766e33f3261d1f311f48e64a63ddd0e93425fed4a7d1438287375097e05ee09da24172a4ae0f4df9329283d31492892eb0387abd

Download Submit
C:\Users\Admin\AppData\Local\Temp\MAUa.exe

Filesize
205KB

MD5
2037a4ee886141d3b8c77a39ae900606

SHA1
5cd810ce29552541cecd86fcb23822a185576978

SHA256
595853672ffacd6a19e529b18633e11b0065b9692fe0923ea4e69d1773185133

SHA512
6f37d9252552835fdd0dd9881fbd3c6a6c07c9583b78da375b193203a228904ccd447882abc4572710279beb2c6c34fb22cb7fd94e49d695ebd67241504994ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mcku.exe

Filesize
5.9MB

MD5
2baa62d9d2a0aeb365b5b05e1c95aeba

SHA1
c5cf7df65db814eba353fa5037e0dbc9d9691b3d

SHA256
9e0550dc0ca659dbce0ec68478c2deddb1ab0c7312d351e9f16c71d544b2ac74

SHA512
c785cfe512cb7149c18e056fb8cac50df04d411f0cfa7fc5f5741a84a929d9bd9f6638acae7be30fc8680344dc65baff3da85195ced4c3f0ce6e9aa2b3b42990

Download Submit
C:\Users\Admin\AppData\Local\Temp\Moos.exe

Filesize
185KB

MD5
6823c57dbb13a6ee022a3969a5069666

SHA1
11c5338b7a8ec173e4a49c35d44deea8f79fdedd

SHA256
982c34803ff5f18027152b28766e186c536ba704eec11e0be4770729d85f9880

SHA512
dfbe08d4d822675aba9b51e16344cc9951b5c672b9b3fc2b6bcbf01bc9e2299e17628d050058852876838e57470cc933ae638d2c6bc1bfcd6e4d18ffeb5ef870

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mssa.exe

Filesize
240KB

MD5
5577ab3c33b0dc160c34057895ba7a6c

SHA1
630fd6c2931c38e642ede4c37872d689c2b612fa

SHA256
272291eed7a53e3b3813e20d11ea0fb68b248cf069cf01f40dd9cde560757c0b

SHA512
d2b607fe456917c550a5414c510d9c662f32abfeb85f040ff90bf6ae164f74792fd9c0c20c755eb81a8d5fcd3a2de24fa1a4e9bfa9760619d1273f5d006c2d99

Download Submit
C:\Users\Admin\AppData\Local\Temp\Oowu.exe

Filesize
1.4MB

MD5
cbbaacd4aba88ace6ad1130cf1104a66

SHA1
cc1fb5c119d0b1e5014607f1188bd5f6e113b20e

SHA256
320b31eabc213612ac62906fb4df8d1f4ac0a626dd5f20ab5564bd3d2af8d260

SHA512
def1026bbdb5de8102b96bbea3830e7120338c2e1034ed0a33be6db669baa664cdd25b689672377c69c816ef0842350017f111eef1ed9a454bc2e1e81985d94b

Download Submit
C:\Users\Admin\AppData\Local\Temp\PcoQooQc.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\QMcC.exe

Filesize
205KB

MD5
7c8e72386596e695e53dc50ba40a769c

SHA1
5c396dd47162c44cd4dcdb5c9fc073edf747c39c

SHA256
fa42578bbb2237e81e1034093b3fa8d050f565a88aa5ab36a2d39f8c1e3e9e33

SHA512
25614513fec636519710965eadfb9b5099fca844c572002260aa8f2efa6de7b11dc51bc1387f75aa77779e66ad3a8df151340e986afa02aca857e7c4926d9ec8

Download Submit
C:\Users\Admin\AppData\Local\Temp\QkUa.exe

Filesize
642KB

MD5
c1933f4f73de8657d9694c0b94a3113a

SHA1
5a0cb895f880512b28f335e647de3d474770cee1

SHA256
a9a2c05fb420ce9554d6c9d5405238ac7d8ee399e8b4b3bac0998a9b6db91098

SHA512
959cd174a46ca404c0f953acdc7cb90fefdd4d56283b894c83e2da3639ebe65bf6399800174a9e1161d08e8c5845e2c06785fb2625fdf78ec1a4ad1cc4e08ee8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qski.exe

Filesize
204KB

MD5
8acbd1eb3ed9fe7a21f6a20a16a9a713

SHA1
ae85cb0b8e39c5f013e958fc50f8d4886c638b0e

SHA256
8476438a4d82096158554ff395b34feea8be57fa2e82033f1c797f85b96377b0

SHA512
cb3f05dcd97ef0aa2eccab6d32ab0e7ded2f46417e1b53006bce5c02173884f9f86d4eda8c0142d50ecd2541fade8073fe1c83cee647e4bcfddb82fc71ca55cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\SEQI.exe

Filesize
212KB

MD5
5ad9b896391bc39eaf6ebfeebc19a56d

SHA1
aa583ed4d8707d75795e47aabc68b301d371885b

SHA256
ad2c2fccc359404c156ae632c037d69304b7cafb2a90382d2b54ab8ec9fdbcfa

SHA512
8a9a57c93566422b5e8dace0b39025d9d0d6c3e12be32a89d6cabe28b23b6806327ee34c0b21053f1831eb340c45a8ad0263ad0960aa1961d6ccd68b3a77bcb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\SIAa.exe

Filesize
433KB

MD5
751802b43daf6e9a51c51316f759f2ee

SHA1
9809e51361d6bb7af52a98ac33b41df15cdbf49e

SHA256
a7ed805788605c1a1cc57fd813a391cc54497daadca5780d676aba7779801e62

SHA512
28fe2af4692b87697472e3bd32b6365d63eab635fcba74dc3b6b0db9c0693f55017f89490495541bbc2596ea793ed3481e61ea262c9828e30abcd9ce802df8b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\SUkS.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\SwkO.exe

Filesize
803KB

MD5
a3900a7b153cb52e53b4c258025ed778

SHA1
e07e32ed99b5fb281f24ed9690170d4e5ad2960d

SHA256
61f99feacfcc32b31a77027ee24f86157e855644eb045bf1284115d457fe7ab9

SHA512
6ba0b09a4a0c2e5a4067dbc3bacb0405352a37741e77240e4e6f0d1b0371f4cac2f69884e18ee8a3d58ea4bd9a78814a25bfc5abd7a7e990b9030c118ece3a7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ucoy.exe

Filesize
803KB

MD5
262571909a0fa7b8629a675001868d62

SHA1
a18a1350e472c0d66678fc85a8d0eb79a7477e2f

SHA256
86f816ce6d89081f29079c3cba4fdfbae804c52b55ea85d8191887980dd42c82

SHA512
76cac0ee77b849a3be972b85fc4560cea1eec038d8d5520e74d43142f197b15a823ef8bf5e6e34289b82c35c4b7d2cc1593b8db75bdb41c4d99d3e0c00f1bcdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\WQQs.exe

Filesize
185KB

MD5
56dc6aa0e890a75b940ffdf3a584fa3d

SHA1
7bdb23f7a82e859eb64abeb5703607283946f18e

SHA256
69bb39b0955bb1f849e175262e16c554ad2bceb93c471421bbeb74b79bf37a10

SHA512
026518c2270b543aa19dc28ec2543c9b4bcf99e931ee02ca1a72542305d43865e691ecc1cd4996822a42ab8e8c7239d9070c3b8797605a31da2c0fdc2ef394aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\WQwo.exe

Filesize
5.9MB

MD5
90191313872fa6d3abcf187ee957bec8

SHA1
48e459a60e0f98de5162dca82fad29b4e3a1fa0a

SHA256
1f15b9c335417e94d6f51324a31191e350bd39abae13fe3e975e9edb2d254852

SHA512
c09b5a5dd004e02ea61061c64542c8afbd3f865cbbd15acc254e9b933df0648713218c630be339bdc0c69eec9ca12859cfd0bfc97eda3badd7f4561fb884f901

Download Submit
C:\Users\Admin\AppData\Local\Temp\YIwu.exe

Filesize
828KB

MD5
6852adda520527b3bcaea3254922a703

SHA1
1f258cc666aba13a7a0cfccc157a07dd795b9155

SHA256
1221a4b8ffae39422dd7e4c37f97f6f06abdb1e21332e05efc750300d1c0b344

SHA512
21d5de36889edacfa2ebe1c9787c5a10ab4eaa0419b9aac557d466c0c58b1f6703480a3d448d00af9b7afe4b98da4b48e08429a84314c8f9ff4c50df0bb0eaec

Download Submit
C:\Users\Admin\AppData\Local\Temp\YcwA.exe

Filesize
194KB

MD5
b017a191dcd8a78bac50de743b531cb7

SHA1
e86774a349dec93c26de5403ba03e35455173036

SHA256
348212e063c33ed8d208c700d033862efe2e045e12c77b13a4fced9e3fd440c5

SHA512
8a07e7bb272065e4c1dbbda49c85cb345591cb9c113c30bae06b17bbe04202d05496d4fd10fbce8375745ca4891c9054ae24c29c6976c6ed1794a96cbd3e320e

Download Submit
C:\Users\Admin\AppData\Local\Temp\YkAC.exe

Filesize
569KB

MD5
edd6fedb02a76ddb8dce4778987b509b

SHA1
1b5b23256244be7038a1fd8f0ef4591c6ce3b89f

SHA256
93cd6a2004d39576fd26a36220c788a69ee2eaf9d1674368bee5b31a8421ccba

SHA512
224d16bac63a721f3b1bf185ffc240207a817ae3acf9949fac9a1117ace568bc2bafe6cb31de849bc877ed2e7902da7f49862e3339cffb3d3231eaa07dff09e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\YkYW.exe

Filesize
321KB

MD5
20c780fe8ba3b3094a0ee19a672badca

SHA1
b2f9345bf9e898c00e4693fcf130ade8d45a0fc0

SHA256
6236f7f7e4a03b5d21d71702ff8fc3454e247b3aebe14eead9bf1b9c21f748eb

SHA512
98e7b6bf7ce662bc1c01d958b284ddc505ef9a7d63dc56535f257b661a1f9a76f4ae9326a8ab561eb9c738498de33249ad311816a3099921dd5818cd285d746e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ywok.exe

Filesize
187KB

MD5
6895bc40156f932545521705b4190769

SHA1
7567efe180c3c1fe4ac7325e5058ef8483bf5444

SHA256
7cb945bbd1721b73af187c37e19fdde9079b08b62895f0f066c652d63fea74e8

SHA512
4411d0dcda7840f137c58cd0b0396475668eaa8802017f8e23dbd8e73d663dcfa29655291970bb2ce0f0cef667a27b446a3420b3a1dee62d759aabb74cd046fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\YwsE.exe

Filesize
309KB

MD5
f5ea3b1e37a1a43c309640b90304d4da

SHA1
8952c6d32b9b5eebd28270548693c45d21a33ac5

SHA256
479db0356d2f9021650466abaa4226d2f1d32ee8c910630a6b807af17235de67

SHA512
e1e5e4ecdf1b7c67cb34b3c04f1e2edd4f9c03e8bd8f902cbf7f4c58a8a9e0d94ad1c368859af366a5572e8e04c41c31f8cfe7838dc6d8ea52d5f6491859a283

Download Submit
C:\Users\Admin\AppData\Local\Temp\aIIY.exe

Filesize
218KB

MD5
2c65d124c424738c6e95e6b989500940

SHA1
d3710a52adc996d5ac77c318b27a8066c93a194b

SHA256
f7bcddbe396e2961206d8b34d120f2503622a709cb15c10b24d68df7a98a57b5

SHA512
9de741982904f6619665f16cdc33673592799d3feee396e16c75163964d70169d8e13eeb33f6458445f06b1af0e47dc50fff4b5719af89edbd6892f4187726c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\aMUc.exe

Filesize
188KB

MD5
fe7a192365af992ed8c503741642dd39

SHA1
3f90226174e2187ad52c1bcf2c8804e3cbf637a0

SHA256
a185cc1be5550537dc9833540890868ec997bc358dce6cc2b12fab1001de692e

SHA512
cc7011736cca14dedf2b43ab300df0b60a8b17dbf59871876ff8ff69bbab11101ddf32fdf5bb2fa4dcdaa7e2dbc84645fed19fc74e24de4e096ce7805a304fe6

Download Submit
C:\Users\Admin\AppData\Local\Temp\aQEY.exe

Filesize
202KB

MD5
cd43b2ea663eda511eb23272af688a42

SHA1
5688571c0ba9fbb6332e236f83bae35de66da505

SHA256
68eca4faac28694696632e5e9c03d3ee5c650714cf91622449dfc2e9c508bfe8

SHA512
61fd9d782c2e6bfab6e2561551e57b140dadb8793b0a9ebc28811dc1ea6eef48a106ace372c6474e49cb6762c80f5a8be1b548d61532b5bcd8923d9869e4d7c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\aYUQ.exe

Filesize
185KB

MD5
b29c1fcb274867324947d54c5a78568b

SHA1
8ffffc5c13f0e35ec77828891f1517f8daea6c92

SHA256
68d68a61876863f78bff0323b9bce0dd8690423572fe1649010cc474e8041368

SHA512
d1dd2f2cf9b8a78572cf0e1b61ab4ebf926af0b8e0c0e30a004d13addfb1d0dd679c26d2c44c18b09c41afb3410e98b174bf8cba9ac32995c6a49c89d013ac8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\akAI.exe

Filesize
193KB

MD5
c8b0a3849ec7dcc94006c7c9eac0e2a9

SHA1
be8c4f4453890294ff35209a18205c8b2b6260f2

SHA256
c91536f44fa65bf3c896febc5bc2a1d92ce37c64dd9fd4046540b0573a50c2b2

SHA512
6a3bdd4f99373200deca11691e642f2485f5246a5379e97ae711e826a2a25accef83399f4bd081892ebf50503430e6226f353a5fcb18a51e1ce593ce79fb3f95

Download Submit
C:\Users\Admin\AppData\Local\Temp\cMIW.exe

Filesize
225KB

MD5
c8b27df29d2608e150fde30b90a1b284

SHA1
89c9cc75bcb56cf6f307128be0d11765c7af1f78

SHA256
687ef9b99ea15cdce88ba6649d92872038899e853d963fefbd5395193ed57c94

SHA512
33f9b62433a06a57a396991c9d9e8b4ac0dfa59f1dd36614b2f7cc852a0b0ba38693ac084ee33c9af4ed7635925c3413a668f902b11c7fe6e16885d29f8c2933

Download Submit
C:\Users\Admin\AppData\Local\Temp\cMoc.exe

Filesize
191KB

MD5
5ccd67d9a5a1772048980fa33d0211f2

SHA1
9ae0a090cb90c7c292dfb0513ce01088142e7f52

SHA256
a69cabca84418b9916d297c00aecce27c50ccf456ba9b4d8ab54eab3f2a4d908

SHA512
ad90e955a4bc8c5532ac3d8366f8e2dd7a41f9c8c5b0424df8a58de8921e36d03bd5c1d5e6a5b4e2c216ad4649b672af476bb62d5113f26824a7b1621955dbd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\cQsg.exe

Filesize
5.9MB

MD5
cf743eb2b75cd6e5880cab9534960bef

SHA1
023435bb21949be22e31128d85b6c464d94ae6b9

SHA256
f08d6970e569d5f242eeea2fa3302244f5ffa396973a4a1bfc061ddb290b47e5

SHA512
98bbd9c084a2085ddcbb285121607191573655fd07df7e0ec12c78c03bf66a3b6d0a32736091f1a7dd34c37139ed963d19f79b14a9a9d485744e1cc1d80b809a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cgYg.exe

Filesize
222KB

MD5
b719d70c2b61be06c51f97db20d07b63

SHA1
1a818fc51f96770fdeddb9f59d4520514d7d3dbe

SHA256
ebf580bde01c0447c7f6700bae967f2bbf1a2c66efefa3b1758f409c72294d2b

SHA512
43d38bbf87bbf595ea4e9a6a05ed38425614e761ac6f0264d1762c1391fef40513351989297b5cd4a0cdbbd1ac55809c423a1d2d93972b562440660b8fd2b99e

Download Submit
C:\Users\Admin\AppData\Local\Temp\cssy.exe

Filesize
198KB

MD5
9481fe4a23712c84d62e9cf31712a25d

SHA1
f9d4fdb7fb6c8d2a5fe6ed2dfb61623041d950e9

SHA256
91b21575f898d17a082c27e0bd183c3abe3a17df0f0d2d39431d8b0c483304f3

SHA512
eac0b4fd54343c7850625ed9eb8cc36c41af97f76d677c1b9da04281cd9970fbe29f6cce577da63f9c629a1991b2197a7e9f1d8850de632878cacb64376fe026

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gEUM.exe

Filesize
231KB

MD5
5ec928ad923f8ded0d93e1e8fb7fb7ef

SHA1
a404fe4fcb79c4ec41d66bb3c9979344999183d7

SHA256
02bd5311cade4e5255a86b47ca09d1caa262b6dcb14fa66be2d463d21d0311ab

SHA512
863c47ed0a1cd123a8b152c12ba872faaf5e6a6930017925ba8af6ddbd776db188e6f9c55c08017af7ee0a320c4495be293e294cef214cf122430898bded47c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ggUc.exe

Filesize
191KB

MD5
af60959d8a5d61d0823f34dc73b7d34e

SHA1
71c785a5c2f7ea23ce8a633cb0c65b752c8afde2

SHA256
7febadd67644f3e686cab3b579b869d9e8db9c532638a32321a594b9d7cc3bfe

SHA512
41f1ed5bdf6635574b62601af5c969512a7886a4a96f21d44048bc1065f7fe3d330c763a401e3bc0d3a160d5cbd4fd1a047629881820ffd17539052ba53b7b3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\gkks.exe

Filesize
200KB

MD5
c0897f5a2639605348e80ecd44f3ed54

SHA1
22dcd12994541df7389270da10e8c8b5418b4807

SHA256
492aa1d7334f275b8e770ff45fa9f42b6301d885453a64b17cb483aa5cde3c68

SHA512
16b831418634c0dcdd5f744ea5fac7c627949652ccd33251103c0c25e4d9714a11c7a62847a20c8d802b51ee504f1bf81f1cde19db1780f3939e923afdb138f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\gwIs.exe

Filesize
209KB

MD5
3d9077966f7cea91aae2e3b889cad8ca

SHA1
355b1033f98c3b925dcf187bfe2b39c466f53e78

SHA256
6bd81f57ca44cb992c07bcf2bcfd39ee8eafbc4dcdea2876f40f183adc9c9562

SHA512
7eb064ab98acf98622035822175f9525a35586196a3e44a0645020c591174a841e86fc2a3f281b39a9808ff4bc7cb64307191ab4f2ebf13f0a9c97d91fcf1bfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\iAAK.exe

Filesize
5.9MB

MD5
95846fdf002fd195b9efcd1db365cc78

SHA1
598aa016cd17be018391c28389aa88d70d678e3a

SHA256
8da3e5195442ed55491010fe900a4fa6a39f268004a3a7d7272f63ba20111048

SHA512
912781bc1705364103d559a38e647f16dcbbd4389ee19cc823930810d23eda2bb8e009472348802d3100b9a00dc3849063bb56ac018c1978990fc9d1d42d4d73

Download Submit
C:\Users\Admin\AppData\Local\Temp\iIcW.exe

Filesize
772KB

MD5
159eeb46ebadb12b47462192a750564e

SHA1
84ec93d2d0c838827c047a51745ade35285ba4a8

SHA256
b823caec956c97c9e0c23922bd6422ba98c011d5b9f088ab1af23a177f15f8c5

SHA512
f7d93bb8d25270eb184d44937f617b19abd612c3c24dee99e50d4b470185fd62f2978e7c5c5b8f03109c6e7cfa4fc2e258e1d797ac0f6c25f8ddd2dea3e5b667

Download Submit
C:\Users\Admin\AppData\Local\Temp\iQQS.exe

Filesize
197KB

MD5
950007d0386e92690b8dacbe0146da06

SHA1
089e71ea67f2607c0a9a7c74fbbde12054e199f1

SHA256
8b0001fb178c9dbffc174967a021d4ec50f4785cd9a1b0c03d9823a85c3f1d0b

SHA512
cd19077a84a5f307533bbdc83454e1139ba6228e9e53dddc4fa00a49ecc4c2d80a3705bed30761431c4dd0f5319bcc96bb600797c2027f69f1dffd7026316bb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\kUka.exe

Filesize
189KB

MD5
f63ccfd1cd6224f0af69f4f7bec6b834

SHA1
3569052e47bcb59b12692bed5f4813d273bea1cb

SHA256
6095cc9e10db019328eec0f29c6d44d80c251b1c8b19b7f326e0c4261e847d07

SHA512
2c19ed878a1767c4fc55f7cd9160bda5192176867c78bbe7cdb0a8df26e7816c41a05134051f6fcdc3ea7c691caccb4c2771c36697e06d0d6707ad4f312a4f35

Download Submit
C:\Users\Admin\AppData\Local\Temp\kcIg.exe

Filesize
198KB

MD5
5e2adfe36cb5f19ceabd1290e8e53dcc

SHA1
3f1fd077101dff9ad8d88c594ea1c24c899f0bca

SHA256
d3e7f8adb9f79e689bbfbceb8dc132918f5b95a2863379e6f24bdbda032739c6

SHA512
d046e5c7c0dd34604880934bf81fa439795bad0aa041c1a8bb4c1773a26d12a001bcceb6d03c14fd0d4a63423c5aa5618fcd4e7f9600307ee3d4b45bdef7fb96

Download Submit
C:\Users\Admin\AppData\Local\Temp\mAMQ.exe

Filesize
245KB

MD5
6f419ffcd06074254d87b3611c4ee33c

SHA1
66b0751b16d234f74495b667cd0f30889103b483

SHA256
990f60aa353b3ba4c053d12882690997bcffc7509bb2574796725ccb8e8b9da1

SHA512
efb209492dc2d2c5a681603f14d317ded788ad577aa626e22b6a34afc51a86d7e3697a920e92b04b2aebd8d6a0f6f318997c2ee471b832dc16050894eb0fa95e

Download Submit
C:\Users\Admin\AppData\Local\Temp\mAgO.exe

Filesize
203KB

MD5
39c596db24dae44afc27535c87f079a0

SHA1
0a721fa792194cc7dc2270d664cf69e122ed1f77

SHA256
4d3836d6473caa487ac58f6219c1802007bd4750f73cc9b2161a8316f153168c

SHA512
e79d12d7b273497403c4c984cdd48af545676e1b0565a2763265493d2d06f177998798cd3f11d68cad38eb2f46e381818641be11689229a934fd2d0d236a3342

Download Submit
C:\Users\Admin\AppData\Local\Temp\mEMA.exe

Filesize
5.9MB

MD5
00fdb0eddb51a82b974fa43ef152de09

SHA1
354e1b6236e0fb45a3cca5d2860a294fecf0e078

SHA256
6851c63814a6e870f080225df328ee00fe39386a7107efdd84bbc25b53ef759c

SHA512
ed8244816e4a0ba2b2e0236994533606c6ee58e3032c2d323fa0843305f538f8e4f53a44d0078a4df651abcdb3a9464fa5350b7e6135007717de2cf6eaa70e0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\mMMS.exe

Filesize
192KB

MD5
70049a36b34234530296b15ac2bb3637

SHA1
fbac5b05ab872f57b97720c1a40ae9926333703b

SHA256
fd3507b3e616aacb3128497b3c87540850ce0923650f0cb7ff2f4e2c1ed3a188

SHA512
f0131dc1b6efa57edec382614af13a461e6e1bb03ee3cfcb73aa56a4fb8c0515e3717974b24efa1f3d7f7382f81c25554f021ed4e7ef26a912eb89323b7d8a20

Download Submit
C:\Users\Admin\AppData\Local\Temp\moQE.exe

Filesize
777KB

MD5
3d7b932f7329865303d8876d44be6f09

SHA1
5f2709597b5d850bb2c4764a5fe3ca6c978b89c2

SHA256
9be64dfd80c4c8a5129694b63d3c7e703fc845392a706ebf080fa47eb8ef6393

SHA512
b948019d2f642bdc7ff8646729b785c51c40e909a3e31133beb1b985f15d566c37bf9057925bb308c1371a3d3b8365e182921eafe6bb0289c5e380c671a3a161

Download Submit
C:\Users\Admin\AppData\Local\Temp\mwoQ.exe

Filesize
188KB

MD5
d946f487af272e0d2fdfc7bba0e51773

SHA1
7573d031a0cb15d2997fe75f060f98e9bb22da7e

SHA256
2b502851d1308b769947ef794e109de328a9a3fa4e9098a9dc76f018dd6c48cf

SHA512
43d8f6a1763436efb567accfa9226f087f7521c2a38cde9720f6b8d16c7a415166b3eae88df9d14b30c5368b416f8ba21d3be5d33637f213b9d01be1f74efc84

Download Submit
C:\Users\Admin\AppData\Local\Temp\oAIK.exe

Filesize
202KB

MD5
a58cd4c514b1e981341634ac600749aa

SHA1
386aa360f414bf25a011eb87fc6ef30b995f0e37

SHA256
129c18d9df4ba166c7089408bb64bf807ab2ea4630c5d0017b0b72a807b89e30

SHA512
4dd3c9fd1a954c29107feeee41f914e0d12af3076d690c45d2c79881da0d96a645cc75465ad9c7b4d1162cbcbd1e9d7663abf18182d3bb8a8b67b8dccbc60eef

Download Submit
C:\Users\Admin\AppData\Local\Temp\oIgU.exe

Filesize
192KB

MD5
ac6c74e694cb66f0969839b066fa41db

SHA1
50634a7cd723a9cbba89993b6f7d27ba1f003bd7

SHA256
89801e9e2da49607b3bfffba171d229865ffbda840876dbf29a076fc832a264b

SHA512
6bf80c40f02a584c4ca93908458530c903b73a893e17a2bc155bdc79be189ab417a416c5396cf9732d367226c8f49d77a660410a9fa4c93349a7f5b7bd1c1859

Download Submit
C:\Users\Admin\AppData\Local\Temp\oQcq.exe

Filesize
212KB

MD5
b6f47fc567364fe69029aae0b8713c8f

SHA1
6733c5e6bb512acd1ccd2f89b898e7bedd9dd34e

SHA256
36310aa69d68f58e332583eef2d7da7ad48de7e68937104a8d522699ac77a23e

SHA512
6652d013c2d3c97b39fe4fc3cdfa77b2feaf0e4b3c4f1a565ff132810f36091d09152bee70f0ab33cdcbddd31a8e3a1ce7c5d3805e9f7e2b0d9855180298d513

Download Submit
C:\Users\Admin\AppData\Local\Temp\okwg.exe

Filesize
183KB

MD5
79af569e0ca977e0f68d2e812631a73b

SHA1
3473fc2a4e15ff43b03615d0c9e1b25f12a83277

SHA256
4a91245f078a762cc1011f00e29ee7949702c8598b64dd6d5252c0c1835ab0cd

SHA512
a7ab68f5d5befa11ee3fe999eb0371a30b39a0c92001b8cab5376918d0d5e56eb3adbec5c11a9b84e3705591ca82fdb9f60432ce65580ff525803d17caa4ff98

Download Submit
C:\Users\Admin\AppData\Local\Temp\osAW.exe

Filesize
189KB

MD5
1910556b3d5616fba9f2cbc01c462906

SHA1
f24f32aad9f42b02ab5ec6df21ec11ba9585ecbb

SHA256
d1e98613bf4278b0593c9861e12c7c1a04717d06c18d571b052466ea2a98da55

SHA512
83e0776825ced9fdb5a40f7346c8f4debddbd383838b9d91377d569c0925e17ec6b84d7ddcc71f2cf200685c2cab6450666fc7eea28b4a570588b59e164289fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\qEEY.exe

Filesize
203KB

MD5
611b6cdc0665ba37996fe79c75ba8b91

SHA1
e19fe62001d9359d11b3799d05ec883cccfb2087

SHA256
c62ac804921b1dd8821366cff0d9a4a15964f2dcbeb34bcd1f01b9e97f60f446

SHA512
35c0d256ec4bdb2a4fc3ed0c468bdadbc77f3f9e05e9c1c3f98af611bd7b4289afe2c23fc9abe6b3d56054ee4c62e7181ff95da0468e86ea6e96e9d7c196739f

Download Submit
C:\Users\Admin\AppData\Local\Temp\qIEY.exe

Filesize
207KB

MD5
658cd7e682993c817c4d7ad13a2109af

SHA1
4ec3384fdf63b391ad23834e4cda899c5c996b5e

SHA256
38cc0a65b0ffa322bde141a6b6d25892db6e1a4bcb5fe2ab1cb4ab05142f1849

SHA512
78b7d5d1e7153d4290b760fc7ba21bfc254a249da6d31aee65900a7ed45dc9b3d57cce5fcc18bdd65137bdd3ecadd6d66dca78082bf0e8e49994b8e27d3f015a

Download Submit
C:\Users\Admin\AppData\Local\Temp\qMYs.exe

Filesize
194KB

MD5
ba3d6d9571d5fa3c0d49055a379c8ae5

SHA1
b29e64b210c7ad4c828ee74dabca71a7c00c1d53

SHA256
e0a6729058eae56ba53d25f8f9099300f75bd4159f85fa74077fbc4fa3594c28

SHA512
c295f358e4b685e3112529a662949ea7b104c04a8a86a5dce989b7c2706a8cd138c1324bbc8f3a1e39eba7ca10127db686ca49e14cd4f02001d8943d1b52f96e

Download Submit
C:\Users\Admin\AppData\Local\Temp\qUIS.exe

Filesize
234KB

MD5
1a98946e1ffb54521b83f098789e0293

SHA1
483db857ce56a67bdfa45b56805f4613089d6552

SHA256
c7738b62f2ec633c5eb663aa4c6a45450c5970558caacbfb507097cb40d295ae

SHA512
2d07bd78404b8ee6cac86cb3daf3719f9a6e8c432e87496668e5fcdafdbfea43ebf5fd5f6f0196f4d3e310e0141acc2c511677a3ca1d409757037055d4d82d83

Download Submit
C:\Users\Admin\AppData\Local\Temp\qgQG.exe

Filesize
1.8MB

MD5
60a9e9cdfa45db8dc9eabb0ca7ef33d0

SHA1
40ef87258f688efd2f38fdd32081164c867f4766

SHA256
d526e2ac4846f7dddaba34f92f41eceaf747fb8bf9620314c64980d69dc2c954

SHA512
6141d72dc68965d191a8038d5ea5fdb6cc640e068dc080ab00f6180de4ebd3ed760cd80b864ae445cf79776d43155ca84cf3af7d934e43c44e448c096ec5951e

Download Submit
C:\Users\Admin\AppData\Local\Temp\qgkO.exe

Filesize
192KB

MD5
19b071de8a85058f77a88bd00807d67d

SHA1
f309ccc2254315188605cea1525331b82b0b4164

SHA256
3b0658c2ef3a89c878c00de3c680d362dd088bc2a356c6960467c9223cb6afc4

SHA512
d97b503a2773621751939cc6f7ac62a1b765edd72e402fa07a301c75116bb65e2089829634f7187a792bd6fdff3d535e4ca7981ad0cb8713569fd936df62750a

Download Submit
C:\Users\Admin\AppData\Local\Temp\sAQw.ico

Filesize
4KB

MD5
d07076334c046eb9c4fdf5ec067b2f99

SHA1
5d411403fed6aec47f892c4eaa1bafcde56c4ea9

SHA256
a3bab202df49acbe84fbe663b6403ed3a44f5fc963fd99081e3f769db6cecc86

SHA512
2315de6a3b973fdf0c4b4e88217cc5df6efac0c672525ea96d64abf1e6ea22d7f27a89828863c1546eec999e04c80c4177b440ad0505b218092c40cee0e2f2bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\sUwC.exe

Filesize
204KB

MD5
de3718add79eb62f1e4ff2225724c946

SHA1
b1b44681d4737f7937a80056aca21a9c767358ad

SHA256
f309b549ddbe33949dc8d0f49c162847d0b5f2c8d6890200176280702d2f1a88

SHA512
35fe2a516df0d3d86e0f3f50ee73c19879f20d6add5b68b741a51cba73d99b573d7e9e9bbebe126d9e6a4bac3e726e8415f9ca0392783a6211f8665aa25bbc23

Download Submit
C:\Users\Admin\AppData\Local\Temp\sYwS.exe

Filesize
843KB

MD5
4659f942eae7a66924fc9420a4778898

SHA1
c8c26d84d2e77b9b0073a3480ab95927c1c817a9

SHA256
6c3ad024db7aa3f3a53f6c43934f15efc8bfb491b9282c02c6236360dca806b1

SHA512
4e95133b928ded3fd56d557659d25354a8ac4bb64d52de9f8967614180f16418774d9b31846416bbda162860a71b066d2c93a77aeee8dcd46e71ff360ca32429

Download Submit
C:\Users\Admin\AppData\Local\Temp\uIYC.exe

Filesize
198KB

MD5
650af79d664c36b311875f4baf268485

SHA1
3bc7706c711c8f415369b7d6648cdafbf7ea9955

SHA256
37b1aaf1f1f2a41b8686d847d87b366a87681edf9cd5b7897d30928fa95556c8

SHA512
c59bf51b4c40ce5402551505f25478a9ceeb1ccdb7be1c4cbc1f88d0ffae627dfe6cf1b6f29b2e8748469dfb47ae85747b9c5291480ad67b25400a7992e86af8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ucMK.exe

Filesize
192KB

MD5
ad770743422dc370a67d8262429a4275

SHA1
7d26fca65bedaeb0396db8061f2d07c2c77066ee

SHA256
ca90cdd10f12d3c61f7bcaae3ea7ac1382585f1aa1df2909ac401586d4d45a11

SHA512
9f6140d31fd9f35be55a538f4f298be3cad3dfdbf5909164dca0e3efd44d0cb46a5326b08815a10bb4789d3538d36480086f28d17b69e9b75560f7b2854dd9ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\ukMO.exe

Filesize
198KB

MD5
44161e470b886487f127b17eb95ab712

SHA1
18b3d13e0566e6cfcd16513e13446ebb1c83ec4b

SHA256
abdefa4811f596090dd68f0816052b2b91afd94a6b39fd17e316341b27da5005

SHA512
b90c387d9036c60e5ba4bd2ac0152fce3bd8bd80202ca898aa6f73938ae31ff594a27e8f3702956c41a1f5766ec9bed3dc933acaaeb0c257b29c07fea9612728

Download Submit
C:\Users\Admin\AppData\Local\Temp\ukkm.exe

Filesize
5.9MB

MD5
18d7b3104b99905817ee9d6bc5e5f7f6

SHA1
13fc0ba0bf11601a5fcc505efb60403b1173ab17

SHA256
cd97c724b764f7664dc84a9b993e73be449a9e585b406566eb16821fb4f4b07a

SHA512
f11c92c1e301f019336eb55df5497bbd3215e19c028c0597501f4323d9f8fa189a995f6d9b7bc66d15343528ecae960d5867034f06fcfc059eb1c2892c92e4c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\uowu.exe

Filesize
270KB

MD5
abea690c79e383b887a9726b2201ee38

SHA1
ae09c33a98c3c050c41111a59121a460e5f16201

SHA256
c8cd36f0c9a50b4c04ec2ffcc80acc1263cf04abdbdd1b4f1ccf765da30e3d49

SHA512
272b8fb94f3ad9873f0423f6d351fb97a943ebd4425de5cef388166a04ae758fd36a8bbd8388993fc0d0d80fc3656f476a1196805437c95813f895edea4b3bc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\wQEW.ico

Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\wcks.exe

Filesize
321KB

MD5
d8bf9ea44f081fb772d174259e984655

SHA1
3506d51f1828d5415f0841fc4ca7248d80e04ed8

SHA256
aa668980cd3fd178bbeb660b22959091164e2cdcf62f1649055fd3742cf0210f

SHA512
d743545fcc55fd90b8acd6c3a4c519a4444c612da72a1032907994c29c436a12c0dfe06bc036df9b3178aac54fe0d7166b45a4ad3858522e18a8acc2ccb094ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\yQQA.exe

Filesize
323KB

MD5
a2b6a2690de164f2d36e10fd76fde571

SHA1
f451c947149055484749014fb8868d933fd96348

SHA256
97c82e5761ee2d5d1c73c0f1fdbefe831bf0fb2a54bda1722ab272a35eae2238

SHA512
781234c9ed53bce59846a1a2faa4840e2f95aa528a7bc5b480d42206ba470464ed9099d66f097347d48744dedc1d24615cdeed6840b32ae629445053a403379b

Download Submit
C:\Users\Admin\AppData\Local\Temp\yYoe.exe

Filesize
654KB

MD5
a81d37cbb038ec3bef24187260068000

SHA1
e34ea2360ae2e5d5eeccf0c626e81599764103f5

SHA256
9d13cfae623e4f325056e33fd436ea2f907883a20833ee9582761789a9070b9e

SHA512
6ad9a48866394ef36f2f2545699db92e9c1fac8b647312fbcff2b9c68f6da7c683fea6db9e1520f4b9f08c1ba789c355e882f9a2e2a1cd3a4157166a99eae577

Download Submit
C:\Users\Admin\AppData\Local\Temp\yYso.exe

Filesize
206KB

MD5
6076001f5992bf4e3f74c2eca1a8639c

SHA1
bea6e26c7237bec394dc893e585d6a3b91105d1e

SHA256
04824ce517ace4388d50ad79ebb70e92a57f1b435c8597353c23dd49e5b552e5

SHA512
c286427794ac606abc13378df40ee4a8d0a5f1c779936fc780a0e1ee0fc8ef6145d602fc737e4beb45fb646bda5e468c7a4662fcc6c5ee333417329537b5dead

Download Submit
C:\Users\Admin\AppData\Local\Temp\ysYk.exe

Filesize
624KB

MD5
38a90081f71a55f34a8621707db36423

SHA1
b2a96c8eb8e8fc12cd21c47e18d41966b7ac3c85

SHA256
0ee5b8e07db1bbc20b88aad1e35a8eb76439283e621f54e8bf0e217080b87d3a

SHA512
a26ab20a7820249865987e1c78aa74b54f18db74c9fe3372471e30b5a8f3721c3e0d7ffbc3d4e8570a0013a9a0964af189a3e0cafa53f73bf5d30406cdda68d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ywYm.exe

Filesize
186KB

MD5
f8757c568d3b8dd55716eced7412d589

SHA1
5abda8d5ffef75778d6fbc07476ca40ce7296a3d

SHA256
ffdb6a1b8a3d5a8649ab14d019299aaa1eebf85d73f80ba8a1da90830d1f127f

SHA512
0b21190964793043abca9d98b2b28ac512cd90c139cb459d2b2e1d58bc6608495d76d00c1d09adcccfa327b21e628b7ce3a64a9c225026235b8ad860e16729eb

Download Submit
C:\Users\Admin\ZiAIAMoA\qgEkkUEc.exe

Filesize
180KB

MD5
2a9938f5d984a2aaa81cfad748bca25b

SHA1
a8572b21ebef44ce6df2b9efbf403e8494b69ee9

SHA256
ff72c2e99c7afb5585dbea203323f7b710676d8d878819761016312672163780

SHA512
d5ecb7d13a0124f0cbe55a2a68cc6b8e599cc9ff0250ad0fa98098bee9b65a3a4fe3f47b910eef87a8e92701dd5c839b5b62d80f033797abcc2b8dd17dc62be3

Download Submit
memory/208-422-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/216-588-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/396-412-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/396-46-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/396-30-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/436-514-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/512-540-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/512-551-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/712-108-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/712-92-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/740-323-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/740-315-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/880-84-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/880-66-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1056-278-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1280-190-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1280-206-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1284-361-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1284-369-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1380-133-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1380-118-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1524-587-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1668-252-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1668-268-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1748-377-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1920-579-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2144-432-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2144-440-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2228-287-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2228-275-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2300-451-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2300-441-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2332-479-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2332-469-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2408-157-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2408-141-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2512-459-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2540-506-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2776-194-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2776-178-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2804-15-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2920-396-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3048-553-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3048-560-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3096-386-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3096-378-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3136-168-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3136-154-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3272-220-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3272-202-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3328-515-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3328-314-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3328-523-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3328-306-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3396-342-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3396-350-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3456-286-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3456-295-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3564-531-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3564-331-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3672-34-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3672-16-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3964-488-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3964-496-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3984-404-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4000-256-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4000-240-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4004-359-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4036-96-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4036-80-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4280-487-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4292-341-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4292-105-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4292-122-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4328-58-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4328-42-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4348-145-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4428-229-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4428-244-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4500-460-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4500-468-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4508-54-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4508-72-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4656-561-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4656-216-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4656-571-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4656-232-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4660-182-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4724-431-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4724-423-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4808-305-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4884-7-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4980-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4980-20-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5060-532-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5060-543-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download