d8a28b2bb503def54e8df385900178c4171a9001572d13404eb686374f03b53d

Analysis

max time kernel
150s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
16/05/2024, 17:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
Size

186KB
MD5

0eb102ecb51f8e10435254be3bf01205
SHA1

870d51046c2fb58036f64b8098f33bd3bee2f376
SHA256

d8a28b2bb503def54e8df385900178c4171a9001572d13404eb686374f03b53d
SHA512

82b3ff82abe178b2b7595044fbc7858a638f2d9ca4238e767ba1bf1fcc76c612b63a37976638b8f7d983eda9f3995cd698ca1d2bb7f287ef820e28189a556f3c
SSDEEP

3072:QEo6yybsJfVGZJFHK0hdpgydymuSKF2jCxqFLB4uWS:jo6RbsJNaXK0hdVdwl8OcLsS

Score

10^/10

evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (89) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Blocklisted process makes network request 4 IoCs

flow	pid	Process
41	3628	Process not Found
44	3628	Process not Found
48	3628	Process not Found
49	3628	Process not Found

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	IKIoAcQc.exe

Executes dropped EXE 2 IoCs

pid	Process
3020	HqgQsocY.exe
5076	IKIoAcQc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HqgQsocY.exe = "C:\\Users\\Admin\\eEEUAocQ\\HqgQsocY.exe"	2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\IKIoAcQc.exe = "C:\\ProgramData\\pkcUwQAA\\IKIoAcQc.exe"	2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\IKIoAcQc.exe = "C:\\ProgramData\\pkcUwQAA\\IKIoAcQc.exe"	IKIoAcQc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HqgQsocY.exe = "C:\\Users\\Admin\\eEEUAocQ\\HqgQsocY.exe"	HqgQsocY.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
4332	reg.exe
3252	reg.exe
4400	reg.exe
2184	reg.exe
4692	reg.exe
2996	reg.exe
1596	reg.exe
4952	reg.exe
228	reg.exe
4452	Process not Found
4660	Process not Found
3136	reg.exe
1448	reg.exe
3136	reg.exe
4844	reg.exe
2208	Process not Found
1228	reg.exe
3772	reg.exe
2088	reg.exe
2524	Process not Found
2976	Process not Found
1424	reg.exe
3808	reg.exe
3516	reg.exe
4716	reg.exe
1572	reg.exe
944	reg.exe
1824	reg.exe
2328	reg.exe
2184	reg.exe
1404	reg.exe
5020	Process not Found
2172	Process not Found
4952	reg.exe
1296	reg.exe
2096	reg.exe
2192	reg.exe
2768	reg.exe
3252	reg.exe
3548	reg.exe
1064	reg.exe
1832	Process not Found
1824	reg.exe
3144	reg.exe
3952	Process not Found
3364	reg.exe
3484	Process not Found
3620	reg.exe
4076	reg.exe
2768	reg.exe
4684	reg.exe
2456	reg.exe
4684	reg.exe
4028	reg.exe
3548	reg.exe
2284	reg.exe
3432	reg.exe
3940	reg.exe
4892	reg.exe
4928	reg.exe
436	reg.exe
3364	reg.exe
2484	Process not Found
4844	Process not Found

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1012	2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
1012	2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
1012	2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
1012	2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
1296	2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
1296	2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
1296	2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
1296	2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
5068	2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
5068	2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
5068	2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
5068	2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
3384	2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
3384	2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
3384	2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
3384	2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
3960	2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
3960	2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
3960	2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
3960	2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
2632	2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
2632	2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
2632	2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
2632	2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
5112	2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
5112	2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
5112	2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
5112	2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
1536	2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
1536	2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
1536	2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
1536	2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
3712	2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
3712	2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
3712	2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
3712	2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
2632	2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
2632	2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
2632	2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
2632	2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
2140	2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
2140	2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
2140	2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
2140	2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
1308	2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
1308	2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
1308	2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
1308	2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
3408	2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
3408	2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
3408	2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
3408	2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
3896	2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
3896	2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
3896	2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
3896	2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
4716	2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
4716	2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
4716	2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
4716	2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
4568	2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
4568	2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
4568	2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
4568	2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5076	IKIoAcQc.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
5076	IKIoAcQc.exe
5076	IKIoAcQc.exe
5076	IKIoAcQc.exe
5076	IKIoAcQc.exe
5076	IKIoAcQc.exe
5076	IKIoAcQc.exe
5076	IKIoAcQc.exe
5076	IKIoAcQc.exe
5076	IKIoAcQc.exe
5076	IKIoAcQc.exe
5076	IKIoAcQc.exe
5076	IKIoAcQc.exe
5076	IKIoAcQc.exe
5076	IKIoAcQc.exe
5076	IKIoAcQc.exe
5076	IKIoAcQc.exe
5076	IKIoAcQc.exe
5076	IKIoAcQc.exe
5076	IKIoAcQc.exe
5076	IKIoAcQc.exe
5076	IKIoAcQc.exe
5076	IKIoAcQc.exe
5076	IKIoAcQc.exe
5076	IKIoAcQc.exe
5076	IKIoAcQc.exe
5076	IKIoAcQc.exe
5076	IKIoAcQc.exe
5076	IKIoAcQc.exe
5076	IKIoAcQc.exe
5076	IKIoAcQc.exe
5076	IKIoAcQc.exe
5076	IKIoAcQc.exe
5076	IKIoAcQc.exe
5076	IKIoAcQc.exe
5076	IKIoAcQc.exe
5076	IKIoAcQc.exe
5076	IKIoAcQc.exe
5076	IKIoAcQc.exe
5076	IKIoAcQc.exe
5076	IKIoAcQc.exe
5076	IKIoAcQc.exe
5076	IKIoAcQc.exe
5076	IKIoAcQc.exe
5076	IKIoAcQc.exe
5076	IKIoAcQc.exe
5076	IKIoAcQc.exe
5076	IKIoAcQc.exe
5076	IKIoAcQc.exe
5076	IKIoAcQc.exe
5076	IKIoAcQc.exe
5076	IKIoAcQc.exe
5076	IKIoAcQc.exe
5076	IKIoAcQc.exe
5076	IKIoAcQc.exe
5076	IKIoAcQc.exe
5076	IKIoAcQc.exe
5076	IKIoAcQc.exe
5076	IKIoAcQc.exe
5076	IKIoAcQc.exe
5076	IKIoAcQc.exe
5076	IKIoAcQc.exe
5076	IKIoAcQc.exe
5076	IKIoAcQc.exe
5076	IKIoAcQc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1012 wrote to memory of 3020	1012	2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe	90
PID 1012 wrote to memory of 3020	1012	2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe	90
PID 1012 wrote to memory of 3020	1012	2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe	90
PID 1012 wrote to memory of 5076	1012	2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe	91
PID 1012 wrote to memory of 5076	1012	2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe	91
PID 1012 wrote to memory of 5076	1012	2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe	91
PID 1012 wrote to memory of 552	1012	2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe	92
PID 1012 wrote to memory of 552	1012	2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe	92
PID 1012 wrote to memory of 552	1012	2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe	92
PID 1012 wrote to memory of 1320	1012	2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe	94
PID 1012 wrote to memory of 1320	1012	2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe	94
PID 1012 wrote to memory of 1320	1012	2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe	94
PID 1012 wrote to memory of 1000	1012	2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe	95
PID 1012 wrote to memory of 1000	1012	2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe	95
PID 1012 wrote to memory of 1000	1012	2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe	95
PID 1012 wrote to memory of 664	1012	2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe	96
PID 1012 wrote to memory of 664	1012	2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe	96
PID 1012 wrote to memory of 664	1012	2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe	96
PID 1012 wrote to memory of 4232	1012	2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe	97
PID 1012 wrote to memory of 4232	1012	2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe	97
PID 1012 wrote to memory of 4232	1012	2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe	97
PID 552 wrote to memory of 1296	552	cmd.exe	102
PID 552 wrote to memory of 1296	552	cmd.exe	102
PID 552 wrote to memory of 1296	552	cmd.exe	102
PID 4232 wrote to memory of 5000	4232	cmd.exe	103
PID 4232 wrote to memory of 5000	4232	cmd.exe	103
PID 4232 wrote to memory of 5000	4232	cmd.exe	103
PID 1296 wrote to memory of 3380	1296	2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe	104
PID 1296 wrote to memory of 3380	1296	2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe	104
PID 1296 wrote to memory of 3380	1296	2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe	104
PID 1296 wrote to memory of 2524	1296	2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe	106
PID 1296 wrote to memory of 2524	1296	2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe	106
PID 1296 wrote to memory of 2524	1296	2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe	106
PID 1296 wrote to memory of 448	1296	2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe	107
PID 1296 wrote to memory of 448	1296	2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe	107
PID 1296 wrote to memory of 448	1296	2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe	107
PID 1296 wrote to memory of 1436	1296	2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe	108
PID 1296 wrote to memory of 1436	1296	2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe	108
PID 1296 wrote to memory of 1436	1296	2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe	108
PID 1296 wrote to memory of 4508	1296	2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe	109
PID 1296 wrote to memory of 4508	1296	2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe	109
PID 1296 wrote to memory of 4508	1296	2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe	109
PID 3380 wrote to memory of 5068	3380	cmd.exe	114
PID 3380 wrote to memory of 5068	3380	cmd.exe	114
PID 3380 wrote to memory of 5068	3380	cmd.exe	114
PID 4508 wrote to memory of 2156	4508	cmd.exe	115
PID 4508 wrote to memory of 2156	4508	cmd.exe	115
PID 4508 wrote to memory of 2156	4508	cmd.exe	115
PID 5068 wrote to memory of 1840	5068	2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe	117
PID 5068 wrote to memory of 1840	5068	2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe	117
PID 5068 wrote to memory of 1840	5068	2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe	117
PID 1840 wrote to memory of 3384	1840	cmd.exe	120
PID 1840 wrote to memory of 3384	1840	cmd.exe	120
PID 1840 wrote to memory of 3384	1840	cmd.exe	120
PID 5068 wrote to memory of 1060	5068	2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe	121
PID 5068 wrote to memory of 1060	5068	2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe	121
PID 5068 wrote to memory of 1060	5068	2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe	121
PID 5068 wrote to memory of 4088	5068	2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe	122
PID 5068 wrote to memory of 4088	5068	2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe	122
PID 5068 wrote to memory of 4088	5068	2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe	122
PID 5068 wrote to memory of 2564	5068	2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe	123
PID 5068 wrote to memory of 2564	5068	2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe	123
PID 5068 wrote to memory of 2564	5068	2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe	123
PID 5068 wrote to memory of 4816	5068	2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe	124

C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1012
- C:\Users\Admin\eEEUAocQ\HqgQsocY.exe
  "C:\Users\Admin\eEEUAocQ\HqgQsocY.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:3020
- C:\ProgramData\pkcUwQAA\IKIoAcQc.exe
  "C:\ProgramData\pkcUwQAA\IKIoAcQc.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:5076
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:552
- - C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
    C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1296
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3380
    - - C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:5068
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1840
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock"
        8⤵
        
        PID:4540
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock"
        10⤵
        
        PID:4704
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock"
        12⤵
        
        PID:1444
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock"
        14⤵
        
        PID:4684
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock"
        16⤵
        
        PID:3788
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock"
        18⤵
        
        PID:3004
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock"
        20⤵
        
        PID:2192
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock"
        22⤵
        
        PID:4492
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock"
        24⤵
        
        PID:4076
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock"
        26⤵
        
        PID:3948
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock"
        28⤵
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock"
        30⤵
        
        PID:4400
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock"
        32⤵
        
        PID:2140
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock
        33⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock"
        34⤵
        
        PID:2564
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock
        35⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock"
        36⤵
        
        PID:3624
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock
        37⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock"
        38⤵
        
        PID:4492
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock
        39⤵
        
        PID:608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock"
        40⤵
        
        PID:3144
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock
        41⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock"
        42⤵
        
        PID:3896
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        43⤵
        
        PID:4880
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock
        43⤵
        
        PID:4452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock"
        44⤵
        
        PID:408
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock
        45⤵
        
        PID:1356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock"
        46⤵
        
        PID:664
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        47⤵
        
        PID:2096
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock
        47⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock"
        48⤵
        
        PID:4844
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock
        49⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock"
        50⤵
        
        PID:3952
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        51⤵
        
        PID:3772
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock
        51⤵
        
        PID:1192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock"
        52⤵
        
        PID:3216
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        53⤵
        
        PID:4896
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock
        53⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock"
        54⤵
        
        PID:4840
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock
        55⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock"
        56⤵
        
        PID:2208
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock
        57⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock"
        58⤵
        
        PID:4496
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock
        59⤵
        
        PID:944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock"
        60⤵
        
        PID:3552
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock
        61⤵
        
        PID:1356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock"
        62⤵
        
        PID:3516
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock
        63⤵
        
        PID:4792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock"
        64⤵
        
        PID:2440
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        65⤵
        
        PID:2324
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock
        65⤵
        
        PID:4452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock"
        66⤵
        
        PID:3808
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock
        67⤵
        
        PID:448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock"
        68⤵
        
        PID:2972
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock
        69⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock"
        70⤵
        
        PID:3700
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock
        71⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock"
        72⤵
        
        PID:2208
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        73⤵
        
        PID:3728
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock
        73⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock"
        74⤵
        
        PID:2132
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        75⤵
        
        PID:4840
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock
        75⤵
        
        PID:4952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock"
        76⤵
        
        PID:1436
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        77⤵
        
        PID:4736
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock
        77⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock"
        78⤵
        
        PID:2976
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock
        79⤵
        
        PID:3668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock"
        80⤵
        
        PID:1356
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        81⤵
        
        PID:4452
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock
        81⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock"
        82⤵
        
        PID:2912
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        83⤵
        
        PID:2688
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock
        83⤵
        
        PID:3808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock"
        84⤵
        
        PID:3728
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock
        85⤵
        
        PID:4792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock"
        86⤵
        
        PID:4516
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock
        87⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock"
        88⤵
        
        PID:220
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock
        89⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock"
        90⤵
        
        PID:2484
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock
        91⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock"
        92⤵
        
        PID:2692
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock
        93⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock"
        94⤵
        
        PID:4268
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock
        95⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock"
        96⤵
        
        PID:4728
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock
        97⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock"
        98⤵
        
        PID:448
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        99⤵
        
        PID:2264
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock
        99⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock"
        100⤵
        
        PID:2552
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock
        101⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock"
        102⤵
        
        PID:4324
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock
        103⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock"
        104⤵
        
        PID:4508
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock
        105⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock"
        106⤵
        
        PID:920
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        107⤵
        
        PID:4952
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock
        107⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock"
        108⤵
        
        PID:4788
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock
        109⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock"
        110⤵
        
        PID:3620
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        111⤵
        
        PID:3644
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock
        111⤵
        
        PID:4452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock"
        112⤵
        
        PID:2692
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock
        113⤵
        
        PID:4232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock"
        114⤵
        
        PID:4684
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock
        115⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock"
        116⤵
        
        PID:5068
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        117⤵
        
        PID:4304
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock
        117⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock"
        118⤵
        
        PID:5064
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock
        119⤵
        
        PID:956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock"
        120⤵
        
        PID:4728
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock
        121⤵
        
        PID:1356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock"
        122⤵
        
        PID:2976
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock
        123⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock"
        124⤵
        
        PID:920
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock
        125⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock"
        126⤵
        
        PID:1704
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        127⤵
        
        PID:2956
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock
        127⤵
        
        PID:1296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock"
        128⤵
        
        PID:4508
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock
        129⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock"
        130⤵
        
        PID:3112
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock
        131⤵
        
        PID:3484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock"
        132⤵
        
        PID:1248
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock
        133⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock"
        134⤵
        
        PID:2640
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        135⤵
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock
        135⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock"
        136⤵
        
        PID:2972
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock
        137⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock"
        138⤵
        
        PID:3468
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        139⤵
        
        PID:3620
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock
        139⤵
        
        PID:208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock"
        140⤵
        
        PID:5100
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        141⤵
        
        PID:4268
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock
        141⤵
        
        PID:3384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock"
        142⤵
        
        PID:4736
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        143⤵
        
        PID:4324
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock
        143⤵
        
        PID:1228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock"
        144⤵
        
        PID:3272
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        145⤵
        
        PID:3516
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock
        145⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock"
        146⤵
        
        PID:1064
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock
        147⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock"
        148⤵
        
        PID:3316
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        149⤵
        
        PID:4516
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock
        149⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock"
        150⤵
        
        PID:4588
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        151⤵
        
        PID:5044
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock
        151⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock"
        152⤵
        
        PID:3216
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock
        153⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock"
        154⤵
        
        PID:4892
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock
        155⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock"
        156⤵
        
        PID:1604
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock
        157⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock"
        158⤵
        
        PID:2388
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        159⤵
        
        PID:4304
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock
        159⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock"
        160⤵
        
        PID:2692
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock
        161⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock"
        162⤵
        
        PID:2440
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock
        163⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock"
        164⤵
        
        PID:2168
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        165⤵
        
        PID:2972
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock
        165⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock"
        166⤵
        
        PID:4492
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock
        167⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock"
        168⤵
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock
        169⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock"
        170⤵
        
        PID:2956
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        171⤵
        
        PID:2640
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock
        171⤵
        
        PID:3712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock"
        172⤵
        
        PID:4508
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock
        173⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock"
        174⤵
        
        PID:1084
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock
        175⤵
        
        PID:1192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock"
        176⤵
        
        PID:4260
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock
        177⤵
        
        PID:3668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock"
        178⤵
        
        PID:3024
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock
        179⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock"
        180⤵
        
        PID:1816
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock
        181⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock"
        182⤵
        
        PID:1424
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock
        183⤵
        
        PID:448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock"
        184⤵
        
        PID:4076
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        185⤵
        
        PID:1824
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock
        185⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock"
        186⤵
        
        PID:3808
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock
        187⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock"
        188⤵
        
        PID:3980
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock
        189⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock"
        190⤵
        
        PID:3172
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock
        191⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock"
        192⤵
        
        PID:5064
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock
        193⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock"
        194⤵
        
        PID:3940
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock
        195⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock"
        196⤵
        
        PID:2524
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock
        197⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock"
        198⤵
        
        PID:1356
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock
        199⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock"
        200⤵
        
        PID:3108
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        201⤵
        
        PID:2252
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock
        201⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock"
        202⤵
        
        PID:4928
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock
        203⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock"
        204⤵
        
        PID:2040
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        205⤵
        
        PID:1952
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock
        205⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock"
        206⤵
        
        PID:4332
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock
        207⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock"
        208⤵
        
        PID:228
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        209⤵
        
        PID:4892
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock
        209⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock"
        210⤵
        
        PID:5024
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock
        211⤵
        
        PID:1064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock"
        212⤵
        
        PID:3468
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock
        213⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock"
        214⤵
        
        PID:3808
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock
        215⤵
        
        PID:552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock"
        216⤵
        
        PID:2524
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock
        217⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock"
        218⤵
        
        PID:3668
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        219⤵
        
        PID:2328
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock
        219⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock"
        220⤵
        
        PID:3236
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        221⤵
        
        PID:1396
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock
        221⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock"
        222⤵
        
        PID:5024
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock
        223⤵
        
        PID:3272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock"
        224⤵
        
        PID:2264
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock
        225⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock"
        226⤵
        
        PID:2440
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock
        227⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock"
        228⤵
        
        PID:2140
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock
        229⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock"
        230⤵
        
        PID:2612
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock
        231⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock"
        232⤵
        
        PID:5024
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock
        233⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock"
        234⤵
        
        PID:2388
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock
        235⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock"
        236⤵
        
        PID:1228
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock
        237⤵
        
        PID:448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock"
        238⤵
        
        PID:3108
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        239⤵
        
        PID:3552
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock
        239⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock"
        240⤵
        
        PID:3896
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock
        241⤵
        
        PID:3460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock"
        242⤵
        
        PID:1756
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock
        243⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock"
        244⤵
        
        PID:1944
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock
        245⤵
        
        PID:3792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        244⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        244⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        244⤵
        UAC bypass
        
        PID:2972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        242⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4892
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        243⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        242⤵
        
        PID:3668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        242⤵
        
        PID:2252
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        243⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IYwccIMs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe""
        242⤵
        
        PID:4100
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        243⤵
        
        PID:436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        240⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        240⤵
        
        PID:4952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        240⤵
        
        PID:4332
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        241⤵
        
        PID:956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IcYMkAsw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe""
        240⤵
        
        PID:1248
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        241⤵
        
        PID:3468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        238⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        238⤵
        Modifies registry key
        
        PID:228
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        239⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        238⤵
        UAC bypass
        Modifies registry key
        
        PID:2184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RIQQEMUg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe""
        238⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        239⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        236⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3700
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        237⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        236⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        236⤵
        UAC bypass
        
        PID:3952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DgIYUkIY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe""
        236⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        237⤵
        
        PID:3460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        234⤵
        
        PID:552
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        235⤵
        
        PID:4788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        234⤵
        Modifies registry key
        
        PID:4400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        234⤵
        UAC bypass
        
        PID:732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jMcQIMcQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe""
        234⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        235⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        232⤵
        Modifies visibility of file extensions in Explorer
        
        PID:448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        232⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        232⤵
        
        PID:3364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yYEcsUwg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe""
        232⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        233⤵
        
        PID:1064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        230⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        230⤵
        
        PID:3684
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        231⤵
        
        PID:3252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        230⤵
        
        PID:1816
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        231⤵
        
        PID:3728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SMIYIwEg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe""
        230⤵
        
        PID:4288
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        231⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        231⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        228⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        228⤵
        Modifies registry key
        
        PID:3364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        228⤵
        UAC bypass
        
        PID:2484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YGAYksoU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe""
        228⤵
        
        PID:3484
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        229⤵
        
        PID:3792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        226⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        226⤵
        
        PID:228
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        227⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        226⤵
        UAC bypass
        
        PID:3548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yGQEEwMo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe""
        226⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        227⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        224⤵
        
        PID:3460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        224⤵
        Modifies registry key
        
        PID:2088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        224⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vkkMocwc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe""
        224⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        225⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        222⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        222⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        222⤵
        UAC bypass
        
        PID:4100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JyAccQEE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe""
        222⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        223⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        220⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        220⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        220⤵
        
        PID:3552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zMAAEkQE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe""
        220⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        221⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        218⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3792
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        219⤵
        
        PID:3940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        218⤵
        
        PID:2964
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        219⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        218⤵
        UAC bypass
        
        PID:1356
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        219⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yYcQUccM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe""
        218⤵
        
        PID:944
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        219⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        216⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        216⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        216⤵
        UAC bypass
        
        PID:2620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sMogEYos.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe""
        216⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        217⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        214⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        214⤵
        
        PID:956
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        215⤵
        
        PID:208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        214⤵
        UAC bypass
        Modifies registry key
        
        PID:3252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AwAIsUoE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe""
        214⤵
        
        PID:2660
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        215⤵
        
        PID:1192
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        215⤵
        
        PID:944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        212⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        212⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        212⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ksgoMQos.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe""
        212⤵
        
        PID:732
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        213⤵
        
        PID:920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        210⤵
        
        PID:552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        210⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        210⤵
        UAC bypass
        
        PID:1084
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        211⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DsMIYcQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe""
        210⤵
        
        PID:1436
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        211⤵
        
        PID:1080
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        211⤵
        
        PID:436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        208⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        208⤵
        Modifies registry key
        
        PID:2768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        208⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pyIAYUoo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe""
        208⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        209⤵
        
        PID:3624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        206⤵
        
        PID:3952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        206⤵
        
        PID:5024
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        207⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        206⤵
        UAC bypass
        
        PID:552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rgQskEUs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe""
        206⤵
        
        PID:3728
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        207⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        204⤵
        
        PID:2192
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        205⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        204⤵
        Modifies registry key
        
        PID:2768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        204⤵
        UAC bypass
        
        PID:4680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ueEgYwUY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe""
        204⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        205⤵
        
        PID:3980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        202⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        202⤵
        
        PID:448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        202⤵
        
        PID:944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cGkIwsEY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe""
        202⤵
        
        PID:1064
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        203⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        200⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        200⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        200⤵
        UAC bypass
        
        PID:4508
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        201⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cYAAsEUg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe""
        200⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        201⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        198⤵
        
        PID:956
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        199⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        198⤵
        
        PID:3684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        198⤵
        UAC bypass
        
        PID:2324
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        199⤵
        
        PID:3712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oEEUgccQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe""
        198⤵
        
        PID:3384
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        199⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        196⤵
        Modifies registry key
        
        PID:4952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        196⤵
        
        PID:3252
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        197⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        196⤵
        
        PID:756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\niEMIgIc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe""
        196⤵
        
        PID:944
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        197⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        194⤵
        
        PID:3728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        194⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        194⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FaoMYQoE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe""
        194⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        195⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        192⤵
        Modifies visibility of file extensions in Explorer
        
        PID:756
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        193⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        192⤵
        
        PID:796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        192⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tgggoYks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe""
        192⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        193⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        190⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3552
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        191⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        190⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        190⤵
        UAC bypass
        
        PID:1356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UkoMAsEQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe""
        190⤵
        
        PID:1228
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        191⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        188⤵
        
        PID:3444
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        189⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        188⤵
        Modifies registry key
        
        PID:4684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        188⤵
        UAC bypass
        
        PID:2088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YIkwYgYs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe""
        188⤵
        
        PID:4952
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        189⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        189⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        186⤵
        Modifies registry key
        
        PID:2184
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        187⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        186⤵
        
        PID:1080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        186⤵
        Modifies registry key
        
        PID:4332
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        187⤵
        
        PID:3216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AaoswYso.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe""
        186⤵
        
        PID:3236
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        187⤵
        
        PID:1064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        184⤵
        
        PID:3728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        184⤵
        Modifies registry key
        
        PID:1404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        184⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SaUEEQsE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe""
        184⤵
        
        PID:4928
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        185⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        185⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        182⤵
        Modifies registry key
        
        PID:436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        182⤵
        
        PID:796
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        183⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        182⤵
        Modifies registry key
        
        PID:2192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vgMoMgAk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe""
        182⤵
        
        PID:3216
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        183⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        180⤵
        
        PID:1228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        180⤵
        
        PID:3808
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        181⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        180⤵
        Modifies registry key
        
        PID:3144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BqAYUgsE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe""
        180⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        181⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        178⤵
        
        PID:208
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        179⤵
        
        PID:3772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        178⤵
        
        PID:4332
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        179⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        178⤵
        UAC bypass
        
        PID:4684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JUMYsEcc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe""
        178⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        179⤵
        
        PID:552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        176⤵
        
        PID:4788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        176⤵
        
        PID:228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        176⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YEIQEQUA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe""
        176⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        177⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        174⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2440
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        175⤵
        
        PID:1296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        174⤵
        Modifies registry key
        
        PID:2456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        174⤵
        
        PID:1860
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        175⤵
        
        PID:4232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uysYUsoQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe""
        174⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        175⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        172⤵
        
        PID:4896
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        173⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        172⤵
        
        PID:956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        172⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uoYosYIg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe""
        172⤵
        
        PID:4864
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        173⤵
        
        PID:3384
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        173⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        170⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        170⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        170⤵
        UAC bypass
        
        PID:4556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NQcQUUEU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe""
        170⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        171⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        168⤵
        Modifies registry key
        
        PID:3940
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        169⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        168⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        168⤵
        UAC bypass
        
        PID:1156
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        169⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fIkUsIQI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe""
        168⤵
        
        PID:1448
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        169⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        169⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        166⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        166⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        166⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bGsswYgM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe""
        166⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        167⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        164⤵
        Modifies registry key
        
        PID:3136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        164⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        164⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dGoYEYAo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe""
        164⤵
        
        PID:2956
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        165⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        165⤵
        
        PID:1396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        162⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4068
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        163⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        162⤵
        
        PID:4684
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        163⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        162⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SwUsokgA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe""
        162⤵
        
        PID:1296
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        163⤵
        
        PID:920
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        163⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        160⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        160⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        160⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SWAgUwIg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe""
        160⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        161⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        158⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        158⤵
        Modifies registry key
        
        PID:1448
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        159⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        158⤵
        UAC bypass
        
        PID:4692
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        159⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\woksUMAA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe""
        158⤵
        
        PID:1848
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        159⤵
        
        PID:3272
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        159⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        156⤵
        Modifies registry key
        
        PID:3136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        156⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        156⤵
        Modifies registry key
        
        PID:4928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PoEAgIss.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe""
        156⤵
        
        PID:3940
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        157⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        154⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        154⤵
        
        PID:4680
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        155⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        154⤵
        UAC bypass
        
        PID:3684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hkQkQsYM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe""
        154⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        155⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        152⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        152⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        152⤵
        
        PID:1572
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        153⤵
        
        PID:3620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PEYsQIso.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe""
        152⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        153⤵
        
        PID:552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        150⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        150⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        150⤵
        UAC bypass
        
        PID:4896
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        151⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GwUMQQgQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe""
        150⤵
        
        PID:4952
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        151⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        151⤵
        
        PID:3252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        148⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        148⤵
        
        PID:608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        148⤵
        UAC bypass
        Modifies registry key
        
        PID:2096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\akQYsMwE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe""
        148⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        149⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        146⤵
        Modifies registry key
        
        PID:1824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        146⤵
        
        PID:944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        146⤵
        
        PID:4400
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        147⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\caoIAooc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe""
        146⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        147⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        144⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        144⤵
        
        PID:2920
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        145⤵
        
        PID:1308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        144⤵
        
        PID:1396
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        145⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hsYwQUEI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe""
        144⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        145⤵
        
        PID:1296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        142⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2384
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        143⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        142⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        142⤵
        UAC bypass
        
        PID:3628
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        143⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bMAcgcIE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe""
        142⤵
        
        PID:1816
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        143⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        143⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        140⤵
        Modifies registry key
        
        PID:3772
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        141⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        140⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        140⤵
        UAC bypass
        
        PID:3484
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        141⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dugEQogA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe""
        140⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        141⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        138⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2792
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        139⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        138⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        138⤵
        Modifies registry key
        
        PID:3548
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        139⤵
        
        PID:3316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jkQwAwQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe""
        138⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        139⤵
        
        PID:3516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        136⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        136⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        136⤵
        
        PID:4440
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        137⤵
        
        PID:3896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EAgwgsMc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe""
        136⤵
        
        PID:3364
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        137⤵
        
        PID:4232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        134⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        134⤵
        
        PID:924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        134⤵
        
        PID:4660
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        135⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sGYEIYYM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe""
        134⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        135⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        132⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2156
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        133⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        132⤵
        
        PID:4492
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        133⤵
        
        PID:3808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        132⤵
        
        PID:4324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WagQgEMI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe""
        132⤵
        
        PID:2792
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        133⤵
        
        PID:608
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        133⤵
        
        PID:3620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2920
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        131⤵
        
        PID:3272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        
        PID:4568
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        131⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jOUoAEAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe""
        130⤵
        
        PID:1356
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        131⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        131⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        
        PID:4540
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        129⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lycIAcIo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe""
        128⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        129⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zEoskwos.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe""
        126⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        
        PID:448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kAwQYIIg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe""
        124⤵
        
        PID:2688
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        125⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        
        PID:1424
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        123⤵
        
        PID:436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        
        PID:3252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        UAC bypass
        
        PID:2964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gWAgUUcg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe""
        122⤵
        
        PID:1308
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        123⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        
        PID:4788
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        121⤵
        
        PID:3620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        UAC bypass
        
        PID:3236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eGoEQUoA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe""
        120⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        
        PID:4232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        UAC bypass
        
        PID:2156
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        119⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SiQcQQIc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe""
        118⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        
        PID:3604
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        117⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        
        PID:1528
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        117⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pIAAEQEE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe""
        116⤵
        
        PID:2904
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        117⤵
        
        PID:3252
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:3952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2552
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        115⤵
        
        PID:4792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        Modifies registry key
        
        PID:4076
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        115⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        UAC bypass
        Modifies registry key
        
        PID:1596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tOMAYAwU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe""
        114⤵
        
        PID:2484
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        115⤵
        
        PID:4788
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        
        PID:3896
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        113⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        UAC bypass
        
        PID:1644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jAIYscwg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe""
        112⤵
        
        PID:3948
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        113⤵
        
        PID:920
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        
        PID:3216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        UAC bypass
        
        PID:2972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DkokEwEg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe""
        110⤵
        
        PID:4588
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        111⤵
        
        PID:3484
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        UAC bypass
        
        PID:3316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EuAUcsIs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe""
        108⤵
        
        PID:608
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        Modifies registry key
        
        PID:2996
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        107⤵
        
        PID:3728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OosoMEko.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe""
        106⤵
        
        PID:2328
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        107⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        
        PID:2920
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        105⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        Modifies registry key
        
        PID:4684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UegsIgkc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe""
        104⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:3808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        
        PID:732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        UAC bypass
        
        PID:436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YqYAsAEY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe""
        102⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        
        PID:796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jwcUsUcE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe""
        100⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:4952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4232
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        99⤵
        
        PID:4792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        
        PID:3272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        Modifies registry key
        
        PID:3516
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        99⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fQYwUkAk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe""
        98⤵
        
        PID:608
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        99⤵
        
        PID:3668
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        
        PID:2192
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        97⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        
        PID:3144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vcgYggsw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe""
        96⤵
        
        PID:732
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        
        PID:220
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        95⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        
        PID:1572
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        95⤵
        
        PID:1356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UCQAcEYI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe""
        94⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        
        PID:436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        
        PID:4304
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        93⤵
        
        PID:3808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        UAC bypass
        Modifies registry key
        
        PID:3252
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        93⤵
        
        PID:1296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KQgIUgQs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe""
        92⤵
        
        PID:4324
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        
        PID:2252
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        91⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        
        PID:1644
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        91⤵
        
        PID:4952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        UAC bypass
        
        PID:2208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QGYgwYsY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe""
        90⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:3484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        Modifies registry key
        
        PID:3620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sCYMUIgs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe""
        88⤵
        
        PID:3628
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        89⤵
        
        PID:924
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:4788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        UAC bypass
        
        PID:920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LCkogIgw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe""
        86⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        
        PID:3252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        UAC bypass
        
        PID:1308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pqAEMQIo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe""
        84⤵
        
        PID:4820
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        85⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:3436
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        83⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        Modifies registry key
        
        PID:1228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LOgscEok.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe""
        82⤵
        
        PID:3108
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        83⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:4324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        
        PID:3144
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        81⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        Modifies registry key
        
        PID:2328
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        81⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EEYYUMQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe""
        80⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        
        PID:3808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        
        PID:3484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        
        PID:4324
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        79⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AsEYsswg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe""
        78⤵
        
        PID:4792
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OooccgMU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe""
        76⤵
        
        PID:4788
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        77⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        
        PID:796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        
        PID:2264
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        75⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KIwUcEMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe""
        74⤵
        
        PID:4076
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        75⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:3252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LMcMcwgQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe""
        72⤵
        
        PID:4324
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:3668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        Modifies visibility of file extensions in Explorer
        
        PID:924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        
        PID:4728
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        71⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        UAC bypass
        
        PID:3620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PiMkMQYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe""
        70⤵
        
        PID:4592
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        71⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        
        PID:3628
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        69⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rogkEUsE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe""
        68⤵
        
        PID:4952
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iOQcYwEM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe""
        66⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:4788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        UAC bypass
        
        PID:4268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yQwgsUYU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe""
        64⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        
        PID:4244
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        63⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qqQoogQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe""
        62⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2456
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        61⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        
        PID:1604
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        61⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        UAC bypass
        Modifies registry key
        
        PID:3808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EugwgsIY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe""
        60⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        Modifies registry key
        
        PID:1424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zMIYIUok.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe""
        58⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        
        PID:3252
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        57⤵
        
        PID:3624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        UAC bypass
        
        PID:1860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nSQMgkUo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe""
        56⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BicYAMQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe""
        54⤵
        
        PID:2156
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        55⤵
        
        PID:4844
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:4416
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        53⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        UAC bypass
        
        PID:2276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QyscgAUw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe""
        52⤵
        
        PID:3728
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        53⤵
        
        PID:3896
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3272
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        51⤵
        
        PID:448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:1888
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        51⤵
        
        PID:408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        Modifies registry key
        
        PID:944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eEgEsUUw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe""
        50⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:1252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5100
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        49⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        
        PID:1444
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        49⤵
        
        PID:4492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\caMAwsMA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe""
        48⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        
        PID:2324
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        47⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        Modifies registry key
        
        PID:2284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        UAC bypass
        
        PID:3668
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        47⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OKIQkQQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe""
        46⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        UAC bypass
        
        PID:4372
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        45⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UwwAkYEI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe""
        44⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        
        PID:944
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        43⤵
        
        PID:920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:1192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zOEkgUEc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe""
        42⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:1212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        Modifies registry key
        
        PID:4028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        UAC bypass
        Modifies registry key
        
        PID:3548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DwQkIAog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe""
        40⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        
        PID:920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        UAC bypass
        
        PID:3772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TIAUggIg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe""
        38⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:3436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:1252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZUEUoIwk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe""
        36⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:3516
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        35⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        UAC bypass
        
        PID:3172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MWYsAscI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe""
        34⤵
        
        PID:3384
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        
        PID:4556
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        33⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        
        PID:2640
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        33⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KyEUEYAc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe""
        32⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:4232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        
        PID:4636
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        31⤵
        
        PID:3408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        
        PID:448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YikwEUEA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe""
        30⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WeUAIIkY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe""
        28⤵
        
        PID:4324
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        UAC bypass
        
        PID:1320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lSkwYcYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe""
        26⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        
        PID:1064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        
        PID:2904
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        25⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\naoQcEMU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe""
        24⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:1192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dqAkIMYs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe""
        22⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        
        PID:3516
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        21⤵
        
        PID:3384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        UAC bypass
        
        PID:4356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZakwgYQE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe""
        20⤵
        
        PID:1212
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        
        PID:3236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CsIksYoM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe""
        18⤵
        
        PID:920
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mEUMYUcc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe""
        16⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:3384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        Modifies registry key
        
        PID:4952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uYEUEkkQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe""
        14⤵
        
        PID:3496
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies registry key
        
        PID:4844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        Modifies registry key
        
        PID:4692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UYYEIcUA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe""
        12⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HAEMIwoI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe""
        10⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        
        PID:2316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TcAMoMoA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe""
        8⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:5040
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        
        PID:1060
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:4088
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        
        PID:2564
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PKgMgYsY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe""
        6⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:3056
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:2524
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:448
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      PID:1436
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ooQAUIMo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4508
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:2156
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:1320
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1000
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:664
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gGssQEkk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4232
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:5000

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:1536

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:4636

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1308,i,6593821857742176458,13646536021844995125,262144 --variations-seed-version --mojo-platform-channel-handle=4020 /prefetch:8
1⤵
PID:1272

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:2640

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:1576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\User Account Pictures\user.png.exe

Filesize
194KB

MD5
210395b6912d510e25d17df010ad78f6

SHA1
b9184def35cc0fed2d059cbffc93255a935aeb65

SHA256
dd5d555508bf190d08270d13e2a40f5c21cfb2fa3a521ea82ff3b5f28265b796

SHA512
acc47a8eca782f45453f218f39a16b21710b8fc2c314497fffd8b4afc1f46240b18796af144c1276e95d65ca0baa654dcba337910606c56e6af9e2e8ce45cb5a

Download Submit
C:\ProgramData\pkcUwQAA\IKIoAcQc.exe

Filesize
192KB

MD5
a4e03ebfb9d5aeb2a573f72d876258d9

SHA1
f46057a9e124377d5a7b269934082a5acc629105

SHA256
149c5399c38ffcd83463aa374ebff2d8acf23ffb619da0ace8ce19be087b8e4f

SHA512
1e95fa3bfe98ca49ba76e14aee652898edbf1492048deebdf28a0e9e061b1974ecb79ec758f73659a08e0a1c5b937dda6ebea0fbe0e464e0f4b7cc9b2a717ed6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\48.png.exe

Filesize
194KB

MD5
1740136ac6e9fcf9322743c431e8f0dc

SHA1
194f7e56da97460904b67343aa2cb0c7c149c7da

SHA256
4258a8dc763b3d70c00c3b3f98317241b7caab91bbb0b03c7f08ae3f8700c537

SHA512
6f5ef9e04685ee36c89c08d715a7b73fc3c7555af53cb4668d3bfd00b5cd804a055b31a6a7cec19dc15eabf08bba62577f3c85d60be12e2e4931f0c4c752d8ee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\96.png.exe

Filesize
198KB

MD5
3d471e3331871a957ad8808f75ed1356

SHA1
8bf79d54a09fd94cce1f546df84eb7454ccd8aa4

SHA256
92d2befb1344b64f2c5bd9b42fc32b36b37c75930727eed4c8018a960fd15907

SHA512
09ac1c4b8a15aa349333af0ad0a28f0d7bce63213e41232e6a0a0473b7813330b53cefea612c3b6516223604bb4b561efe2e8016c7fa724d7d3cf3eca24c65cb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\256.png.exe

Filesize
199KB

MD5
2bc4b21afd1cb252f4874b99ca54b91a

SHA1
28dbe941547f1d3769e4019761bb0ba103d4cff4

SHA256
87e838439f944ac671f756c8bd610ca3128059d69a2a8f90e9818ab1dc69426e

SHA512
7c595c3d489dbc1b2da55db7d221d9956adf42967850c8011e0e680a3e073b5a4ad0d3e6f81ed20ac4c691ab952624abc3a96d1454e0bc663970040179b90c61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.76.2_0\128.png.exe

Filesize
192KB

MD5
ab87c1a595b58e4c05e4006cc95c055f

SHA1
1c143c43fe906164ae3e1a7a2bc1aa34a1524ae2

SHA256
afe8d7dc4d6cca09ff95384e2f156cd24f5c869c658e55a3ebd54707f7476918

SHA512
646f3dd1ce06c1d2a86f49bfe5ce7c224564eda400aa961cb13783d4a954f6144b8973cb356889e8b404d3f5701f7cf714d05bda64dea5c97e454474cac03b59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AutoPlayOptIn.gif.exe

Filesize
562KB

MD5
3842789bc30596267f84ae9b8f144839

SHA1
e4b7bc09aca76b7ab337a899ac841a685d1254a1

SHA256
cb5cfcf4aefb891c019e6bf48236d6f6d55052576b9f7f31fd2b4666502a9227

SHA512
57a4cf229593213783845c701de408af91374cf2d4991470f6f839f136f61f480517e067cf81bfea2853a23691fe124526f626bee2502015f7c1895f147e02e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AutoPlayOptIn.png.exe

Filesize
191KB

MD5
284caa31fe2917c8f83eed4df9ab113e

SHA1
c6866ea8e81465a03d81ee4dd2858041ba3e44b8

SHA256
13bb1caf08d943954d2cb2eb436ee4d26d848e82999efe63fd90cf93dd7ca713

SHA512
af389e02ab758e8c211220a983e3ba77444b9f13a704dfca293577e2cab6f552c8b2a2496ab77a99492c6128a2955d80795c1f02a9f730716b22ff49a52d887a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-white_scale-400.png.exe

Filesize
200KB

MD5
2da816b4e0559dc0de4e83c2ecc7c63e

SHA1
b59e496d785b8043c4ac7761ba8d1fc1f8ac4458

SHA256
c7463448e50d52cd2b39510e7431e53de99b3b0cd7bd36b9757e9df0fd18f0f4

SHA512
23166f527d221d589ee63d7fea7e50617ae06d147168f8310d11eb7d777e096741df4d87d3d46103094be4132bd7045bfd0033a55ffdc0c0cf99ed634e2cac24

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\6501008900\squaretile.png.exe

Filesize
200KB

MD5
4753a9d2c9fd32fba0c37c356dd75f3b

SHA1
40c220ffa550bc39de8ee00399866d0c99738d91

SHA256
d637b1ad601d10946956915a7d9dd8bdaf04120561d0503d80daf5b4c483f5e1

SHA512
fa98c87ded10cce5b2a82de4a56a8fa328ae92cb95e34bdb27e91d348f9724271a17e447d5139d39458607b87953d90812a37944ec396516821837c27496021b

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-05-16_0eb102ecb51f8e10435254be3bf01205_virlock

Filesize
6KB

MD5
bdf926b971c6dacb62c5c764b548f850

SHA1
daf9c28f324a1b0d9886021ad63d84b468cbac20

SHA256
8dd31725432fd800dc2ff4a95567e2d8c8391385686ad0fe88bc480864e8ddda

SHA512
cd7b29d5edb69d0c5642a2c6a7632509503956be80aaf8750f505673bd2c3e5200718412a2f43c8071ed032a35f78480db17d17138de19470e0606567db3f3d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\AMsc.exe

Filesize
832KB

MD5
4c36d8c9573b1db36ce22e403eb7ce5c

SHA1
c0086f15d00c9038979d66c01c7daafda102951b

SHA256
3ab684adc353c4040fe176c9dbcd9777975312fa6fb25951f8931c65614e295e

SHA512
102696a0f49b676bb0bb2ed4bbcc532504780a0b2f71d77e52ee29cef1f726fac204af1277ae86a5ead85d9e812340b5e5cbd7b18a882c930a6024c71542be02

Download Submit
C:\Users\Admin\AppData\Local\Temp\AsUS.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\Assm.exe

Filesize
202KB

MD5
372eedad0cec7b4a42be4a0883e26506

SHA1
2782d86ef18a83b6fad8814badc071b58f3675af

SHA256
bec79d140ca7be0416d5206ed92bb499962d769c4be408b6b3ea15ba76316d22

SHA512
44822b6db92ccfa7069ba3248a682a2896451c97d2b3d4ae5c4a4a5f2cb56937ef32ca505319cf93b862aeebe2e0cb552c1f0255267052077745efa946f09df0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Awoq.exe

Filesize
554KB

MD5
14a0c97a12d61d8e38778a92a14c1c5c

SHA1
f49a47282e07d6cd36a31c09f44c01fadb5541d1

SHA256
d099e69bfb68496c9c99f533a11318b72b64429366a2880c9ae5a55781c027ec

SHA512
2f2ff5b55588a4d1ab5d13324608c79da34dfa4d58d83b7f37b23c1f7acc3f558df73f0466f8d478620fc5d4db12e280e1ecf158aac8d0a69403b42e6b4fc697

Download Submit
C:\Users\Admin\AppData\Local\Temp\CAYO.exe

Filesize
203KB

MD5
bc55de5b41c59648af66373d82788f86

SHA1
b09df52bb38ab450554c2c667b7aaf35c0995d99

SHA256
63ba67c332682f20f8e8bb38e32dee07985453c6e37c3d0c89633d8c5fead1ab

SHA512
e51a6e3c9da5bbc626ee6f8974bdffd81ca449fceb7070f307ed21dbb66bc22677df7130095f12c2b02bf9f46517cd378fa2095c0fc7463756f0acb6456fe448

Download Submit
C:\Users\Admin\AppData\Local\Temp\CEMW.exe

Filesize
684KB

MD5
6bb2bd495701549e0e5bf72607747e0e

SHA1
9b384606992f3eee5ea89839df4f8057642862dc

SHA256
3da17112c09fcac4ff88658e942cc5f072364cdf0e1906df374b0e33c176080d

SHA512
f3d8ac34db65fdd6e9c2c5eae9a3fc4395f78315cc824dfb5a545d73d75bea0ca144154238154e0c11b3cfa6e24083fd79115e86255f47ac7531eed7cb73e96c

Download Submit
C:\Users\Admin\AppData\Local\Temp\CEou.exe

Filesize
221KB

MD5
e0c01cd2d695574c78a9855263d2708f

SHA1
9ab24abfeec9f789e79d3bc4891dc6ab4949d254

SHA256
3a1ab0fb9f387d0d28d6f93a8fcde5aca7502d0975f994bfe4532921c349820a

SHA512
0ae0db1d42c4353e762ae121a02fa944af025c73e918a65366c2f481f1cf9f15ebffebd4ed322a948a931820f9620fd4c7fcaf7f6cd02d7a7a5be8961afdaf6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\CMQw.exe

Filesize
199KB

MD5
930db6a2a0d31dca412322d9c4f6b782

SHA1
fd72eacecdc4029eb5fda3f924fc4dbef57f03b2

SHA256
326f82918d4dcc8e4f512e02739413af23d31eedffffccf860f6ab4e0957127c

SHA512
e3bd6473fd8ca72dc5983c74e8cd852220606921380a8c41eccde7515dc24d2af9a7c8185deec6081c380d6d7a86cb4ef63d6304a8e1424ee10cedfef2c7c756

Download Submit
C:\Users\Admin\AppData\Local\Temp\CkYA.exe

Filesize
196KB

MD5
5c176af21344966e4175e3ee14f72d88

SHA1
1394fe3e218c12b103a622abbaf4be46ef889814

SHA256
49bbc7a78422ec8c6594cff43bc0065cc8c80b700da0904130cc05219e258ad4

SHA512
b1d575ef0a13a2ed2582140429be4df29198cea7f921d195940054a1af6f66e28de59ba3eb8b4339e4975b618a57d53876b68dc25367d69248c937afcacedcee

Download Submit
C:\Users\Admin\AppData\Local\Temp\EIMo.exe

Filesize
603KB

MD5
b2b8cbc4b78eb1700d532ba0a014e69a

SHA1
bf632c5103ddbf0eefd6ba0c14b2836c0d073199

SHA256
547c8a18c8d721e2ac2d75e52dd40ffbd4176fd10abfca4af74ddb7b3b7d8283

SHA512
814e4131b7409c4be1fc1c3259a942598d878868bcb247e75b4845ffc3fee0a56fe4d1e4438c6fc7a19fd6092eee011b1a0b73b79e3a998a3f33da6a879911a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Egww.exe

Filesize
189KB

MD5
236b7922fca4470b4cbefed4a8809eef

SHA1
04e9995e5cab0849e739b76939536b1d8dcb9e3d

SHA256
380f5433b86fe49cc6995c641834f4b9936cb09b8d5331decec0b0bf3f7d8839

SHA512
e59a0a32193f94e480e17aa99023bc94f9ab8f6f44c8a731736421dc9295eb5fd17db6136680b94928ee9ce9005e8f537969324874f6d527eacdf4eceb376aab

Download Submit
C:\Users\Admin\AppData\Local\Temp\EkYY.exe

Filesize
390KB

MD5
1e5cb967a606386c8382d29ecab11f12

SHA1
abefaddd77e0ebe2fb80f49a683574787e3cc03c

SHA256
bd5ffd40fa7d165c3e7232d15dee2d8ae1fc170477a28d00a63aaed22930a86b

SHA512
58a3a499822f1ac213d2c1a2c00886e2bb1e188e04602aee9af97d88d7be803613c188f11c4925e55d9af24309a6511f834a39fa984c730b50da090ec5a20005

Download Submit
C:\Users\Admin\AppData\Local\Temp\GAMe.exe

Filesize
199KB

MD5
39adba4e34f1b12c18d1802ec1287e9c

SHA1
a9abbf4adfc48ed897406bb4618a445d732ae399

SHA256
965dd91915451c0a4ef0ca719de12356886ccb2a06639e3fb797e30e2171564a

SHA512
ce80f0545c919a69990f9a59fe432ce1bed0ad0284b62c0d9aebfa235d2e61b8294efce7a183152f2035948fc5e10aa26a39cf31511aa26de688111b261f3f32

Download Submit
C:\Users\Admin\AppData\Local\Temp\GcQu.exe

Filesize
196KB

MD5
31964098fb90d77f57d9d6e18240911b

SHA1
618344772ed3f8b088f7a2cdda1e86327cd1cae5

SHA256
d8fdf7486f4bf2ad025bbd1de02dd3bb84deb221fdadd0888301959e11a47b48

SHA512
c8b6aca1760f2b4806e08ea19c0e6fa4ef675b1045c5b6e1749020b89e4faf6c3272b9fd28f749fb78df18e09a5826fba8f6a1704a9106a5d3e97b652ee47793

Download Submit
C:\Users\Admin\AppData\Local\Temp\IQIe.exe

Filesize
186KB

MD5
1af0e81e95025553b9b4a51d2cb49d34

SHA1
2bc89098632afc1983528c4acab2ac229cba9163

SHA256
6bd5c9f0bc3a070f5c9667a854dd41b50237ab4b39dd79f905437bb2cdfb08b0

SHA512
b304f9f95e1344ee1031273cfef2064c9a2ab22cd5f94046077cd0633ca3e89addd66622a8ea4888ff9228d3d2a61ba1248fedda3c2068aa6d19f070e8790a5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Igwo.exe

Filesize
816KB

MD5
7ec8ade3dbef2cb20c68a73aff0634a1

SHA1
31f515608a4984898d655356d1118cd56184f54d

SHA256
511cc063d366ea9a026ffa81948fca29d84a3cfc43170f9a631fd36a0b44ab53

SHA512
df36dc7b8189797c66f2f1a026f8e0dddf7655a90e8fe5b0759cb06633baa9adc6b54678793fd7b7211755856e556bfe80a313c7c3d11a971c1b6e85e5a7b5d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\KAoM.exe

Filesize
797KB

MD5
a58f3aa2ec18f410df549f353f273cca

SHA1
2b359e65e32f29aeabfb0e445e1de3c7d462dbb4

SHA256
c0a4bb6a08d68cb2e078cb9b0e08127cd312c3fcbb35fbd855e0ce13a2ffb6ae

SHA512
0549e7fdaf8b2c2591efb697143454a65de46d4103ca311492423655f7c264a5b49ed3029f87ab73e88f2ee7394f91c9637ae53fe4c94def0e69e542e525c3ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\KEwm.exe

Filesize
206KB

MD5
a2be669de767cad05e15fbc0f2274f52

SHA1
473bb1b8f10042c06cd2ce8152200483bce618ef

SHA256
f2c817d2edadb7c59a161e1383a80b1f5a7e806681480cd50e80169c992e6c66

SHA512
f1c9ea166cf5bebf60206b724f653860704050aed5f96dd995eef921b6ba2f767aaf39d79599cec5f2a45fae20580c91e0636daff13ce05758674b1fbe888fca

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kosg.exe

Filesize
773KB

MD5
e6dfe4490c5e4d81747c920e9643ac87

SHA1
db594f639b4642c474bcbfab409440f08abbf32a

SHA256
7b1b7b8ffa1d4b609677b1a8d76f58f9468ae34d826ac156b2c2862c078f139f

SHA512
bb8cb9edfd5db2b62d4b9f2b7ae3670fcce6e09298baf8a72c822540be3e6610258f268f31476218f8320a7a9718343a42ab4aa5295c889e6d594043a968c59f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEQy.ico

Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\MMII.exe

Filesize
607KB

MD5
c0394843016b4d50f261c2fea29145c3

SHA1
6b8da3b8b43f8e6b4cde4b763c5b07b423d16410

SHA256
735b3371f6fe23809303cfb3500558cdcb9ff79968797fa636bf540cf7b79928

SHA512
33ba13135ef855e689629949b4ff2870e4c1bd9490d5f47b18874438728c10168a3d316df9c061af24fab2a45ca5f5169124c666609265ebcbe247ec1b1be7cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\MMQW.exe

Filesize
186KB

MD5
79d0f115a9fb503588345e7542fc85bf

SHA1
4064e592e3925c75ad21b7999456b0d585242691

SHA256
f5042b0e6c66a0d3799d66845a397d8fb7e32e4919971ca197dfb1fe920e9b98

SHA512
97fdea775371f57872939861048d33d29da8e4bbbad6e9dc795f0b237272bf13102868d764559664f65c914e49eaa40edbb9916492b74f2f0946f8285c1ac65c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MQAa.exe

Filesize
186KB

MD5
03a04e380dbc7a4499f78291e5bf2ad2

SHA1
6b4a27ed3e7610d0e4077364a2efbfadd692f1f2

SHA256
4a653120b4d48110560dd75a8e3104ab3bd83376d923321bfae14bbacbfaa8eb

SHA512
04a48693dc7a691231a165d21d3639b9f68274f3de790c1d0312fa1e03080c19f035b95603866809a933d4c3af47713cd9a465fe3f550420704f748631b5fabf

Download Submit
C:\Users\Admin\AppData\Local\Temp\MQEi.exe

Filesize
794KB

MD5
7aed8b79d8bc4a6085904ea37e03da5d

SHA1
82ae222669e276e7b3247853d2e12cb932f86a6d

SHA256
e87f56d22ab3778e50c6b45094b897e8d7c163fa1a0a460ff51b81a61857f7d0

SHA512
eb10190cf405996bb2dcbd05cb5a20c1408d4f9ccc14d056fdf9c4db6270abce826c5613181135b2e358ce68c2c40e27e3898d6e9fc55b51929f19bebc57f02c

Download Submit
C:\Users\Admin\AppData\Local\Temp\McIo.exe

Filesize
582KB

MD5
29028b07dedac398e7a91d6b9b182758

SHA1
db6c592caad6ff9b722a19a330067e7a281f7eba

SHA256
9c871f313cd42ae6e13ebffaa182fa697795c6d46a1bbf677a0c31ee4b744bb7

SHA512
ed050512bf539131216bafd2d990d71c46328922d2384b02ecb56b4f2eccf32b437443509d20490117bc8bdcc4f167816a215467c7262bfafb07b8d475f0f6a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\MgEi.exe

Filesize
639KB

MD5
0216fd87f7ce4b962defe0e7de6d182a

SHA1
115595405d31d142e2e83980c9410e50e138ba49

SHA256
716b936cd88f50e590e0da690072268907c8e850677e3d7cfdf2672383e5433c

SHA512
546d9b8ffd8a73aacd43bbd705175573fc1a6b7d6664ba832407de1133979472e5ca4e628bdc03a8b42bce358e44341f7317ffa17aa9c7362890694225202b37

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mock.exe

Filesize
219KB

MD5
a603a81a351540d13fcedfdcd7710099

SHA1
8699bbdc994ad51b9603a19dfa8081ad884755fd

SHA256
eccf627e36fc56141ac8ed381910a4137e5f91f7a973f1b45af22b4dc13ae6f0

SHA512
5156dd10797cc3090b8332574b4cdcaf21e43ff60db19fb2a6daaa78e0ca4d3b1ee04752ca64ce0775ae245f42031d8552f2b2053f8eaee27ca322a97cb40b1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MwUo.exe

Filesize
779KB

MD5
3fd13df6496559de5bdcc8b7f5c5152c

SHA1
8c58310bd3cdd47afd8cadbba9fc4c4ec1eb94eb

SHA256
2fab0751651306e89991c16fa63b0908d2897c0c641561391190bd9484d77c13

SHA512
9f43f021ab2d20ea7fa4c9eb26c696419904b1d9137f9c94e2594bc55707ecc27e7ebd7d2ca60baadfed2775a0b4cd9cb0be457c5fc450e6d8ec0fed66a79612

Download Submit
C:\Users\Admin\AppData\Local\Temp\OAQm.exe

Filesize
193KB

MD5
c1d85b9abcf1221ce2c47bbe6dc3481a

SHA1
f48dfda5e53183d2e4190f044ee23a676a2f07bf

SHA256
a39dee1c0bb7eb34c4a8accf5c9e82f7bc18ce1509263f4fefbf70a34e355e7b

SHA512
7f62353cfb723911c8ebb170ec81831ba7621eeec034165277031aca1bb761e40993df8cc40fec0b7df9280ad7a94b10ff5c1d8805c91a101fed83fcb828875d

Download Submit
C:\Users\Admin\AppData\Local\Temp\OAUO.exe

Filesize
187KB

MD5
7fd7da649721ecfe83487a12fe274650

SHA1
85648edde56bd61ce3cb84353c9e6e319b0fe772

SHA256
9d971747bd0d74eed69eaa5b6e01c8d7554c91d74b0ba20bacd7357b86156010

SHA512
580dc4e643ac092bf90460c250cee21f88f35395a6a2bcb693a1a234d6baf3f7743c27feb203aaa6da837ab4f50e784c54df63c58bf47bc5dc8e57f1c69c3fdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\OEkq.exe

Filesize
191KB

MD5
e4dc9c92954f07938d4c4fd9fc9d60b9

SHA1
a704ce24b68f6d607b4ed550506da3693cb7c425

SHA256
68a972bfae2843ae62c88adc47b02470a16b1dddff64363991c21e486b55b848

SHA512
354ca43f5e0412f09216d764ae565cd147e0f5253cd12ba74976c5f0b098695cbc1b8f4adb6028f54da406b2636f9ee4f1b46fc9ece8233f8d04d5d6083fbdf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\OIkk.exe

Filesize
195KB

MD5
7d9c7822db22f4be34816efcec54ba3b

SHA1
1f0c4903537c30f4165e9b5ebf96a6f009a5f156

SHA256
e1cbe3c7ce6fed3f10eab72cddb87931053d30866a91d98fb38840e575f9d46b

SHA512
72aab759f3ced6da6c52f8f634541697b4abf11e276b325ae27a251e7fee98f6ea684b4d4131ddab1cff0ec268d19a2c3c4c15d88a334b400e58e843352ef054

Download Submit
C:\Users\Admin\AppData\Local\Temp\OUsw.exe

Filesize
188KB

MD5
81c44e41bab4994fd098cffd43cf7eed

SHA1
65faa5b48023aa9e3a214581f72766f257b6e715

SHA256
dcb4bc005369d1ab06007a45d2747b5b5442ca35b68296b89d5e9a8ab2e5b36b

SHA512
7a6bf5f8f207d86aca67c84258146def9d0884d94c87b740039e6a20ae5d68d6fb428e6644376d8f42ae8cd37ec678913af8e464cd2c8572dbba24be5cb890c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\OogG.exe

Filesize
197KB

MD5
0d7bcc50a6377d93ee73b48751dfc8ff

SHA1
e2fc88be5017ba63db8a6b12751695a09638d289

SHA256
36d21c0225a89fd9eec3f021d6e1a783bf973344ca50154ddd9fd2ea801cdd6c

SHA512
faec57910af456c342ce73ebfc0b95a7b71cfe4f5f7b2cab14c4817355ac33a553b293707c0a49f6c13810356f373f862409ec6ea90d5f831e3d92cdbb793005

Download Submit
C:\Users\Admin\AppData\Local\Temp\OokS.exe

Filesize
209KB

MD5
7d580bae78cda06a95c9a7dcd8bc6b85

SHA1
c01288d69091785cb4a8066c9087891a10b4a716

SHA256
bff9a16cf46cff7bcfa7343bede9d1b507d82a3a264e2e845fc057ff6fcb7a95

SHA512
535fd1d3d8340f19c77d664d0ad078db942dddb3f3b4e32eba81e63a83df5b43fb709a5313b9ba1e773a49e05ecbd0540cbe9be6624e6a904add4c5dbdb5dca7

Download Submit
C:\Users\Admin\AppData\Local\Temp\QAgO.exe

Filesize
672KB

MD5
d0f5d03f4900ac5e46c506471439488c

SHA1
6bccabb833f3c5e92038e4f5c19f245424e190bb

SHA256
b06d22e6d5ddaa32d050a30683ab16431aa573ea1dcb9c24895404599eb2d96a

SHA512
8f6bf1d1bb7cf3c4a49f76d0ae4dd92a706ff061d5e921491346e462a62c89ce1f9480516e81058fc8225c7c0c1047c72dd114d6b6e821c8bbb277a008341562

Download Submit
C:\Users\Admin\AppData\Local\Temp\QIsS.exe

Filesize
224KB

MD5
653711583cfd78cf2bdb3382f928e7e5

SHA1
0e4ee60cf76f7afa1d1683f2c99a12d932764a14

SHA256
beef761d599372b5284c07c5f29b8e3069f7612d93216b6590d052758d2995aa

SHA512
13faeb76d2278cfee50bcf072faf2fff2a432c81c76f25ea85bbbb2a3fc33c2828838838544e1a60e2440b3d670c57eb96eeac113290df3c7c5a8bb8ad3adf46

Download Submit
C:\Users\Admin\AppData\Local\Temp\QYgO.exe

Filesize
507KB

MD5
cff6369c134873f188aa5005b256ef2c

SHA1
fbc7ee85a1e8c015cc35eab229ad2d657e28acbc

SHA256
ba5beb0da73cf0d72af4b77d9e537d2687b84d8c92f73e98a804b9ba4441c8d7

SHA512
7ddb22da181df0414b40cf612aa310b31e9ceb11bc15a14b8dcbe01fe0d1609e62e4b4d11f048e4a51db18a547feef24e11cd66cf5345c1bea4adef58fe414d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\SAkU.ico

Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\AppData\Local\Temp\SUUY.exe

Filesize
1.8MB

MD5
9e9fda2b9cdd7cc1206479b73a6144be

SHA1
818249af89acda28eaddddefddc22dbd8c9fc358

SHA256
03bac9266706a75bf7c9a968050c6ac43d4a3f4ed560691b8da5e7924303546b

SHA512
6e0493229de058dd47df0557cc066c1cef1fffd7709173f3cf1af4e1ad8fba30641134752b7a77dc17706717fc4e55e0dd8c85a354b2d12d7b71de6455e619e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\SgYu.exe

Filesize
205KB

MD5
77db0161bbee8848503c41d6d97f5e46

SHA1
b25092e58e08ea396cc4c91754bcfb9aa437d7cf

SHA256
9997b9eac686cc86f71e000ef3acc2c74e770bf88993026de0b27395f717d0d1

SHA512
4069fe434908fb8f98da93c3aa00200c588ff83d15316b90273eed2be29ef24d7ef7ac298e6b77ce32d06ca04551917d0a5577e00e2964fce2ca2e6479a76c3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\SoEg.exe

Filesize
1000KB

MD5
567bf16c239e066cec4a0c9d7ce33380

SHA1
04a7ee9700d4b61bf5ef190b43f6d446ea6d65ba

SHA256
9fcea8b7e6245372f1074f751309f1dd2a273f562e54da8a7372cfc549e7b378

SHA512
687568da9eeb1a0bfb3a0c559949a989c80d940dc1e94df8898550268b6206d9b8e77c0ee41aea0512dac0ecf814a8f03459ef5e95397e0fbfd7ca2a55450bf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\UIkC.exe

Filesize
208KB

MD5
9aab1fe365744ac25cfed6bac105e7da

SHA1
cd376a68fb984b781cd814b02171a864cc081887

SHA256
c8d0cd9c227deed2f49c113bf22bcf443f8de89e52eb0e60195cc618233dc236

SHA512
44317a86f1837e78b5d43a7f755038fcdbd0ec1ca730e2483292fa7f3da96101ee700b11d8632efb674cb39e5e055fa73957ec29798800a5cba0deb77afc2c4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\UUMu.exe

Filesize
315KB

MD5
aec29dff659e6ecfaad4e8a1535e6b31

SHA1
1a482a19a7893f8d695e4926e9fb85e2cefaf355

SHA256
b0701caa5d4db88386cfc89b4c0284bea3b71003ef507a518215ae234a0d24ca

SHA512
5b69d0b8da7bd2de6bcb830dda00f3c5a5cefe4a6e7e741d86a9ec4d92e6a359dc72bddb28aca96b9346c242677c82fd5e0f93720f81586e8979066de0ea89cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\UYUK.exe

Filesize
222KB

MD5
8bf9fa0753ea5e60d6bd955a1cb97ba3

SHA1
ab9d4b1ebce0e203c57083b4d726513799a31794

SHA256
349cafaf96007c769da81243b3c7f44712b51413deae7367dee6e3330addec0b

SHA512
362ccbb74f82c5bf684033434a0b20e550eb0a291d2d7c1cfe269adbe3571039b8dbf6a3e8f092970f8abf5eded0f88b4557a46c7bfa6ac2885f80429c666823

Download Submit
C:\Users\Admin\AppData\Local\Temp\UwEA.exe

Filesize
226KB

MD5
661b93c61ee06e94509cdf3e6c7a08c5

SHA1
3213b591e6d0fa0e5aefef4f8012456150e34d48

SHA256
1364190ca30c8817926b5da885b4ffb7886df7fb9e4f55eb5dbcab2aaa4a3d92

SHA512
f3d523da2806d485b4437b1105bd95a7c12cb3914c80c6b93bb02367236844c7044b4ba2a5614b093c9335ca7d10dc3519302b620537b4436d295e6c4d9f71a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\WAwS.exe

Filesize
241KB

MD5
465d39d12434887c1729472d7f1d0bad

SHA1
ffeeae715bb6111f3862d18035f67e522683beec

SHA256
94f9c38ee69b85a958fd95416b90cbedd49b2c83d451d566fbc26136e1110498

SHA512
ab9733d78bdc615ccbe3c42d9b944749c6cee819b391d5521e78f394d3d38f2e874c39df0d0089aff653338a30eab3d7f0e2465316c2d1c3d074e1ac472c6a17

Download Submit
C:\Users\Admin\AppData\Local\Temp\WUEs.exe

Filesize
184KB

MD5
e47f8103ec631b78e3b7e9ecbd72e284

SHA1
9a83037ab702f97ff730ced1d7ad825a1df31df4

SHA256
dad034c398feed2af01993b80481a0cc2b7b6cd824bbbf6903e79172b6bced2a

SHA512
ba82e0a01162e591c2c4caeb46b7eb32cd1650e27d87ac8a0ee3bccd319c48596cedb30eb4fabeee71812e17a0dfab567fa85003882d7628d8a9cd5690f3f6d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\WYAy.exe

Filesize
803KB

MD5
e72e4d405809fdefb1325625ba903387

SHA1
29df97ff5e33a552dcc08422d6cfbd49b646bfda

SHA256
44864eb1080e3766939fc4bf866de320ce937d3ee2bb672c3c794aa88fa2143e

SHA512
dca0855a7b7d81c7335851b5972d16426ca02f4e5ee467811d29bae3bd60e05d7f5f6a336e4405b77e8559ffc52b1e16dc72ff498f2b2a04d3f5119cbab5a9f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\WgEu.exe

Filesize
644KB

MD5
2951b4c2454dcfcf41ce2a40d6cbea99

SHA1
54208f23c976b8e49e2bd25f4994b6d79806e82a

SHA256
65843499816806d34ea2eec833d79f4cded79c22d466f31191f729aa279c78a5

SHA512
a3b314c7f4bfd8eb133167d690f5e400b346d7619a579966d94b28911a24e8ac5071440efdfcaacd5246c66a5930a94d80504526efd206559bc9205457edd2c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\WgYQ.exe

Filesize
328KB

MD5
47d808c368930d50d98582c0c6ecb6e8

SHA1
a2d604fcfba324987c15f91c66ecd3f0f9ac1072

SHA256
6a066033d974d7e64cf862b74f7073bff71420cfb7afab0df803a35f70e6392a

SHA512
c4ec67885cf017d62c0389d540b4307b32af788bae0e7a5cfc8fc8a535d211e377524945d8b07b6e81ba1d963e1a00a52bf9e4ce9ae42335cae747a8d5fd628f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wswq.exe

Filesize
923KB

MD5
826edd4fd490cab088295667d31c793b

SHA1
a5fc25baaf7b7b4d260ae8b774ce8f75710c530f

SHA256
31ba4d6c94ce087b69843b3eaea849c66b17fc46988497328548e4b9e5d5e949

SHA512
59fdbb5bf2ec0794bf1d39468ec28b224e4c05cd00fc302a2c3fbe7423c6441e4221d5b86f6cf9b2b63316aab2a797726d03f03819f161b3e63cd00c4b265173

Download Submit
C:\Users\Admin\AppData\Local\Temp\YAIW.exe

Filesize
211KB

MD5
a481796e7bb7c19ad3ed29085699cdea

SHA1
325e121f0e416d70024ccf409c5d1cb4c6c60499

SHA256
58276581761c9e5dda67741a4643d0e140f22d46d6b210f2f1e692ad81617d00

SHA512
2d81aa0a1c521b38d21092923405fa81fc1ef84923d4534a94cd14bcde7a3bec384b6b29baea8cf3ccf6247460f6fb43e4f960db6b586769f6e85b7fa453df07

Download Submit
C:\Users\Admin\AppData\Local\Temp\YAYi.exe

Filesize
187KB

MD5
d53ee108715859e716ec82a33eeb3bcd

SHA1
a75bb8ed6efdf91d257774cb23b6bd4659fed48c

SHA256
286799309907d5d8e7ae97625a3efd3eadadd2fca8272b2e810c2eb1a4640a83

SHA512
4e9b92077bca84c7c9fd7200752c4241f629a87b4e5801443888349373f054b5d435cbc7831788f4b941f67d497f425e9da03d7badadad42d0a4f3d68617bb36

Download Submit
C:\Users\Admin\AppData\Local\Temp\YEEI.exe

Filesize
202KB

MD5
ae5ad9472d6b9ba403b9cc94a51b105e

SHA1
bd19a3c99de89f5cfcfc92407958680a3eaeb2ff

SHA256
98a85b29a42c1d3a7dad77ea0fad71922acc2d98eeddc41183440269a8da0f48

SHA512
064e9afc804b59f6edaf9b368888b34f6e679b1e81a5f37817c841bc9b1d963762e81cdb6d463efa0fb566cd98c9f61332c4a49ff55f48dcf6e045cf88a1da68

Download Submit
C:\Users\Admin\AppData\Local\Temp\YEkW.exe

Filesize
450KB

MD5
12936867d7b2300dba0a2ee36bbe661c

SHA1
5ba876a6445fca85566ae3d86511893c1688fa37

SHA256
c711884b54f04402f423133cc4fdb1846d2ffb46ae86f245d31813476f354fb0

SHA512
d052125434727b8cd3adedd899c377c2c675178eb1e5cac84d537227262631d7b1300122ea5a4e3c1cdded73a66796bdc6ed24106f4cce541e88c6c22de833a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\YIAc.exe

Filesize
833KB

MD5
0e80aa19878f3eb6cc519f54b408b0e8

SHA1
67d4833d7188f7e28cd6398b9c15527a72a7db62

SHA256
05d148eaa4b3734c7d2dcc6e9d52f10f3437244a601c07cf9cd84cb92d7bb6b7

SHA512
d566a4da5ff2a473d3a1c4607db5d9777d628186c56858be54ffe3ad62a0981889f1f98b5cc18880bab52ea7eaad63f15623489d2f421da61d528aaceecdbe8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\YUkK.exe

Filesize
198KB

MD5
ee9829f4021458e07b266a57dfe3181d

SHA1
236442054b5e251c52d24a8f8cbcaffd5a18f041

SHA256
7150f1ea8813d7de8c35f15e9e2a7200922701cd3fabd5253992746eb119128c

SHA512
f80a13fb06f01c0e20da265b38a098563882c317a1895358a53764175254c9dc8e33c9df970994f37f0f43e3f406b3883a02673872ba0f806e99aadbc92c5f07

Download Submit
C:\Users\Admin\AppData\Local\Temp\YYEm.exe

Filesize
200KB

MD5
840e1301b0b5fe63371cf02ffc099421

SHA1
87adafe86e6a274124d940ce2dd2b48fde3a7dd2

SHA256
0412059e0192f11cff9517243966f884d67d2829820ffe68de7789249cfc5b18

SHA512
186c5ea63ae6ce8fd9c39170def28866b12f87d0b1095e4d68d4a6c1f638f321ccaed3ea64ff6ff0395504b2968567e2d0f6e89b0c6f6ab7703e63e191426638

Download Submit
C:\Users\Admin\AppData\Local\Temp\YYIy.exe

Filesize
326KB

MD5
d167469550e9e74dd4f0c070543cf5fc

SHA1
61872746542c06475b976d454b8a24d3d9c661fb

SHA256
5901c2b38ba8f0082957f20b49d2e3110c065fc8f8e368f9bf136bf620a9aa00

SHA512
fded3c41561dd54c1c21ef9ecbcd51e132d0c79c00d020f329f8ee66adeb5c626254869e882de4e552d98ceea8c31162038290a9a0523c9817d18976bd605bd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ycwc.exe

Filesize
211KB

MD5
3682a29d8f135efbf0defbb7a547d664

SHA1
fbecff5300fcc0d6506a6697dd3ab3c834f960fc

SHA256
aa0df67ae4c6569577f23a5bb9b1d84af970985d5a0fcc8d312a5682a9fdf7f6

SHA512
ff36d220e4ec59e871c3c3614eab5d41052c44adb0df827c5b7291240830c6c3ddfcaefda89bb4abf32a1601682cf1aec179c8d1ba70d4ef3424c77052c7e8ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\YgUy.exe

Filesize
197KB

MD5
3391e502d5b62e3fb3cca3794eafe4ce

SHA1
c92dd714831f6e4c95cb1a9f33ff2d55580d3dcf

SHA256
a01b5289e7dc5fabab286a3bf6b4951600d3a4e09389a40f835c68ad63744065

SHA512
e6189a394953fbceacab8799ebbc87fea616c5e971013b94b951f89304785e148710e8751c18c98b64ff971d102df3c20e4657184e278d0d738170b76837fadd

Download Submit
C:\Users\Admin\AppData\Local\Temp\YoYw.exe

Filesize
637KB

MD5
e3d69d2c27565da6c7a26e0667ed2b89

SHA1
b14564bc248f9483fdd79c1fe0e297a58eb19a41

SHA256
28a27efc848ad18c1b8fc096aced74d6c993165236c901572e2f731a13ca975d

SHA512
798802a0427bd87c061425ff8c02be06750722a1b2afe0ab1b8b89f81806f28f1473a9750ab72f661f15e9e6268d80f24f83ca0b03e169306f78fd0497534303

Download Submit
C:\Users\Admin\AppData\Local\Temp\aIso.exe

Filesize
620KB

MD5
a00c9d1059d6fa6bd3c1f2392a0908ee

SHA1
eef1d27ef81a347f5df7f5c0c7202cb3102e3637

SHA256
af526d200110cbba3b6c4f2f7a763dfc6ad980db73f58cec2c0167b09a1c2a98

SHA512
94f356c31f23e7b12a6e97a2fb4c66d09ec63a4a944b2ff2de6afea1328fc1dcb9263680a5febc8b7adc8ce3b13000399ed91add066630dd9c798029dbf7adcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\aIwO.exe

Filesize
196KB

MD5
6b9e60b9909b5f3bc1a600cad7597dbe

SHA1
0e54fa0be4487eb9a29e8b17f02eb30440b0f707

SHA256
5805f9243c0caa82ff7dc2e2c7ed8faff6479e496f4ceb753a0413c93abb7d86

SHA512
7f2d884bfdac85aa2dbcd77e135dfc5fb58de521238ad88eb26d174d0e89388f695bf24d8a6196b60ed7a3449cde83f5338f92ee848b680cc587ae682be21fdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\aQMA.exe

Filesize
262KB

MD5
f47bfd77739c6cd7857bf7afd9459ab7

SHA1
1edb7fb7e923cd67f5d12c2b01b9b4351033c8b9

SHA256
9a25bc01a8f6c9186a0019a0c5875a0a39f0b16a9ba8939f5fb6e7e54728e6d7

SHA512
b4174ddf0e046973e06be65d347e3be69501652daba2ff00c875c56c68c707f92416c38b9ac9ec0cc7b284a3f793fa1194b3539c5d7125aafbb0b8772c0eb051

Download Submit
C:\Users\Admin\AppData\Local\Temp\aYQg.exe

Filesize
223KB

MD5
20a17a9b13fd6b1ef7fab216f67f4ff8

SHA1
03963dc7d45222a30ebc0649a4463143e9241305

SHA256
13c98b941d138bde51c0b35668d06d9daf3b5c383da9c71bc6462edfa22d3668

SHA512
419b8a4b58594367611739672e86913179ae6b547b5efc820d3aa0d2c0d522bcdd2c5d7d65971518cec79c37f1d1d57f19032d74cacf7fd9b92b2ee8a91cddfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\aYkq.exe

Filesize
194KB

MD5
99e7f1d2b37500e5594051cedb2eeabf

SHA1
6a9e757825ba0a07cbde2164230cfe12142c6d57

SHA256
4d38a6f9c6c46ea8780275998ad974b60d3ab0cdebddf70bd08ab10c25c15303

SHA512
73e83df77d7d28f58ca227f2a48d3801fa521365bb0a9cfbf4706a0ef1547203f19e27f9e69f1b71c5f819ad3aae6532ec60b8d0e36d0ad4e2f5a0bc3a2f4923

Download Submit
C:\Users\Admin\AppData\Local\Temp\awUq.exe

Filesize
195KB

MD5
3c04eeb6990aa9d47eb68fddcda8c7ca

SHA1
92428411ea216ed917994926a75e9e3496da50db

SHA256
0ca164d907b91d06620e275d70a6ebf7dea487e3e972e9b6e63247193897fd35

SHA512
03abbcf2d1a5d4c88f3c3a8d36ee9cac56041a7166e426e76b49d28533fd9f5ce3416027e33373cbcaa1f7fc27050cc85910a46c41f7182358dbadf7b2e1f275

Download Submit
C:\Users\Admin\AppData\Local\Temp\awce.exe

Filesize
964KB

MD5
d784b97e5fa1035c92e682a092f49317

SHA1
80f50fb925a102d7f0ba54270491475d4cab1dd0

SHA256
ee7af8229fc5a8a6055529ac68128d8b2bb8c6ae4a8be0261526e6a59b0bcae6

SHA512
c28ccbaf07354d30baeb82d3720057616152673ec3d2701d636c9ebc4fb964cbc9b602b9c4dc3b7eabee4eac4423a483a1e277d8272860ee5b7f5f421f47f1ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\cAQe.exe

Filesize
187KB

MD5
a10fdc877848dff187a6d314992fddca

SHA1
0ad4b5c506bc20a2dabb945cc9555689032d7f79

SHA256
ceaeb513ff110657bd79b6c93561e2e22e370b5c5fbf3da2a0a375f60a027d44

SHA512
8e6059d514aea4e95c62de83b141ad1e02e48d7eae0faeab91eac691975ff463560c53184fb7d64d4b4068dfecf783b8393deedf47ed8e66142b3672cf542d43

Download Submit
C:\Users\Admin\AppData\Local\Temp\cEYy.exe

Filesize
432KB

MD5
45bf17fdbe323fbaf4bf7889c7ab68e9

SHA1
b45888d576ecd862efcd9a6791decdd28940f2fd

SHA256
65fe8c504f393ec58bc1797bb5d1e44d9d1790b4e08c436e07585f3ae4628e76

SHA512
860ac7e7587c20aafbb83d620aeb7c2476e99d39690e4a7b9941f9d2fd9914c364e3f699b12d6455683e29cad1036800943031d827fb32dadeec26da2dadfe5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ckMi.exe

Filesize
200KB

MD5
df89a66871981d6f3c2b305d7d3b8e9c

SHA1
c7c974b6dcff720fd921bb15424711dd036b1776

SHA256
b22922bd1003c759ebef56c0b95ef44cea3ca7fb634bcba39264257cb958f5ca

SHA512
537447ebf61446594350876a9b367dc8d7142eb60551013e774d53b8610017174828a68208b33bb5373b167adb81f179e757f8123fd76d0ccae31acccbe08f65

Download Submit
C:\Users\Admin\AppData\Local\Temp\coQU.exe

Filesize
190KB

MD5
a8525b8176c51509ea2b0a2f55c2c710

SHA1
1ee758ef683dc0867179493da4d794800d5ab5ed

SHA256
f4caab40894d9d41ae5e33834039d50ff3bf011a673bc8f8d87716761ccc6806

SHA512
755ce59684b438629d17d1e08eeaaf93bed950a0031b651d0bb4730a5dda276a88acf4eb23cf6bc159c73443cc1ee4b0ad7b6f0f3f0ff8c0a2220fe48db24d90

Download Submit
C:\Users\Admin\AppData\Local\Temp\eUku.ico

Filesize
4KB

MD5
6edd371bd7a23ec01c6a00d53f8723d1

SHA1
7b649ce267a19686d2d07a6c3ee2ca852a549ee6

SHA256
0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7

SHA512
65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\eUom.exe

Filesize
314KB

MD5
3eb92ff046243e7947dd62a60cc7eb75

SHA1
fc4c904508bed23d8cf81f452b23feaa1807789f

SHA256
a08f2956781c957e9651eaa6456804fcd81b5e425415ef70d26f6edbb1bf8058

SHA512
0f09cbdc29305f86da8a0b093bb0b3a927c78b50548dbf227261360d52c132c0f3bbe337fcbeeb3fce5a376ec033c2bc74ecdb423dc2c66654ee551da18c3d05

Download Submit
C:\Users\Admin\AppData\Local\Temp\eggW.exe

Filesize
222KB

MD5
dd28db2c935a0e942e68e71bd4d2fb78

SHA1
f392f0265db9a56722b36107c3a04c39715129f1

SHA256
688deda5168c589c6436ea9b848f671b1a80e968f6cf6d57f405952eeb67e57e

SHA512
944d95f3edf677605d43589107967dfed81b3af8125a94e49fbef50ee6c6ca42b3215b8fa64ab3572dc4609448c4fe592a01f6ea01585be8662fda5bd226adda

Download Submit
C:\Users\Admin\AppData\Local\Temp\ekEM.exe

Filesize
2.5MB

MD5
1df91e2c0839af586910ea360ae7a85d

SHA1
d5389979c327429bb7649a0b90617e0eb807261e

SHA256
44239db566542ffbd08ca8898e8287b673f1daae527f45a612600e0d44517d90

SHA512
afa156e9bb7c434489e231d7cfaa0d9e07cf00e41f949c91022eacb62179df88474aa9415f403520ddce4af40fcb86b56d829001a8251cb6c88535ab6c549b95

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gGssQEkk.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\gcUm.exe

Filesize
220KB

MD5
1d93d6da8817ec735789fc2146763ea3

SHA1
992ba43b731ba46aea6146aa86ef884194b28155

SHA256
84b5214a9a10ccdea1999495c96a95390b189d6abeea50b4389ab80856d6202d

SHA512
ead145450ef555c058e70db3c50b24b1abcfc800fb77bbd9532926c4dd97212805d03efb23227d96daa7806283160c7039ce7c31201e364c38c5f23c3d47e905

Download Submit
C:\Users\Admin\AppData\Local\Temp\gsQe.exe

Filesize
196KB

MD5
c1a8df5077fb49d6f0814e452f786e80

SHA1
e92e56b8c1047ece9b58c5bc9bf851c6c0703249

SHA256
764fe11bd69fbb05c056f43b465467f97f66ff89fb3d649ca16bb5e10fabb044

SHA512
56f761ce297c681e6165864bb8462c8fb9b6adb3359ca80bddedeb65daa67c9d7e31cfa55f14f2c2689c559280fa781777b9d6bca180538cfeed860c35c8c772

Download Submit
C:\Users\Admin\AppData\Local\Temp\gsUe.exe

Filesize
198KB

MD5
d0d14dbe2156faf1cfb8be2b4e3aa619

SHA1
3c8161c9794ba2c4c5372e5623846ca602c31418

SHA256
d61af1370360ae2f35ab4f2e0e407289e36f6c5dde1b97fcb7563e25c8df72ec

SHA512
0ef6f47abde30b3080fbeb31f6de17885fbe60a335069b513a35f3091f393ed312048fe227ce8b448a85a759dce7d9f7a0b4b3ebb18bdc51b3ed44186dc83b26

Download Submit
C:\Users\Admin\AppData\Local\Temp\gwQU.exe

Filesize
190KB

MD5
c2e083d199787b0355c053503f41a3fd

SHA1
a612e769d9d8a881340334f3500f8a6f5f537e7d

SHA256
e68b642be8cff720314f26cef2e3d63a352fe592688235241e92bd09db3fc1c9

SHA512
01806b255a3ed570524867946b101d6a83d3f23a526588fc968e9109ac6acf100d68a701a7622afc1b84f1b831d2cc869b94a3484411ee0e1470c72dd6092e3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\iAYq.exe

Filesize
188KB

MD5
dbca999aa9e54cbbb570a64b9650e090

SHA1
f288278721a4fade5fc1950f5d091fdc4e6d5c6b

SHA256
6752db7d7876a583482d5ab7e8566ae617947bbd079b6926cefec67ba4691d83

SHA512
ed6f1562a524a1fc06a7c22070349e3b08007d97c2d48e84d2c909cf01466d95860aae0c22d065601f7a1cab5b18cc92c1b24697c75cecc602a8424ce205feed

Download Submit
C:\Users\Admin\AppData\Local\Temp\iQIq.exe

Filesize
650KB

MD5
68cf5ebbbad9fd40c02d794df405a814

SHA1
a1a060de02aff1c4218e4ef6f4c6fc6bcaa56db9

SHA256
c59586367d335faf13fc3015898581579daee2b4349f4bba213beb3929ce5498

SHA512
7d26e5949a14f6f0e93f8a527d95f27a0634f3a754dadcf43b866e78f269a2e33f55a89522db9c419d26e623b260070bcf831d78ce09bba4e7c0324ff168cf7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\iYsG.exe

Filesize
197KB

MD5
97348615bf61ffb9e9482d9b6688dfa9

SHA1
5998fd49deeb8a7bef306cf9b611016c93a6f100

SHA256
6f5c0390a0493ed4f04d7bf65ca58285810d2e169f65d9beecfaec6af5bb17d2

SHA512
66f72a82913cdd230b304c8117aae15697a27b0d3a39b5d6a755347e147d033a9917cce142c11b739ca713d5c314c8a138d996f47bed5ae198ad6c746881c9f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ioMw.exe

Filesize
806KB

MD5
83797ed874015c800e64723611149703

SHA1
48b43151df08f9ada9a132f02519aeea2c745542

SHA256
597a95672d5f4b60caf4089a2dad083484f19b757ae908de494eb482282791ec

SHA512
35832387e0acdfb3e20f1db05ed0bf3f7807d4badd43855938cd98c73b9b619613ee09f4bd71773b29382285bfbca8097811935bfa7a054a3478896b9db0b2fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\iogc.exe

Filesize
198KB

MD5
715dae585df49cf8cce0f99e873ddb87

SHA1
eae577996240e2fc08b393ae4f5f04fc84c625ba

SHA256
a9e04d694ca4461c98e1ff8635ecf80537b6b965e5ed278f4de208502f5ea4e2

SHA512
4dfa503652e1e4ff2311fad978ba27eed4981bba2c70b1e0cdcc54724d55713b34ac4cd553aa8127a3024dbefe30cf399c7b22677270b80674fdfbe2ebbdccea

Download Submit
C:\Users\Admin\AppData\Local\Temp\iwoU.exe

Filesize
200KB

MD5
1b6930d1e6e3e67f557a975e9b6019f4

SHA1
247f1670d4a104aededb3835f0dd807d90b0f8b5

SHA256
e8adde7b5e6c197550839e00a4582502a63a4f3d10e12a18e61ac0a052b99abf

SHA512
53038b2edf058bcc8b055856f87b5813f8799649b21a989891df4db85c088e6f3ccc8c2801cb188d1277cb4d8be0caca1b0b13ef6958f757e34a40d6e6164ef3

Download Submit
C:\Users\Admin\AppData\Local\Temp\kgQK.exe

Filesize
1.4MB

MD5
48ec212b5c1a7e68ef5a81d0ef209f5e

SHA1
928c05c7edebe2d5a890c0332c804b114ebef02e

SHA256
995b0c0186940d20c285a5063166e9ef8a2efe8fec646cc73541e8953834c10a

SHA512
24778ab36682a75c099ef64246c23004ad89e9ad33967d3bc803e016de141a8db42c81677719d0f23e483ed0a5020887c0a06c7acc7d2e1726fb3fd90d3aa25a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ksEQ.exe

Filesize
644KB

MD5
686bc45809fb27c782b26ad91fbfbd7e

SHA1
4f59ab3f00c559ac2a4944a67b425b85f7a379af

SHA256
056fdf748ac991cb180ce15046db0d8a4f4f18fe17e29540beedaa01ac76150a

SHA512
b0501f7574a02430b6fa641f7363b130ae90ab95f41b68095e61ab74c4fb0a5e8624023b5b552e161604dd2e4c13f60bb98909eccc133cef167aa4fc29547b2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\mMUy.exe

Filesize
197KB

MD5
ff37fb3eb5ad048dc696e217240a54c8

SHA1
19b3392e06e82fc9e6c1b436fc9ab464f70188d1

SHA256
1a898f2c6c82f21c6b84fd673fa4cf3da23220ca09929a961eda380fd273bcb0

SHA512
660ba4068f7c9400bb53a986fca40efe76e337f1d2befa6380bbf3268dbde93e91de9b7bc518a855a70c6ca7e1dacb48d59f956e5c4d592e91d711ac2e0d20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\mgYW.exe

Filesize
583KB

MD5
151202c64942768eaab58a20ae02fb25

SHA1
02c9157b461230a825c77b8e51ff2b645b8be24f

SHA256
c37a1652b972644155b2c1216a3f5712a848fe3d5fe3a9c285f94939b0a792a2

SHA512
aecc5c93bbb401d6ac2bc9d1ee8c8e2093982df413842555f38d6f5ce6d3df893269f966595cf2a6916409e32af455e446ce24c0bd224c6c7be4a1367b9b64ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\msAs.exe

Filesize
774KB

MD5
864bca164c9e35f33ce3decf367a9d47

SHA1
8a64a3cd4857cc64c0274e0e48330c0ab70c6e06

SHA256
5e9c127258dcad67cdaacc8dcf477e2c6d610a72dbee5074a7cb9d4670f38200

SHA512
0c7d585a1592343b8b24316995e32e3c3db0e9e1d3af7d8775ebb954e08dca13021ec98a9b07c02a24502f217976e1917e8455d585dd858dcf07060ed68824a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\oAAE.ico

Filesize
4KB

MD5
ace522945d3d0ff3b6d96abef56e1427

SHA1
d71140c9657fd1b0d6e4ab8484b6cfe544616201

SHA256
daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd

SHA512
8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e

Download Submit
C:\Users\Admin\AppData\Local\Temp\oYYq.exe

Filesize
190KB

MD5
3723a4a3acfb2d70605fd5fe7b1dcec9

SHA1
9a10a37eefdd2ff525572ed7f5052d66fc8889f9

SHA256
43f0ab0d1c90033cb112eaef79167c88c207f6b911994d476efa2712115441ec

SHA512
8f38a0a94af07f11d9ac000d66d743de10fab693404a9638a5626b8c88b6a0960f9a693775aa40bf308c22b776a74699baff01911a015e9990ddd3c27c1e85e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ogQC.exe

Filesize
197KB

MD5
08e0ab3095480f2b34a4288d243dae7f

SHA1
2d07f00315756addbfaf953df1096f7481e91374

SHA256
a3d54c86efc37c6f7effcdfdda36ff033f255586f4b05965b28d9d5bdfd0afac

SHA512
23862b393091213766ca4ba8be79828210d4564d055d7574e4d2fd4f6e9deeb81db37a0543e37f98aa305d819bed7b90d7eb72e0c9c4d5a1f3014907e5f24b86

Download Submit
C:\Users\Admin\AppData\Local\Temp\ooUm.exe

Filesize
195KB

MD5
f9a875f2e8858ba74581e112a0bd928e

SHA1
1cf890db85e55b122b428a5fab76dd54d012ece2

SHA256
dab7f7a8114a500eb8f5f474d65086092f6282e9020b41fa030aa440d9d63d23

SHA512
2bff181d3d7a556321d79ddb836579573bb1da64e7223a7289e46bba297f74ec5c8b30f7fbe4db11a83503b05ad933d2e53451a4c59ac331b958aea9c7749810

Download Submit
C:\Users\Admin\AppData\Local\Temp\osMO.exe

Filesize
195KB

MD5
63b932d1f816d7fe2e5d030d0eaa8bd9

SHA1
17198d1dba9f2d92a2a601d4eb00e7aa601e6548

SHA256
649737daf09ac07498fa2caf23847c6c02a3b4b029442733e804fadfbe9bd225

SHA512
b9474bd190402c87efe221cc989e66a33b6334e972f4d9c0571159d13cfa29c756ca26ae191f2da839ca437d5ff0fe252d4ffe3faf5ab737c764781544901ced

Download Submit
C:\Users\Admin\AppData\Local\Temp\qUMa.exe

Filesize
226KB

MD5
6988301db1fe6a81f16ee38e5f812d85

SHA1
f83daf897d10e16f3a971e513cf05d9237f856ac

SHA256
a32a8ed4ac8efbd5a8fb498c8a41369576bcde7f70af2e3e8990115ae4b0cd23

SHA512
9cdaf37bf52fdd24dc66a373413ead9a0363c565c1c696893c4f5765991967fe9b736d9f797959f11bc6b5e534bacb38127be88a9c37ccc1beb9b5317b27674a

Download Submit
C:\Users\Admin\AppData\Local\Temp\sAAc.exe

Filesize
204KB

MD5
f1b5fc1a7c37c0eb24a78bddfb5d326b

SHA1
e4243b39ba12e023b6c87c4a1ab3d8e032c7de96

SHA256
a3fb70c997c47be9c6babf2cebb70b04dbcf25eda192b5f8c8704269b0e8ae7a

SHA512
83e7b5c25002eca979ca9d5cfaca943b9926698f534b5cacd9cc0baee0c11a2e41d537a3d5464829dd5abbeeb0be86fb58c71b16e9c92dd18d01d24f7a0c16ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\sQII.exe

Filesize
194KB

MD5
dc59cb0a5bb461f959a6fbd8b92cdb06

SHA1
be5592cfacd9d350af512ca2eca1e90d9cc88108

SHA256
9075d3be3ed2c2129a5aa1b8e7022919f852c8a96635e00772cdb56fb39e1895

SHA512
105b7f68e90c4b204a61aa89ce4bbf6b63e99c21fa6f1d353c701d8159cf1741e74384aebd0db661834274b99e2b263e71471c0a079daa3c956459b8ccabb76c

Download Submit
C:\Users\Admin\AppData\Local\Temp\uQca.exe

Filesize
194KB

MD5
4c96ddc3d570be5b693893541b40bd5a

SHA1
f614412e5bef3324fbfbe25cdb354310d7efb4de

SHA256
a2c95b0494f3113342c419fa3fc7e9349c4b83d86046be0e4180312342e1258b

SHA512
980963020f0cfda7ddd121c2e62039e377efa02f466e99e21151d729a382f6cf0b5c8bad04b56c9ca16d003a5f182faf792bc6e189ae728a1d6e51d16841fcb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ucMs.exe

Filesize
823KB

MD5
8a9ac27d3612bba6bd80f54ec364d522

SHA1
a32cf26828f16d5d117e83d9db68801840ee2179

SHA256
d4f79f65bcb4936e6906a8347496633b16604763704ad84baee3697585bb9714

SHA512
1ec0c1c8275e343f761336910e4f70b2e6126c306c6fd8f885e6fa59328c005f24428315e7cd414b4cca976ce6e1c1fdd22b0acfb2009d2369bdc121621a8ea1

Download Submit
C:\Users\Admin\AppData\Local\Temp\uoAy.exe

Filesize
198KB

MD5
5e07ca1237d741c9f60b65c6dc86beb2

SHA1
ee3732f5cc77cae3f3bccbbd4f942c5b59c821e8

SHA256
e1cd7e9f76b43d6c2db2823056430f76367400dcdb12c8b07f72ce4682ec3b65

SHA512
374a1025de52d206a0003a35fa295daaacd3402536601a26e8d4b14efce23b16dec7d1d9754c43780f8ce8dcf0c989cc651a9ec1a616545ed307d94dc698c767

Download Submit
C:\Users\Admin\AppData\Local\Temp\wEUS.exe

Filesize
825KB

MD5
d95131656c38170ec71f1770418003e9

SHA1
fe166880e714a409ed90980cd374c03826318348

SHA256
2821270b7b31cb75f649df8f08b0b04ff60be9e0c6c876bffa708e0309820f2f

SHA512
d52a45ba94ce712c2e3cb078e79b6744836d62a349bf5851ff05343b3bae1901dd8de0fb57baf980b09ba4514c81af194dd48b1c5be97e245b272d776cb191f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\wwsI.exe

Filesize
202KB

MD5
7b71ed1c51df921a3bb1ed7a05896bea

SHA1
0fe41a033dd3949d3966784d8ae36e6c9a554420

SHA256
903666f4b82827685e160580b5593ce21ab5c7a3e31bac885ee5697858406566

SHA512
ced046211adc606a70e8a41deaef4b9e5e791b1f5d94bf8697fc07999eacb39f5373aa8467c6bfcaac9060c4e831626342f994962c30ef21b81b1ed7c8f52962

Download Submit
C:\Users\Admin\AppData\Local\Temp\yMIi.exe

Filesize
544KB

MD5
cf8b67f80cbb74b765a28b5c4b3b0af3

SHA1
671a5b411dc3ce5bc2a12508c295eec8fed74dc1

SHA256
fb7ccaab404dad910907ca4abf2d58374e753da4373853a3c56571a76055a76a

SHA512
3dfe733ee1899163d7d34163791edc2198be8fb40788e5ffb003da00456fb853f160992f4bd4b35740534d40af74bc1016cb20323daf5de611e22d8a66d6dac1

Download Submit
C:\Users\Admin\Desktop\EditSwitch.png.exe

Filesize
813KB

MD5
42bcab22aa43e1f5b1d53825df76e3df

SHA1
4db761b2047c82666057d90bcac9094340613f9a

SHA256
7c55f060d8f016e7663772c4d1da63c5876c0962c79ee7bc723718946e6bd051

SHA512
28d7476e912664b2433b628b0143f0cb569c011225b2c5ab270a3a2a4bae7988767bcc1a0ce29a69fa693e09f31c3d0651b9519f038d6434076736e2c0e42ed2

Download Submit
C:\Users\Admin\eEEUAocQ\HqgQsocY.exe

Filesize
191KB

MD5
64a627dbb7cb6e027d335de4c47c6e30

SHA1
d38e75ea07a4daf4d57182b1f31c17bcaa7a46c5

SHA256
c5609dd724953ab05bd42453502303d9eb255372ba28fb53adae3848ec1c6328

SHA512
91c3656650f39e53d0c3fa3e3a595bad5e67c5b06fe2b095f2de5a2d3ade110f69eaa1c60ebcc241407d8d20347bc44856c0ab73697edd67c87a0c7b97d02e83

Download Submit
C:\Users\Admin\eEEUAocQ\HqgQsocY.inf

Filesize
4B

MD5
4d2255ee3e53c52161cb9da37d92f4f1

SHA1
487ef7890fd0e09f96bcffc66486335f55720fc2

SHA256
24426257ae3c776206ef07f64b8c001397d26a9347212c2ed3098adc351ab963

SHA512
dfc6e6ebb623736e3bd3fde449cd2376b19ef452c289e12e1f7b8b68fc45dd0523ec6087c7c5614d202ed3585f7b055e8a92b54fcfd8824da7c1a1f2d742908d

Download Submit
memory/448-390-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/448-382-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/608-242-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/608-256-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/944-343-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/944-351-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1004-520-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1004-531-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1012-0-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1012-19-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1192-301-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1192-316-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1296-20-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1296-33-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1308-157-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1308-141-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1356-287-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1356-361-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1356-352-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1368-484-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1368-473-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1536-107-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1536-92-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1888-532-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1888-542-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2096-215-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2096-233-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2128-340-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2140-145-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2140-129-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2624-270-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2632-68-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2632-84-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2632-133-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2632-118-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2692-435-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2692-427-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2956-503-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2956-514-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3020-7-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3024-398-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3024-387-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3384-58-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3384-42-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3408-153-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3408-171-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3444-490-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3444-502-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3644-418-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3668-447-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3668-436-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3712-121-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3808-465-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3808-456-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3896-167-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3896-183-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3956-444-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3956-455-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3960-57-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3960-72-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4376-324-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4376-312-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4400-296-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4400-283-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4452-370-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4452-380-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4452-278-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4452-266-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4516-399-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4516-409-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4568-191-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4568-207-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4568-229-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4568-245-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4572-292-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4572-306-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4588-511-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4588-523-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4716-195-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4716-180-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4792-358-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4792-369-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4792-461-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4792-476-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4840-485-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4840-494-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4952-414-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4952-426-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/5020-220-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/5020-203-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/5044-332-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/5068-34-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/5068-46-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/5076-15-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/5112-81-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/5112-96-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download