99bd1785216647cb7ae901102b93771477fd8659027902cd769c2c5a75490645

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
22/05/2024, 21:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
Size

206KB
MD5

603265859f744615bb91f46a55c837ef
SHA1

3092544ff20a4dfbc93b9f40df451b0530921e42
SHA256

99bd1785216647cb7ae901102b93771477fd8659027902cd769c2c5a75490645
SHA512

b8aca8d07f5997f5d527ab88521fa8d5ab1db52318e8b12ad08e0a8e9e111c64e7b995b29f263259eda16c82cf046335cc49be5e3d4b7f0151932f1b1d650f30
SSDEEP

3072:ZarrtQNBGldrMfEU+l9Srlru/k1Za42DeH/gF34qCfEmMuv+QUkC6BM6a/:srrtQizrY8aoHV4vJ5veMM6

Score

10^/10

evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found

Renames multiple (82) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	buYYUgYg.exe

Executes dropped EXE 2 IoCs

pid	Process
1052	buYYUgYg.exe
3820	GEMooIEk.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\GEMooIEk.exe = "C:\\ProgramData\\lYkUYocs\\GEMooIEk.exe"	2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\buYYUgYg.exe = "C:\\Users\\Admin\\DCgQUEcg\\buYYUgYg.exe"	buYYUgYg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\GEMooIEk.exe = "C:\\ProgramData\\lYkUYocs\\GEMooIEk.exe"	GEMooIEk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\buYYUgYg.exe = "C:\\Users\\Admin\\DCgQUEcg\\buYYUgYg.exe"	2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\shell32.dll.exe	buYYUgYg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
2212	reg.exe
4712	reg.exe
4448	reg.exe
4656	reg.exe
4404	reg.exe
1020	reg.exe
532	Process not Found
3640	Process not Found
4936	reg.exe
5036	reg.exe
2468	reg.exe
3212	reg.exe
3016	reg.exe
868	reg.exe
1988	Process not Found
2596	reg.exe
4196	reg.exe
5040	Process not Found
4036	reg.exe
928	Process not Found
512	Process not Found
2192	reg.exe
3208	reg.exe
4352	reg.exe
3384	reg.exe
4872	reg.exe
1652	reg.exe
4920	reg.exe
4872	Process not Found
320	reg.exe
3960	reg.exe
4424	reg.exe
964	reg.exe
3900	reg.exe
2008	reg.exe
3416	Process not Found
2884	reg.exe
5040	reg.exe
4984	reg.exe
4920	reg.exe
2044	reg.exe
4048	Process not Found
5036	reg.exe
4680	reg.exe
4344	reg.exe
2760	reg.exe
4276	reg.exe
3948	Process not Found
3640	reg.exe
620	reg.exe
2984	reg.exe
1196	reg.exe
1228	reg.exe
5068	reg.exe
3628	Process not Found
1608	reg.exe
3716	reg.exe
4236	reg.exe
2156	Process not Found
4400	reg.exe
4468	reg.exe
4892	reg.exe
684	reg.exe
2380	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2928	2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
2928	2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
2928	2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
2928	2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
376	2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
376	2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
376	2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
376	2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
5080	2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
5080	2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
5080	2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
5080	2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
3172	2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
3172	2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
3172	2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
3172	2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
4712	2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
4712	2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
4712	2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
4712	2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
4572	2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
4572	2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
4572	2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
4572	2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
4292	2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
4292	2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
4292	2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
4292	2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
3664	2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
3664	2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
3664	2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
3664	2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
5020	2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
5020	2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
5020	2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
5020	2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
1636	2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
1636	2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
1636	2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
1636	2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
1176	2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
1176	2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
1176	2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
1176	2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
4292	2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
4292	2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
4292	2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
4292	2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
4404	2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
4404	2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
4404	2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
4404	2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
5068	2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
5068	2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
5068	2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
5068	2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
2896	2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
2896	2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
2896	2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
2896	2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
4624	2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
4624	2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
4624	2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
4624	2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1052	buYYUgYg.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1052	buYYUgYg.exe
1052	buYYUgYg.exe
1052	buYYUgYg.exe
1052	buYYUgYg.exe
1052	buYYUgYg.exe
1052	buYYUgYg.exe
1052	buYYUgYg.exe
1052	buYYUgYg.exe
1052	buYYUgYg.exe
1052	buYYUgYg.exe
1052	buYYUgYg.exe
1052	buYYUgYg.exe
1052	buYYUgYg.exe
1052	buYYUgYg.exe
1052	buYYUgYg.exe
1052	buYYUgYg.exe
1052	buYYUgYg.exe
1052	buYYUgYg.exe
1052	buYYUgYg.exe
1052	buYYUgYg.exe
1052	buYYUgYg.exe
1052	buYYUgYg.exe
1052	buYYUgYg.exe
1052	buYYUgYg.exe
1052	buYYUgYg.exe
1052	buYYUgYg.exe
1052	buYYUgYg.exe
1052	buYYUgYg.exe
1052	buYYUgYg.exe
1052	buYYUgYg.exe
1052	buYYUgYg.exe
1052	buYYUgYg.exe
1052	buYYUgYg.exe
1052	buYYUgYg.exe
1052	buYYUgYg.exe
1052	buYYUgYg.exe
1052	buYYUgYg.exe
1052	buYYUgYg.exe
1052	buYYUgYg.exe
1052	buYYUgYg.exe
1052	buYYUgYg.exe
1052	buYYUgYg.exe
1052	buYYUgYg.exe
1052	buYYUgYg.exe
1052	buYYUgYg.exe
1052	buYYUgYg.exe
1052	buYYUgYg.exe
1052	buYYUgYg.exe
1052	buYYUgYg.exe
1052	buYYUgYg.exe
1052	buYYUgYg.exe
1052	buYYUgYg.exe
1052	buYYUgYg.exe
1052	buYYUgYg.exe
1052	buYYUgYg.exe
1052	buYYUgYg.exe
1052	buYYUgYg.exe
1052	buYYUgYg.exe
1052	buYYUgYg.exe
1052	buYYUgYg.exe
1052	buYYUgYg.exe
1052	buYYUgYg.exe
1052	buYYUgYg.exe
1052	buYYUgYg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2928 wrote to memory of 1052	2928	2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe	83
PID 2928 wrote to memory of 1052	2928	2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe	83
PID 2928 wrote to memory of 1052	2928	2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe	83
PID 2928 wrote to memory of 3820	2928	2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe	84
PID 2928 wrote to memory of 3820	2928	2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe	84
PID 2928 wrote to memory of 3820	2928	2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe	84
PID 2928 wrote to memory of 3416	2928	2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe	85
PID 2928 wrote to memory of 3416	2928	2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe	85
PID 2928 wrote to memory of 3416	2928	2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe	85
PID 3416 wrote to memory of 376	3416	cmd.exe	87
PID 3416 wrote to memory of 376	3416	cmd.exe	87
PID 3416 wrote to memory of 376	3416	cmd.exe	87
PID 2928 wrote to memory of 540	2928	2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe	88
PID 2928 wrote to memory of 540	2928	2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe	88
PID 2928 wrote to memory of 540	2928	2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe	88
PID 2928 wrote to memory of 3372	2928	2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe	89
PID 2928 wrote to memory of 3372	2928	2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe	89
PID 2928 wrote to memory of 3372	2928	2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe	89
PID 2928 wrote to memory of 5036	2928	2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe	90
PID 2928 wrote to memory of 5036	2928	2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe	90
PID 2928 wrote to memory of 5036	2928	2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe	90
PID 2928 wrote to memory of 2424	2928	2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe	91
PID 2928 wrote to memory of 2424	2928	2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe	91
PID 2928 wrote to memory of 2424	2928	2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe	91
PID 2424 wrote to memory of 1512	2424	cmd.exe	96
PID 2424 wrote to memory of 1512	2424	cmd.exe	96
PID 2424 wrote to memory of 1512	2424	cmd.exe	96
PID 376 wrote to memory of 4108	376	2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe	97
PID 376 wrote to memory of 4108	376	2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe	97
PID 376 wrote to memory of 4108	376	2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe	97
PID 376 wrote to memory of 3948	376	2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe	99
PID 376 wrote to memory of 3948	376	2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe	99
PID 376 wrote to memory of 3948	376	2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe	99
PID 376 wrote to memory of 1912	376	2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe	100
PID 376 wrote to memory of 1912	376	2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe	100
PID 376 wrote to memory of 1912	376	2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe	100
PID 376 wrote to memory of 2900	376	2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe	101
PID 376 wrote to memory of 2900	376	2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe	101
PID 376 wrote to memory of 2900	376	2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe	101
PID 376 wrote to memory of 4552	376	2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe	102
PID 376 wrote to memory of 4552	376	2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe	102
PID 376 wrote to memory of 4552	376	2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe	102
PID 4108 wrote to memory of 5080	4108	cmd.exe	107
PID 4108 wrote to memory of 5080	4108	cmd.exe	107
PID 4108 wrote to memory of 5080	4108	cmd.exe	107
PID 4552 wrote to memory of 3668	4552	cmd.exe	108
PID 4552 wrote to memory of 3668	4552	cmd.exe	108
PID 4552 wrote to memory of 3668	4552	cmd.exe	108
PID 5080 wrote to memory of 4044	5080	2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe	109
PID 5080 wrote to memory of 4044	5080	2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe	109
PID 5080 wrote to memory of 4044	5080	2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe	109
PID 4044 wrote to memory of 3172	4044	cmd.exe	111
PID 4044 wrote to memory of 3172	4044	cmd.exe	111
PID 4044 wrote to memory of 3172	4044	cmd.exe	111
PID 5080 wrote to memory of 3288	5080	2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe	112
PID 5080 wrote to memory of 3288	5080	2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe	112
PID 5080 wrote to memory of 3288	5080	2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe	112
PID 5080 wrote to memory of 4312	5080	2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe	113
PID 5080 wrote to memory of 4312	5080	2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe	113
PID 5080 wrote to memory of 4312	5080	2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe	113
PID 5080 wrote to memory of 4560	5080	2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe	114
PID 5080 wrote to memory of 4560	5080	2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe	114
PID 5080 wrote to memory of 4560	5080	2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe	114
PID 5080 wrote to memory of 2120	5080	2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe	115

C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2928
- C:\Users\Admin\DCgQUEcg\buYYUgYg.exe
  "C:\Users\Admin\DCgQUEcg\buYYUgYg.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:1052
- C:\ProgramData\lYkUYocs\GEMooIEk.exe
  "C:\ProgramData\lYkUYocs\GEMooIEk.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:3820
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3416
- - C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
    C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:376
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4108
    - - C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:5080
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4044
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock"
        8⤵
        
        PID:712
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock"
        10⤵
        
        PID:1336
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock"
        12⤵
        
        PID:4792
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock"
        14⤵
        
        PID:2408
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock"
        16⤵
        
        PID:2120
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock"
        18⤵
        
        PID:1952
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock"
        20⤵
        
        PID:376
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock"
        22⤵
        
        PID:1388
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock"
        24⤵
        
        PID:2892
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock"
        26⤵
        
        PID:1228
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock"
        28⤵
        
        PID:4528
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        29⤵
        
        PID:2596
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock"
        30⤵
        
        PID:1480
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock"
        32⤵
        
        PID:5116
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock
        33⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock"
        34⤵
        
        PID:3716
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock
        35⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock"
        36⤵
        
        PID:2224
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock
        37⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock"
        38⤵
        
        PID:2408
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock
        39⤵
        
        PID:620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock"
        40⤵
        
        PID:4664
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock
        41⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock"
        42⤵
        
        PID:1912
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock
        43⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock"
        44⤵
        
        PID:4236
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock
        45⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock"
        46⤵
        
        PID:3176
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock
        47⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock"
        48⤵
        
        PID:4052
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        49⤵
        
        PID:4824
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock
        49⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock"
        50⤵
        
        PID:2596
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        51⤵
        
        PID:2284
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock
        51⤵
        
        PID:820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock"
        52⤵
        
        PID:4960
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock
        53⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock"
        54⤵
        
        PID:5116
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock
        55⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock"
        56⤵
        
        PID:3184
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock
        57⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock"
        58⤵
        
        PID:1484
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock
        59⤵
        
        PID:820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock"
        60⤵
        
        PID:4548
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock
        61⤵
        
        PID:3664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock"
        62⤵
        
        PID:2612
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock
        63⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock"
        64⤵
        
        PID:1960
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock
        65⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock"
        66⤵
        
        PID:3324
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        67⤵
        
        PID:820
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock
        67⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock"
        68⤵
        
        PID:2732
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock
        69⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock"
        70⤵
        
        PID:2728
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock
        71⤵
        
        PID:736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock"
        72⤵
        
        PID:4456
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock
        73⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock"
        74⤵
        
        PID:3020
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock
        75⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock"
        76⤵
        
        PID:3824
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock
        77⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock"
        78⤵
        
        PID:2736
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock
        79⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock"
        80⤵
        
        PID:3828
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock
        81⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock"
        82⤵
        
        PID:1704
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock
        83⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock"
        84⤵
        
        PID:428
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock
        85⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock"
        86⤵
        
        PID:684
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock
        87⤵
        
        PID:3284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock"
        88⤵
        
        PID:1016
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock
        89⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock"
        90⤵
        
        PID:2892
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock
        91⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock"
        92⤵
        
        PID:4524
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock
        93⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock"
        94⤵
        
        PID:4188
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock
        95⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock"
        96⤵
        
        PID:4448
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock
        97⤵
        
        PID:732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock"
        98⤵
        
        PID:4804
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock
        99⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock"
        100⤵
        
        PID:4480
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock
        101⤵
        
        PID:3372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock"
        102⤵
        
        PID:4640
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock
        103⤵
        
        PID:3212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock"
        104⤵
        
        PID:4848
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock
        105⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock"
        106⤵
        
        PID:2008
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock
        107⤵
        
        PID:3268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock"
        108⤵
        
        PID:2100
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock
        109⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock"
        110⤵
        
        PID:3220
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        111⤵
        
        PID:1336
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock
        111⤵
        
        PID:3696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock"
        112⤵
        
        PID:380
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock
        113⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock"
        114⤵
        
        PID:1512
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock
        115⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock"
        116⤵
        
        PID:2796
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock
        117⤵
        
        PID:1020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock"
        118⤵
        
        PID:820
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock
        119⤵
        
        PID:3288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock"
        120⤵
        
        PID:4856
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        121⤵
        
        PID:2892
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock
        121⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock"
        122⤵
        
        PID:3020
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock
        123⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock"
        124⤵
        
        PID:4956
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock
        125⤵
        
        PID:3696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock"
        126⤵
        
        PID:4352
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock
        127⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock"
        128⤵
        
        PID:696
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock
        129⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock"
        130⤵
        
        PID:660
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        131⤵
        
        PID:2224
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock
        131⤵
        
        PID:3776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock"
        132⤵
        
        PID:1020
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock
        133⤵
        
        PID:4108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock"
        134⤵
        
        PID:820
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock
        135⤵
        
        PID:4204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock"
        136⤵
        
        PID:4264
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock
        137⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock"
        138⤵
        
        PID:3048
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        139⤵
        
        PID:620
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock
        139⤵
        
        PID:4196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock"
        140⤵
        
        PID:1220
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock
        141⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock"
        142⤵
        
        PID:3760
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock
        143⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock"
        144⤵
        
        PID:1788
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock
        145⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock"
        146⤵
        
        PID:2984
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        147⤵
        
        PID:660
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock
        147⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock"
        148⤵
        
        PID:2100
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock
        149⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock"
        150⤵
        
        PID:5040
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        151⤵
        
        PID:1704
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock
        151⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock"
        152⤵
        
        PID:1832
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock
        153⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock"
        154⤵
        
        PID:2940
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock
        155⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock"
        156⤵
        
        PID:4204
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock
        157⤵
        
        PID:3384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock"
        158⤵
        
        PID:2744
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock
        159⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock"
        160⤵
        
        PID:2928
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock
        161⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock"
        162⤵
        
        PID:2124
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock
        163⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock"
        164⤵
        
        PID:3392
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock
        165⤵
        
        PID:3896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock"
        166⤵
        
        PID:4972
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock
        167⤵
        
        PID:1216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock"
        168⤵
        
        PID:4044
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock
        169⤵
        
        PID:540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock"
        170⤵
        
        PID:4380
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock
        171⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock"
        172⤵
        
        PID:4196
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock
        173⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock"
        174⤵
        
        PID:3200
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock
        175⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock"
        176⤵
        
        PID:4404
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock
        177⤵
        
        PID:4292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock"
        178⤵
        
        PID:3584
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock
        179⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock"
        180⤵
        
        PID:408
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock
        181⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock"
        182⤵
        
        PID:5108
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        183⤵
        
        PID:2940
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock
        183⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock"
        184⤵
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock
        185⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock"
        186⤵
        
        PID:3796
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock
        187⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock"
        188⤵
        
        PID:2400
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock
        189⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock"
        190⤵
        
        PID:464
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock
        191⤵
        
        PID:4136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock"
        192⤵
        
        PID:2468
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        193⤵
        
        PID:4808
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock
        193⤵
        
        PID:3152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock"
        194⤵
        
        PID:2052
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        195⤵
        
        PID:3204
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock
        195⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock"
        196⤵
        
        PID:2892
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock
        197⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock"
        198⤵
        
        PID:732
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock
        199⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock"
        200⤵
        
        PID:1484
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock
        201⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock"
        202⤵
        
        PID:4568
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        203⤵
        
        PID:4292
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock
        203⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock"
        204⤵
        
        PID:3780
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock
        205⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock"
        206⤵
        
        PID:3760
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock
        207⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock"
        208⤵
        
        PID:2384
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock
        209⤵
        
        PID:648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock"
        210⤵
        
        PID:3416
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        211⤵
        
        PID:4276
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock
        211⤵
        
        PID:3176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock"
        212⤵
        
        PID:2496
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock
        213⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock"
        214⤵
        
        PID:4724
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        215⤵
        
        PID:3016
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock
        215⤵
        
        PID:3600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock"
        216⤵
        
        PID:648
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        217⤵
        
        PID:684
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock
        217⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock"
        218⤵
        
        PID:4448
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock
        219⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock"
        220⤵
        
        PID:636
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock
        221⤵
        
        PID:548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock"
        222⤵
        
        PID:1844
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock
        223⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock"
        224⤵
        
        PID:3268
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        225⤵
        
        PID:3152
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock
        225⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock"
        226⤵
        
        PID:4984
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        227⤵
        
        PID:320
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock
        227⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock"
        228⤵
        
        PID:736
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock
        229⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock"
        230⤵
        
        PID:3384
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock
        231⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock"
        232⤵
        
        PID:4040
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock
        233⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock"
        234⤵
        
        PID:2588
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock
        235⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock"
        236⤵
        
        PID:396
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock
        237⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock"
        238⤵
        
        PID:1216
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock
        239⤵
        
        PID:3216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock"
        240⤵
        
        PID:1832
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock
        241⤵
        
        PID:832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock"
        242⤵
        
        PID:2720
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock
        243⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock"
        244⤵
        
        PID:4848
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock
        245⤵
        
        PID:3780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock"
        246⤵
        
        PID:4180
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock
        247⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock"
        248⤵
        
        PID:3340
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock
        249⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock"
        250⤵
        
        PID:1844
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock
        251⤵
        
        PID:3424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock"
        252⤵
        
        PID:1328
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock
        253⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock"
        254⤵
        
        PID:4476
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock
        255⤵
        
        PID:3204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock"
        256⤵
        
        PID:4824
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock
        257⤵
        
        PID:1176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock"
        258⤵
        
        PID:320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        258⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        256⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        256⤵
        
        PID:3532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        256⤵
        UAC bypass
        Modifies registry key
        
        PID:3960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YSEAQEQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe""
        256⤵
        
        PID:4912
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        257⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        257⤵
        
        PID:4792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        254⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        254⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        254⤵
        
        PID:696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZAUwgoUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe""
        254⤵
        
        PID:4804
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        255⤵
        
        PID:3180
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        255⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        252⤵
        
        PID:4136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        252⤵
        
        PID:1048
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        253⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        252⤵
        
        PID:3268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fqMccEUg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe""
        252⤵
        
        PID:2040
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        253⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        253⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        250⤵
        
        PID:3100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        250⤵
        
        PID:2540
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        251⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        250⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NSgYUwAM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe""
        250⤵
        
        PID:4972
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        251⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        251⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        248⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4824
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        249⤵
        
        PID:3176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        248⤵
        
        PID:2736
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        249⤵
        
        PID:396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        248⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YkEEwgAM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe""
        248⤵
        
        PID:2884
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        249⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        249⤵
        
        PID:3716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        246⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        246⤵
        
        PID:2004
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        247⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        246⤵
        UAC bypass
        
        PID:3288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iEIsEMEc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe""
        246⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        247⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        244⤵
        
        PID:3372
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        245⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        244⤵
        
        PID:4792
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        245⤵
        
        PID:3216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        244⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ECcgUQkc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe""
        244⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        245⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        242⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        242⤵
        
        PID:3840
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        243⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        242⤵
        
        PID:736
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        243⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rMQsoQEg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe""
        242⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        243⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        240⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        240⤵
        
        PID:376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        240⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JGEwEQAE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe""
        240⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        241⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        238⤵
        Modifies visibility of file extensions in Explorer
        
        PID:868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        238⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        238⤵
        
        PID:2940
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        239⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VgcQwoEM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe""
        238⤵
        
        PID:3780
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        239⤵
        
        PID:3236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        236⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        236⤵
        
        PID:2468
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        237⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        236⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qaUAkEYg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe""
        236⤵
        
        PID:2620
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        237⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        237⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        234⤵
        
        PID:3012
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        235⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        234⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        234⤵
        UAC bypass
        
        PID:1484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YMcMcswg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe""
        234⤵
        
        PID:3900
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        235⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        232⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        232⤵
        
        PID:732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        232⤵
        UAC bypass
        
        PID:4568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GOAwsMEE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe""
        232⤵
        
        PID:2400
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        233⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        233⤵
        
        PID:716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        230⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        230⤵
        
        PID:4996
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        231⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        230⤵
        UAC bypass
        
        PID:1020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aOQwwkQI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe""
        230⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        231⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        228⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        228⤵
        
        PID:696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        228⤵
        
        PID:1088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RacwYMck.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe""
        228⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        229⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        226⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        226⤵
        
        PID:3084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        226⤵
        
        PID:868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bIEscoAY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe""
        226⤵
        
        PID:3372
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        227⤵
        
        PID:3288
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        227⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        224⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        224⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        224⤵
        UAC bypass
        Modifies registry key
        
        PID:4680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FIsQYAcs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe""
        224⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        225⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        222⤵
        
        PID:1892
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        223⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        222⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        222⤵
        
        PID:3180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qYQIMQMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe""
        222⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        223⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        220⤵
        
        PID:3324
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        221⤵
        
        PID:1020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        220⤵
        Modifies registry key
        
        PID:4872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        220⤵
        
        PID:3572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OAQgkwEU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe""
        220⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        221⤵
        
        PID:732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        218⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        218⤵
        
        PID:540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        218⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gqkcQMsg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe""
        218⤵
        
        PID:1016
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        219⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        216⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        216⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        216⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qWQIokYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe""
        216⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        217⤵
        
        PID:3236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        214⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        214⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        214⤵
        UAC bypass
        
        PID:4388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hMcIkEsQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe""
        214⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        215⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        212⤵
        
        PID:516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        212⤵
        
        PID:4180
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        213⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        212⤵
        UAC bypass
        Modifies registry key
        
        PID:2984
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        213⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FccQokUc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe""
        212⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        213⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        210⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        210⤵
        Modifies registry key
        
        PID:2760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        210⤵
        UAC bypass
        
        PID:3948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HMcIkgwI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe""
        210⤵
        
        PID:4048
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        211⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        211⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        208⤵
        Modifies registry key
        
        PID:2380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        208⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        208⤵
        
        PID:3372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TccUooUo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe""
        208⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        209⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        206⤵
        Modifies registry key
        
        PID:4920
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        207⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        206⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        206⤵
        UAC bypass
        
        PID:2496
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        207⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UCoYQwYo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe""
        206⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        207⤵
        
        PID:4180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        204⤵
        
        PID:1196
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        205⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        204⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        204⤵
        Modifies registry key
        
        PID:2192
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        205⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QCMAcYkA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe""
        204⤵
        
        PID:3572
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        205⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        205⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        202⤵
        
        PID:928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        202⤵
        
        PID:4804
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        203⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        202⤵
        UAC bypass
        
        PID:736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wWIMEQAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe""
        202⤵
        
        PID:3224
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        203⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        200⤵
        Modifies registry key
        
        PID:2044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        200⤵
        Modifies registry key
        
        PID:868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        200⤵
        UAC bypass
        
        PID:1684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pIUowoMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe""
        200⤵
        
        PID:3808
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        201⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        198⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        198⤵
        
        PID:3340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        198⤵
        UAC bypass
        
        PID:696
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        199⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xsEMAEgg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe""
        198⤵
        
        PID:3584
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        199⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        196⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        196⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        196⤵
        UAC bypass
        
        PID:4816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vUgsUMIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe""
        196⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        197⤵
        
        PID:464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        194⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        194⤵
        
        PID:5108
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        195⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        194⤵
        
        PID:1908
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        195⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dKEYEYAU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe""
        194⤵
        
        PID:3216
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        195⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        195⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        192⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        192⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        192⤵
        
        PID:972
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        193⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UmYEkgoI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe""
        192⤵
        
        PID:1228
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        193⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        190⤵
        Modifies registry key
        
        PID:5068
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        191⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        190⤵
        Modifies registry key
        
        PID:3384
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        191⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        190⤵
        UAC bypass
        
        PID:1512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qacEIssk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe""
        190⤵
        
        PID:684
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        191⤵
        
        PID:824
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        191⤵
        
        PID:3372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        188⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        188⤵
        
        PID:3288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        188⤵
        
        PID:320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ckMksMkU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe""
        188⤵
        
        PID:3204
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        189⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        186⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        186⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        186⤵
        UAC bypass
        Modifies registry key
        
        PID:3016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zWIkoggM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe""
        186⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        187⤵
        
        PID:3176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        184⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        184⤵
        Modifies registry key
        
        PID:1020
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        185⤵
        
        PID:1016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        184⤵
        
        PID:516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\negwoEAw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe""
        184⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        185⤵
        
        PID:3664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        182⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        182⤵
        Modifies registry key
        
        PID:3212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        182⤵
        
        PID:4792
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        183⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nWggIsAU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe""
        182⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        183⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        180⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        180⤵
        
        PID:1236
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        181⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        180⤵
        UAC bypass
        
        PID:4264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HGIAscYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe""
        180⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        181⤵
        
        PID:964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        178⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        178⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        178⤵
        UAC bypass
        
        PID:1684
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        179⤵
        
        PID:1020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AgQIEsYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe""
        178⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        179⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        176⤵
        
        PID:4808
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        177⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        176⤵
        Modifies registry key
        
        PID:2468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        176⤵
        
        PID:3572
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        177⤵
        
        PID:1388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ACoowoYc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe""
        176⤵
        
        PID:1904
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        177⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        177⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        174⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        174⤵
        
        PID:3796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        174⤵
        
        PID:4048
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        175⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aqcocYkc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe""
        174⤵
        
        PID:4568
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        175⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        175⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        172⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        172⤵
        
        PID:3808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        172⤵
        UAC bypass
        Modifies registry key
        
        PID:4712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vUAcEMsI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe""
        172⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        173⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        170⤵
        
        PID:1832
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        171⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        170⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        170⤵
        UAC bypass
        
        PID:3584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DsoYgsEw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe""
        170⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        171⤵
        
        PID:3152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        168⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        168⤵
        Modifies registry key
        
        PID:4404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        168⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rqAgkQQw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe""
        168⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        169⤵
        
        PID:3532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        166⤵
        
        PID:408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        166⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        166⤵
        
        PID:1176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ISkUsAQA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe""
        166⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        167⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        164⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        164⤵
        
        PID:732
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        165⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        164⤵
        UAC bypass
        
        PID:2620
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        165⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GCwQYMoA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe""
        164⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        165⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        162⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        162⤵
        Modifies registry key
        
        PID:320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        162⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OcMsUoMw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe""
        162⤵
        
        PID:2892
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        163⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        163⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        160⤵
        
        PID:2796
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        161⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        160⤵
        
        PID:2212
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        161⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        160⤵
        
        PID:1768
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        161⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KYcgQwso.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe""
        160⤵
        
        PID:408
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        161⤵
        
        PID:3084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        158⤵
        
        PID:824
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        159⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        158⤵
        
        PID:636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        158⤵
        UAC bypass
        
        PID:3176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RSUwUsEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe""
        158⤵
        
        PID:5108
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        159⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        159⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        156⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        156⤵
        
        PID:1908
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        157⤵
        
        PID:696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        156⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zYIMAogQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe""
        156⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        157⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        154⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        154⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        154⤵
        UAC bypass
        
        PID:1016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PywooQAM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe""
        154⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        155⤵
        
        PID:3416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        152⤵
        
        PID:972
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        153⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        152⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        152⤵
        
        PID:732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GGooEsoM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe""
        152⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        153⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        150⤵
        
        PID:1332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        150⤵
        
        PID:4792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        150⤵
        
        PID:2564
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        151⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\agMUoAUw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe""
        150⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        151⤵
        
        PID:1196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        148⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4424
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        149⤵
        
        PID:4108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        148⤵
        
        PID:3628
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        149⤵
        
        PID:1080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        148⤵
        UAC bypass
        
        PID:2892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WcEAQcoE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe""
        148⤵
        
        PID:4036
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        149⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        146⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        146⤵
        
        PID:4180
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        147⤵
        
        PID:3220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        146⤵
        Modifies registry key
        
        PID:4920
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        147⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aGoQAIMc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe""
        146⤵
        
        PID:636
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        147⤵
        
        PID:1020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        144⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        144⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        144⤵
        Modifies registry key
        
        PID:3716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZGgQUgYs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe""
        144⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        145⤵
        
        PID:972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        142⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        142⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        142⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DegMAwwM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe""
        142⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        143⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        140⤵
        
        PID:3532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        140⤵
        
        PID:3780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        140⤵
        UAC bypass
        
        PID:964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lcokEMYM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe""
        140⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        141⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        138⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3108
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        139⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        138⤵
        
        PID:972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        138⤵
        
        PID:1016
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        139⤵
        
        PID:3776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fAcEIcoQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe""
        138⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        139⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        136⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        136⤵
        Modifies registry key
        
        PID:3640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        136⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kcQUcogc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe""
        136⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        137⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        134⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        134⤵
        Modifies registry key
        
        PID:4424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        134⤵
        UAC bypass
        
        PID:3760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ookUsgwc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe""
        134⤵
        
        PID:1080
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        135⤵
        
        PID:3416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        132⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        132⤵
        
        PID:3220
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        133⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        132⤵
        UAC bypass
        
        PID:2496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CEQIQQEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe""
        132⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        133⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        Modifies registry key
        
        PID:620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        UAC bypass
        
        PID:3224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gaUEAswo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe""
        130⤵
        
        PID:928
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        131⤵
        
        PID:408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        UAC bypass
        
        PID:4344
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        129⤵
        
        PID:3268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HYEggQMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe""
        128⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        129⤵
        
        PID:532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        Modifies registry key
        
        PID:5040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        
        PID:3384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        UAC bypass
        
        PID:3804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TiUEwMEM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe""
        126⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1832
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        125⤵
        
        PID:3372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        Modifies registry key
        
        PID:4196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        UAC bypass
        
        PID:1016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dQMEUMgE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe""
        124⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        
        PID:3468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        UAC bypass
        
        PID:1048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\biQwMwIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe""
        122⤵
        
        PID:928
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        
        PID:548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IUokowgo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe""
        120⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        
        PID:5116
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        119⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UAwUcAME.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe""
        118⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:1080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        
        PID:3776
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        117⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        UAC bypass
        
        PID:1220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cSMogYkU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe""
        116⤵
        
        PID:3372
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DQgEcwEs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe""
        114⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:1048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        
        PID:4108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        
        PID:3204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lOUMQocM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe""
        112⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        
        PID:2120
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        111⤵
        
        PID:3212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        
        PID:820
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        111⤵
        
        PID:824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VgoUYIUI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe""
        110⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        
        PID:928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cWkcooQk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe""
        108⤵
        
        PID:3372
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        
        PID:320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        Modifies registry key
        
        PID:4892
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        107⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        UAC bypass
        
        PID:548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\icQUYEUM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe""
        106⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4624
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        105⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        
        PID:1020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\COwEIkUg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe""
        104⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        
        PID:3176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZIEMIQIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe""
        102⤵
        
        PID:3696
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        
        PID:3416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        
        PID:660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VwYMgcgo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe""
        100⤵
        
        PID:856
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        101⤵
        
        PID:928
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        UAC bypass
        
        PID:3664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RMgckYgo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe""
        98⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:3532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        Modifies registry key
        
        PID:964
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        97⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        
        PID:824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\daUokIUw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe""
        96⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4468
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        95⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        
        PID:856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        
        PID:4888
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        95⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AeQAAYgQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe""
        94⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GcYgsAsc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe""
        92⤵
        
        PID:1036
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        UAC bypass
        
        PID:1340
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        91⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sYcUYEws.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe""
        90⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        
        PID:3716
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        89⤵
        
        PID:1216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kUwwMogM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe""
        88⤵
        
        PID:3176
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        UAC bypass
        
        PID:1688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jMEoYIck.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe""
        86⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        Modifies registry key
        
        PID:4276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        
        PID:3212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FKMYwUAw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe""
        84⤵
        
        PID:364
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        85⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        
        PID:1216
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        83⤵
        
        PID:3224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:3176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zeUUAwks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe""
        82⤵
        
        PID:4740
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        83⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        
        PID:380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        Modifies registry key
        
        PID:5036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        
        PID:5032
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        81⤵
        
        PID:3324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XCYYgUgA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe""
        80⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        UAC bypass
        
        PID:1608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KKMEEAIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe""
        78⤵
        
        PID:5100
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        79⤵
        
        PID:820
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        
        PID:3032
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        77⤵
        
        PID:3468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KCMwoYAE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe""
        76⤵
        
        PID:928
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IegoYAUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe""
        74⤵
        
        PID:2720
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        75⤵
        
        PID:3200
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:3284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cCsMsggI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe""
        72⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:3084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        Modifies visibility of file extensions in Explorer
        
        PID:696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        Modifies registry key
        
        PID:1228
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        71⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hCgMwMYI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe""
        70⤵
        
        PID:4384
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        71⤵
        
        PID:3900
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        Modifies visibility of file extensions in Explorer
        
        PID:712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        
        PID:3020
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        69⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        UAC bypass
        
        PID:4008
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        69⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HgYUEogc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe""
        68⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:3200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\reYYsggE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe""
        66⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        Modifies registry key
        
        PID:2008
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        65⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        Modifies registry key
        
        PID:3900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jmUcoYIY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe""
        64⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        UAC bypass
        
        PID:3600
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        63⤵
        
        PID:4052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OwMcMYwU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe""
        62⤵
        
        PID:3468
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:3224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        UAC bypass
        
        PID:4528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aKkMAows.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe""
        60⤵
        
        PID:3220
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        
        PID:4612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MmsAMggk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe""
        58⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:3760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        
        PID:3600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        Modifies registry key
        
        PID:4036
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        57⤵
        
        PID:4196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        Modifies registry key
        
        PID:3208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oYccsEUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe""
        56⤵
        
        PID:3808
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        Modifies registry key
        
        PID:2212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:3336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZkMAkYUU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe""
        54⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:3532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZSQkQYEA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe""
        52⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:3900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DGkswEAM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe""
        50⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:3084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        
        PID:3100
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        49⤵
        
        PID:4664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        UAC bypass
        
        PID:3192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RWkYgIMw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe""
        48⤵
        
        PID:3224
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies registry key
        
        PID:1652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        
        PID:3824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qGgEAwUU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe""
        46⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        Modifies registry key
        
        PID:4656
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        45⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        
        PID:4196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kwkAAMwA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe""
        44⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        Modifies registry key
        
        PID:4448
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        43⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EGUsggoY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe""
        42⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        UAC bypass
        
        PID:3672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XIEEIMEM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe""
        40⤵
        
        PID:4676
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        Modifies registry key
        
        PID:2884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DQsEUkMo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe""
        38⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:3184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dwcQYAEU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe""
        36⤵
        
        PID:1152
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        
        PID:4052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dqwsQgUM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe""
        34⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        
        PID:4968
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        33⤵
        
        PID:4124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        UAC bypass
        
        PID:408
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        33⤵
        
        PID:3220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oWkAMMUs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe""
        32⤵
        
        PID:3192
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        UAC bypass
        
        PID:5032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uQwYgEUI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe""
        30⤵
        
        PID:1292
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mKkkEoIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe""
        28⤵
        
        PID:3896
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        UAC bypass
        
        PID:532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kAMsogQA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe""
        26⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:3696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        Modifies registry key
        
        PID:1608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        UAC bypass
        
        PID:3264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VIkIcUck.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe""
        24⤵
        
        PID:3220
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:4124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NcQgEokg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe""
        22⤵
        
        PID:696
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        
        PID:736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        Modifies registry key
        
        PID:2596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        UAC bypass
        
        PID:2192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DEwAwcYc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe""
        20⤵
        
        PID:4112
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        Modifies registry key
        
        PID:1196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sWYYgkAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe""
        18⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        UAC bypass
        
        PID:4196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MEQAAAoE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe""
        16⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        
        PID:4108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cIcwIcQI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe""
        14⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        Modifies registry key
        
        PID:4936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        UAC bypass
        
        PID:1512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wUEkQMgM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe""
        12⤵
        
        PID:3384
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:1228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        
        PID:3716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\diMUAQwc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe""
        10⤵
        
        PID:3808
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        Modifies registry key
        
        PID:4400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        
        PID:4480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VIYYsQYA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe""
        8⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:2296
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        
        PID:3288
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:4312
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        
        PID:4560
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dmEkoIUE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe""
        6⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:1812
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:3948
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:1912
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:2900
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jccYoIQI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4552
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:3668
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:540
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:3372
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  - Modifies registry key
  PID:5036
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EacIAcwA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2424
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:1512

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:3672

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:3100

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv fpuOvTPFIU+cadSM3m6Fxg.0.2
1⤵
PID:928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe

Filesize
221KB

MD5
a601d5d0dfa68d74097a2ce0e2dac215

SHA1
bab734a1e44006b7c26f47c2c3129340fca387cf

SHA256
cb3726ab86d1e55563c6d0926ef9d73c450ca36d93bdfae44374d88b1d7e0f6e

SHA512
c716f56c9d620f03d072aed59d6e271d27b6f60fc3077e559aca085d7939ce8784ae5bc72f36d83bcc40bae5c2b24f0b4d53bf226453cb486a0e61e0341fe8e3

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe

Filesize
325KB

MD5
73ae005798d5e4d1d345e8d2f66ea771

SHA1
cef05fd71c5e4db688038b16931bb472c6caf414

SHA256
0bf34496e0b3288710f36a81a24dd0864812d9e95fddb36aa693116c44d3720b

SHA512
d345032fbdb325b17224b17aee67404a82a517e891a7dab3f67d6375e0bdaa5303f56bbc10acf5e4e986cf8b24c5d2a14b8989a9e42215eec55ac98fec43d529

Download Submit
C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

Filesize
795KB

MD5
f82a3a49cda1b0275d201fbb10be1dff

SHA1
aaaffd0e53931b7e7573be38ea168efdb162b584

SHA256
d84c0465352b3573b477585f6443f9287e9ad7e15c70115546dd9efbf58f54bf

SHA512
b51eda019055b5273ae652d4f2f4995e1be1a3bb25d2db42bab236f3f616176afc8f8b93177232559e4bdd779773328972584f63744df4f0c3d2428cfdf1d424

Download Submit
C:\ProgramData\lYkUYocs\GEMooIEk.exe

Filesize
201KB

MD5
2049eeea87c7268422aea1b24b405666

SHA1
789f424ef6912924b1e75f560c43f75bb4b7ca12

SHA256
779d27c2ef45a94b92f65022dcce9c524a517daf74d35e61b6c05a40f6a72c13

SHA512
4d87fdc3f5c8cf7a2e897650f7f65ad59e836482e82014c9b9337cc53f4378caa6f4242ba9b72c2602b05e5bd78d33b2fada7e81c41b11ef3c4f93b0021a1c0a

Download Submit
C:\ProgramData\lYkUYocs\GEMooIEk.inf

Filesize
4B

MD5
6ce40b44629298037ff1713a7822fbeb

SHA1
514d8d9983ef5a8b42648fbc9ba1c74306319b80

SHA256
528bfb3d8592b03bb10c53cb4ea80d24fad5ee8cd329820b533d134f0c58198c

SHA512
8755fbb48cc16a8a442e748fb7c691353a86bffb666798de921313fe29a2d5272d35dfc61a4199f8603fa4e1d11cfba2b41492534499c2aa696edfd014bc2fbc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\flapper.gif.exe

Filesize
271KB

MD5
f1ea55316f713334ed5f6d23bbeea378

SHA1
acb2fb11222b26f65451fa81e2f95d0310beed76

SHA256
695fb1be29d2839953915451431264b130d342cc375948ec92e6020faf9eb544

SHA512
4cb113efbb84299381de156635822397628e60085d15c8357adce9a133dfdf7dee720c8cbd81ec727950e6d4d2a9346290aa07bd5fa75b54c4ac772a46e1f986

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\128.png.exe

Filesize
196KB

MD5
29d9697ff7e7cfe69776f1c60a149b7c

SHA1
f6ed9cae90fdbe901741bc3122918d14063cc2d0

SHA256
814352a91c521577670809e39a799fe4bcebacc50a35462bbdeb78a9b98ce213

SHA512
db85e73172a688ec35aafb392f6069610920fd75d927b2f34e6602f830405e6bfee0ae2784907bf6819478b9673184011251f7669cbc30280257a978c0ccd2e9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\96.png.exe

Filesize
200KB

MD5
69ffd7af816a71c3f26bdafa56a17e46

SHA1
a8b8ccfa30c8a7f7a29766680db73310ab193444

SHA256
0fe81d14c271ba659594feccee99096b85c98f12f08b0c16ea4e4fe2f0f7a323

SHA512
11638144c76f8ebd2a9b7963407fa92dbf2a7c86c8082be48a58ab600c3c4031ecab56c91ec9e33d5ce909b85f2c335db063d926e9c73fb3719159da8915261a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\128.png.exe

Filesize
192KB

MD5
d76f2d0a56079a90d822675e04932452

SHA1
31b865c4842399aefb44955697c3a78adfddb8fc

SHA256
11263419796ad9f0f3f7eda6a422dbe5ab92d4879f3be86b5a4cb252d06ebe40

SHA512
a479bbc8507547e6bf647fdd8fc402b4c18b9a902d8eb0c07faf4be7030f36f1ed060d6e23f6b3186a825f34e19ba420304a9fedd82b9bc7981f4515c6cd324b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\256.png.exe

Filesize
200KB

MD5
bee51a52555faf856f5f619b3bfd320f

SHA1
bfe0891c4798595605f12fe5dba88ddbe0038ec2

SHA256
168da27befd6dd82f82d48064998193c16572e124cd7ae61376212850f422ba9

SHA512
56242fc56c3602caf19fd801e0dedaf65f25b717350c86824a1ab5cd5995206e409d45b64f03899cd152e65b1b14a27b921f965c3567168a1276a975aefc8098

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppErrorBlue.png.exe

Filesize
200KB

MD5
ffe312eb5c6c4f13cb1838a6637d02f1

SHA1
ddf1088f89c36c48a6182b1168cec0632736a603

SHA256
033b20d667cb36a194ea8e9ec7e3c3a1328bdba15df9c83ca803aaf115954f3a

SHA512
49a4fb4f57a95d5eacb3f27698529be227ce7d18f43a284463824a730f48671d2231b2873fffcfd3bce0adf1b1eeb452cde20697810fb87543aae44f4c55380b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ElevatedAppBlue.png.exe

Filesize
203KB

MD5
a2033d4b5f0c15fb690787d47157b0e0

SHA1
a34f2a0b57696ed2242c8a98fed6b8cb28b9707e

SHA256
7820d536dd25a984a1f5ad272e673898623bb45e07a89c598d7cbee0d83c8925

SHA512
03a4d1acfa14fd16eb86ffbbab8a43f5316bb3a1ca156e75ebe096b6e685cbb9913285c58c84a2a989e16000982005259395e042b6941be03bff8b7911c28e7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-400.png.exe

Filesize
191KB

MD5
b490dd331558d3581c434cd61ae7d48f

SHA1
6449c584ea2c141f0f7e4d9233177f504e345dab

SHA256
46ede0ce02c5d58caa778c1a4ffb003d6db7b2bf47a50c276ef0585a57e0c658

SHA512
d1152a45251bfed24f59c78f1fbd4b9205c343c94b19f2d7c184716db5308d55983e5d3cec88e8634ea4c8113fbc3cf9dddac88c7927a89ed38a4d2764a15eaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-05-22_603265859f744615bb91f46a55c837ef_virlock

Filesize
6KB

MD5
76e08b93985d60b82ddb4a313733345c

SHA1
273effbac9e1dc901a3f0ee43122d2bdb383adbf

SHA256
4dc0a8afbf4dbb1a67b9292bb028b7f744f3029b0083c36307b1f84a00692a89

SHA512
4226266b623d502f9b0901355ff388e1fc705e9baff0cbe49a52ef59578e1cc66f5026c030df4c8a8f5000b743523ccf18c533aee269b562d3017d14af014f9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\AAkC.exe

Filesize
782KB

MD5
9c9bc1f35c7f39c0a92452c306ced948

SHA1
3dfbba6d7af5e3eb1cb92b60711f458fefb91f73

SHA256
e02bea583f0083f84613b3ba467a32a3a053cd8586ad47c3c57dcd4dc27c241e

SHA512
f14f9b46acd48bf383cf99777e26b8b4b3f06b6f0dc18ef0be089a77793a4e968f6d5103e157d06e8dfd434e853b355364bbc9b12f99edffc3b1077777f85449

Download Submit
C:\Users\Admin\AppData\Local\Temp\AAoO.ico

Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\AppData\Local\Temp\AYoO.exe

Filesize
183KB

MD5
78d44392b64779bf6db3b46939bc6c8a

SHA1
47e4a2af8c6898d9b996180095c57a3716f773e0

SHA256
3e5a84e8c359dd6640c8dc795bedc312faf98f76546adeaafc5b53072788f4f4

SHA512
19bf93d751edabbdf2b71d04cbc38cdaf84b5d3daa1ebcae453846e9c14c7a61e25afab6013fa9336818adc404580c02b7c488fe79a8857fc1926d1d3525863c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ascg.exe

Filesize
203KB

MD5
ca2fa0547dae528499359f750552430b

SHA1
89eec303cccddca834852ceb2d61628022b27e8f

SHA256
8d1abfc4928e4be866e9f1bf6cf87c8dc2d5f194eeea0db40e0d83c585c61da9

SHA512
4ef4dadfc13cb5ed5204e0b747ab1c1a49f52bf6918f692752961a3aa011e0cc4635288d20a0cad4002084f6b9d80f08a690b5407af79fc3ca3d478cb87b0c22

Download Submit
C:\Users\Admin\AppData\Local\Temp\CQgQ.exe

Filesize
189KB

MD5
d1285b0f817e43225bea0465bdb8b65f

SHA1
99294b0f4a39f416783b11b56c430cfcc75f0156

SHA256
f8f38d87009c98d86241c364d5a8c25c819b7cada0c1a4b962a9a1cf8a6495f6

SHA512
ff71a093f730292575fb553f93042eaf7731e775550e4282327bf5980b6cdbd444e268c9989f1555f6d7e166f481d544712f256bbff1712565e0c8b30bd0150c

Download Submit
C:\Users\Admin\AppData\Local\Temp\CYEu.exe

Filesize
207KB

MD5
79d54b36c2e7d5c7d30b775ebb6e92bb

SHA1
adb86dc6c3fa46e674ef22b32064dd149bf6a9a0

SHA256
f09c94c30b7e9b991fa66d92bafac6cad64e2e2e7347e9095568430fc89d1c56

SHA512
85c04bb8a09a5acac639ce60e4e0050318b1c2c859bc74bbc6d42c76a29b454c4fd2b217716a060ef0befa88facf79542a82f4ca19e57f702bbd76e1916b4955

Download Submit
C:\Users\Admin\AppData\Local\Temp\CYwa.exe

Filesize
194KB

MD5
ae583610409663c3c4bdb1ddd4e5b86b

SHA1
f3ee86f867fec366529b5594298ebab233819d4d

SHA256
cf41710341d6dcb2ebcb94e1b56c25982c236cfb49503ecd1104fa1b5678ac79

SHA512
2042c91df6bd8d5f89ff44b62dcc20653f03a779d9bac15693b6d55929243abfe58007a6347e1c754d7104b00ca79eaa4f72934cc1aab7359518272ac7e66f88

Download Submit
C:\Users\Admin\AppData\Local\Temp\EIce.exe

Filesize
224KB

MD5
f7fb10cba82aca625dc4f07562d19d47

SHA1
9c482ff8839f41e0435bb1fdcd8ca85d25951207

SHA256
53597df23874f4a5d356610b6915f25af2055262d9c77cfe25e2bf743199a34f

SHA512
017085a7efdf8ee289a2d98b4ec7d39dcd1391ba12c2ce01faf17ad7a083d7e3dd2546c0a426cdb81977685f75122f94eb80cdca4446dd6a5060a5c9bba25815

Download Submit
C:\Users\Admin\AppData\Local\Temp\EacIAcwA.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\EgMo.exe

Filesize
194KB

MD5
8e0e9d013aad0e0acaebf43839f5e5f4

SHA1
3855ce836c0c8fb630b3cee224e112813e8d318a

SHA256
6927d7a866f4c222a96fa6a3fe675641626b0aef71c64b7a58aa264b39ef2413

SHA512
21a80cd2b6b97220fd6894817a6eb3f64181be47f7c1175308813ab8d81f6997132c6bfe09ce41caf9269eaafd76631717d8f64f208690c2b3a358f11ceb3006

Download Submit
C:\Users\Admin\AppData\Local\Temp\Egga.exe

Filesize
199KB

MD5
e8a223a76c41903e3591703f4df7756b

SHA1
4c8cd7656540d277e14d2884d5db2e7051e797e4

SHA256
24d87ea1acc8828694ca50a7e3b885d5a20c65a18ceb4f94fb706cc43df93873

SHA512
0f50f1a452d2aae6a2acdfe35d4b9a72e9b2a93e99ac8f8d71143b0e5e8332d8cc0686d42957bd788cda33dcc7cd66c851fe6e4400f7f6a01a7152a36bf7b682

Download Submit
C:\Users\Admin\AppData\Local\Temp\EoIs.exe

Filesize
192KB

MD5
32611cd3e7a1adf47f247457e34cab02

SHA1
1ee5116fe85df2d4675038ae577f9fc55dd9d8ec

SHA256
0d06d5e05fa80cf7ef114b73796df8ac228e726490f916845fdb97180afbe3d7

SHA512
58cdd22f81ab2926b8e62f71e9d063cf350e875e1d6ed507b2de252bbe10b3234073f3d4e84fb6b6093b2e46d4ed0f036a2781b0f9d11401c3552e33de11a0f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ewks.exe

Filesize
742KB

MD5
146cd4f8c373e956d905c11d841461b2

SHA1
0d5484d23110161d1063a4109077e5f037fee057

SHA256
aeb83e2feb86c131360dec49a617c9015692e630bcb6c44b9481985397837bde

SHA512
b1eeaf78f7388257f5a7920d4e06c392ec65896104bc938ce390c560c6c1ddb780099629e4c6205e927f178c58cc6825c9cdfa4214f0b6f2eb4b2212a199aa67

Download Submit
C:\Users\Admin\AppData\Local\Temp\GQUq.exe

Filesize
212KB

MD5
5f9bb10a1a6bed5fea75f7349b89128c

SHA1
085d335771bb424d03d75f859c0a67ef3b42cce0

SHA256
e67a21960c620452f237b054fc2f2ec0da8caf21b89d5f466227aebc940463ee

SHA512
8b96cb121f8bf97c882cfac112232a19a9306a23067df8672c94e811fc4033066f8508b57edecc1228caf4aebb0af7b30075b13c7657b4eb6bcedefc9eb5fec7

Download Submit
C:\Users\Admin\AppData\Local\Temp\GQoi.exe

Filesize
201KB

MD5
1dc5fda5c7f48f7319f0d6afa9e73fc6

SHA1
27d578b24fcb2ccbc30a3e1e7d82b5b58c45b4e9

SHA256
28202187c66a9858aacff4e9eca2c2c72b4de64b9401ba69c756a05171a4888e

SHA512
e1a8b8731db32c82b4d1f68b73f24e34f504a2adb7ae6cdd5fae5a97faea59c1446fd64ca78296641b8a207876ae23a97925edbca3118ec46b09f370875c9b71

Download Submit
C:\Users\Admin\AppData\Local\Temp\GgEm.ico

Filesize
4KB

MD5
383646cca62e4fe9e6ab638e6dea9b9e

SHA1
b91b3cbb9bcf486bb7dc28dc89301464659bb95b

SHA256
9a233711400b52fc399d16bb7e3937772c44d7841a24a685467e19dfa57769d5

SHA512
03b41da2751fdefdf8eaced0bbb752b320ecbc5a6dbf69b9429f92031459390fe6d6dc4665eebe3ee36f9c448a4f582ac488571a21acc6bba82436d292f36ac5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IAMY.exe

Filesize
1.8MB

MD5
d21ec4ee96b2197318e2785bf81a869f

SHA1
ea38a6893c8fc0b8fe32417057b5530f44698876

SHA256
82b3a8360556850ef7b852546ef7b14a5f91ac843b6b686fa1a67ab2726b8317

SHA512
43f262203ad1ec71d50ec41ad4bc3a32342f9d6b493a49fb445662bbcc34c38e6252170fcf6a7af305da02c54aede26e9d970aeac85d36493501305289377bbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IAUi.exe

Filesize
959KB

MD5
f2b771bc1d0a4511fe2c68c11340726c

SHA1
6549302b34ddee6935eac9d7ac81467369b084c8

SHA256
f1988f54995bb7afeb8ea14a9da420cca85208828239b448b145967e8ea2fb59

SHA512
85f4728969d4f62db587bfe83664f74c0b757c97ae10b83de72163397ba5f5e0bdfde3e0e2851ffb784484c90a1e44426a2d58e693c5396745821be4cdb4ed70

Download Submit
C:\Users\Admin\AppData\Local\Temp\IcAa.exe

Filesize
189KB

MD5
9857168c4234e85ba7bf93b9fa63de12

SHA1
b644e95a7138f1a0d2de21e8bbbaea52ac9dd402

SHA256
56ef075378fff83dc08fb106a96058ac9403814a710c4ae59caa2eb35d585af0

SHA512
feb0dad644c9b0cd69ada89181f978fcca116cf4a750da2b4b27a228291a5bba102b1faf0ceb6395a88f03a3acea18e52dd5b333c454f7958c5fe5e31b4ee25e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IsUk.exe

Filesize
184KB

MD5
bdde43617d9c53ad6e2b5d96298eb858

SHA1
1d3a39536dfc07dc1bd59959d5ddc41c3d3adbab

SHA256
d0756dde53c99b16b55ca8470a07a512eeb995b70387aabacdf39356799a888c

SHA512
fabffefa5fb099005450379801638aead49c6ee6ba98f9f2a46691bc500362d832a4c4586c82ccfc41004198444ac45db5efd51201279307f52c3932771412ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMkK.exe

Filesize
205KB

MD5
38b9db7dfe8117f80087f8587e710c40

SHA1
40c417880dace375682aa9ce29739cde73696993

SHA256
0c51e0b02b31d4d43f71f1f23295711ed4aaa0c1f7eb1ccf2c1fcc9f22cfefc7

SHA512
2dbbca2a63d742dbe122893787c75f63105cef7c6f97e27d82163adef85530dd46d474d6c319194e70c25990c91595d377ae5cce08377476c84349d8368f5025

Download Submit
C:\Users\Admin\AppData\Local\Temp\MQsg.exe

Filesize
539KB

MD5
c8acb450f3dfa217373a87a10b048c4f

SHA1
8acba2221d0255d534bfa03aeaced5f9c4d4503a

SHA256
4f1d4c02b9aee0468c207f00b9193f1d44e78e63a982156c825560644b31f423

SHA512
ffa3d8934cee2da7115d891249006326f35a8f7f4ac95162c9ae2cf40e32186dead7f2a96450e2dad877749ae966e5860618cf4da80712c87d4195ccc3f7e2c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MoIk.exe

Filesize
196KB

MD5
03b550db04a6a5deb59973889bafc8f4

SHA1
003b26d0e87ea992a8c849e065a60312469e503b

SHA256
56b3fe1b58622eadcc7f3cdbcb07c60409e09f24d52394a1d58e538d8fbdb532

SHA512
bc2fbe95fd813cf8696a6eed65e6640fe42c2e5cede1dbe8417be5916750a79afd47ef121ab39b70db6ffb73c96f3aeaa216bf8a5cc855f2b4faa7301462a588

Download Submit
C:\Users\Admin\AppData\Local\Temp\OAIa.exe

Filesize
784KB

MD5
23a8fdb6bb98e88a97083e89adc580fe

SHA1
790e0eed16fec45158ef979b64d6bf1494c99e8f

SHA256
a252e361bc31b65aeeb44ecc4a6d04753c1405671b1ee8666d45bc48d3140234

SHA512
9a0df479bfcde30fb0e90fc1128c0dd06077a6f537bcb15809b437e870165ac031023a824ad3816b9ea878eb87da8907ce6ed962038eca9b748ae3686c7c3ccc

Download Submit
C:\Users\Admin\AppData\Local\Temp\OIAQ.exe

Filesize
186KB

MD5
c586e1836e676ef8415da3b0840b0649

SHA1
3cbce579e77ef7f5319715a1336bca3d085466de

SHA256
e43048a4506ec679683389e9ebb650d52f9cd85ad03910607587473aa91dec3e

SHA512
b1610e7c5db950903612ea2f7e613a2ca61ec1c9f2eb43b44df5f5709507046ba76e5fbee4c061a9ac9730217e857e95df30ff048fadf4194e51a273faf5c9c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\OQEy.exe

Filesize
562KB

MD5
e715086ebf176f85a581784c1bd25e72

SHA1
02abed939f5a8c49cae39a6ed03a7940b0d0cd28

SHA256
88c1d892851b77c51f77a471bdcca172ba3d92746e7787b2b876b3f0eeaa05e4

SHA512
08a5381dec3ac85a3c2b5426a459257e83e487856378470ab779a15e2ac4906265cb9d8d93fb0a2ea18d9e091093e8a4e4f1b0d135e5e3001d52e00d9d88414a

Download Submit
C:\Users\Admin\AppData\Local\Temp\OQcE.exe

Filesize
202KB

MD5
aa122b8e5c4dee5a715a84b6ca550d42

SHA1
ff8662cea0f33539941eea3701b893e4291844b6

SHA256
f32462bdc3f924f524967816db3fdee0573b6b80dd453b5eb21af4bc0ce25f17

SHA512
f09ea5ead52084a24f891497a5c556309a97f2b072003c7ee7d07167658326777398ed38331de85585768713543a9f1ea16f73c546884b2dfea11f93dcba68c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\OkAQ.exe

Filesize
1.2MB

MD5
d56d09081927cd5504dfc521e30a077f

SHA1
58333a34d64720b643cda6aff0591260f49cef72

SHA256
e31e02874b10b36ee8c174c795b092cba8de9f3a9fcd1d218d69d016b441c818

SHA512
d879877cb4258202e79557d47beb516cbae306439e7a0a42af92e149ea6e24a19122f9e33b4b03837448cd48aff278ff7aada39dd285ee9f8fe04c5e33b63283

Download Submit
C:\Users\Admin\AppData\Local\Temp\Okwi.exe

Filesize
330KB

MD5
2e2a9c7b0862465fd2d76e44e688919a

SHA1
94fa333da08bde3f180930b83f32c56b32c5b97a

SHA256
8242cab0d2037f2c2fa0d3fc79ffdb0d0fcff40b3f793c729606e2cc8a450c67

SHA512
fa46856e270eca106197cc609d6247c4453ff28a630efb89eb9fdad5934ff3fbb597b116d60888bbe353fff2ffff2752befcab109c61fb95fd5490f5ad665740

Download Submit
C:\Users\Admin\AppData\Local\Temp\Owoo.exe

Filesize
218KB

MD5
c64f1feb9cdd62cc24ceaf7e13aa9b58

SHA1
af334b6b755fde544d51413bf379df32e5a0a098

SHA256
7940ecdc04d19002823a0a5135abfbae7270e74406dc21037d4943e981e3687b

SHA512
cfb9009a8d8454924ca868e2e07a2c8296adca483e8a792fccd4bac5cf917987db82bf04bc46ce93c9722889c6bbb9dda1a8041346bcd59965d22d0c2d2dd11a

Download Submit
C:\Users\Admin\AppData\Local\Temp\QAAi.exe

Filesize
5.9MB

MD5
99d795d245f61ac5a50d80d815bfea12

SHA1
93d104772f0feca946c7de93a4ae9a5153471b83

SHA256
cc6953740f85bfebfd56d4e73b9a2637320fad6eae82d11b56d9ebb39e2ae376

SHA512
b79b71ea744f2362397af1af4f2e2dc96bff478b4c3088640f3fb036865051fe00d39bfff151388c60279c64b790d9825b950cb595a4559558177fcb4257078f

Download Submit
C:\Users\Admin\AppData\Local\Temp\QksO.exe

Filesize
196KB

MD5
d528eb992a01dba320f9b8cf908ad928

SHA1
6d7e61789f70382c41909c4f6cbb4bdef9fabd27

SHA256
87c909f883bd25a4614bd021982e4a5595be0377c082519a73a6b3e4840b0c6e

SHA512
2e9a8daf61b9440178cfc36406b55e94faf2f89d67404379194c46559d1d3bd9c85e33d01695077b86b2f85ef01356839e523bdb8a285598819adc24eb575dc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\SMcY.exe

Filesize
185KB

MD5
31f0329508843aa788f53549bf8e8d2c

SHA1
eb9d9aada4ede2034db422cb5cc71311cc93cc50

SHA256
f074c5d373d7147168ba8731a858cf81152e97b38772216d280efc51905b116e

SHA512
df75a7b37375ae249e0220d92807c9e294d145cea212fd2e21ab2f6afe0026b1ec01d7ded9e21dcf34f8312fc40150d06f50e22edb06b991d160ed6df41a5499

Download Submit
C:\Users\Admin\AppData\Local\Temp\SYwS.exe

Filesize
435KB

MD5
3bae20b54e7c513d567d3f558f9be16d

SHA1
5e7a9327f3f00a728a45db201e75a0fcbdff95ab

SHA256
dc4d12d535a8d049c3321dc415ded5f68813043e1bd2232043f327551f01298b

SHA512
c961022f1be6a42ee18a7a9aec7a27f665e03f7dc709cdac5eb8821a365409dbf11c317e60b57216607e3d251fde69b7364bbb4add5a7eafa3c7d4667f59e458

Download Submit
C:\Users\Admin\AppData\Local\Temp\SkAM.exe

Filesize
239KB

MD5
5e6fe146be6a6430a2594c829216ca8d

SHA1
9fa18ed0ffe7978e9adea6fdf67400917c8a9f03

SHA256
34ff2cea845b5cf03b316ab3ffd85a93c771396ba57e7285909fbc76668c4cfb

SHA512
d9db836ecacc74e8eccac6eb1a668d32e5099d2a77faac3b1a0cce13189662cff4d9275fedf6d9669d4164d2b67150cf2f4ddfb8077cc2b0fa903dae746efc11

Download Submit
C:\Users\Admin\AppData\Local\Temp\UEYS.exe

Filesize
226KB

MD5
6b22d866819eac73c2811b7cb2c7d6c8

SHA1
f6a5a2393cce58bc47a9b2eeee78287051fb1754

SHA256
d3ba1d8b2cd9720b8fc471deafd4d3177663f9113eb1ffed3d2d89b51a2f8433

SHA512
8d3aeb64ce6fcb3729935af9dc280c02c4f2ceee8002a6c7789e1e7d3b1c7411431622b3cbe0106619a2d8ca277fa4c529862913e6340cac3140850cb3b8567f

Download Submit
C:\Users\Admin\AppData\Local\Temp\UYcO.exe

Filesize
206KB

MD5
d6e9786c3a918b5d8ae5cbfcad23d110

SHA1
ef46aa64fd0dfafc54e8dbd4252288048df165a0

SHA256
d359eb17176faed509f565c883d24fc64c6d2f55c8470432319a08dfe39b69e3

SHA512
7bbfa460369d7a281ec4414394a77b7aa43f3fd10b3ec9113371382bdf256c3c1374540d4b9d0091caccb29a502eb97d36c1c4ee1e2b53e615934188b6d31c6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\UcQS.exe

Filesize
185KB

MD5
cd1228994f67e7023bfc2da358cd3f45

SHA1
d510a919f4676f9c64840e2cef504323ba72af49

SHA256
24ad32dee461ee611aa4d0635739265fe1a35f313817ca74b52ef99a22fe2f04

SHA512
be93faddcf9b7ee1d33ac76b0e3cbcd14c23efb60b7fe762930061dc83dfe643ad2b695c71bc4bc9d329cb7da02eecaf08d94d693b013b021d3a5fbfd6777f86

Download Submit
C:\Users\Admin\AppData\Local\Temp\UcwI.exe

Filesize
895KB

MD5
6c1ca60cd4379c2aab9e3193c477d0dc

SHA1
4e69cc6c7092770d8fbd4aea948fbdf247a4f528

SHA256
df614c7241325464e88e147062c1d8f8e407fb8e51059df87eefd34067393442

SHA512
074c1c775d5f703ecde240da1782a585c16239a796e3716e0ac2c3ad2e5412e9c284b721956d72665297eee37ca4c71a098a8cd66c99e0993c00803bfe203b8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\WAMW.exe

Filesize
193KB

MD5
705de21b8c18e9f088049197bced523d

SHA1
92f80ac59c186098b66e772515098a56db742625

SHA256
8b58c491d8816a06e38b1af66053c0b5b6276fe98ed843d561af141375c3806f

SHA512
77fe687cd3f0d2294a7f88b4751b67eb244c17b0469e5d2427162a5fcf3ad7a27107df51bad0bbd746b086a398850baa5a86025384c9d486ae15668085f9f976

Download Submit
C:\Users\Admin\AppData\Local\Temp\WEMS.exe

Filesize
203KB

MD5
2d73bdf826b4883d244c1dc343c4e3b7

SHA1
1e767fd8363b747bb5af35ae3dce49b11224ec6a

SHA256
eda77dac92b4707ecc6b2a8add03bec031e95ef629041206f962fbebf975b38a

SHA512
8eea7dbf624eb0e0f1f48396685d889088cad408899a787d5fc652ec6595cb952c91a1324125276c398bdb5c4dd4ce48e69ced08bd2af80264a2bfc0d5131fab

Download Submit
C:\Users\Admin\AppData\Local\Temp\WUIM.exe

Filesize
196KB

MD5
062f10ac77dcc01eeef180fa52eb1ac9

SHA1
343e571f8b069cbe46a3775fdac97829d375daba

SHA256
ef8bb856a20d6f7d7da8a1ecb6c6c5c8018f4e16a3089a501c6e0f359ed4bf3d

SHA512
a2de7b99d9a7587cf4ecb7d0222c8ad74522badbb4c36b3fda95f9f8966c4027bca5abfb879a5fe4877d1eb76ca6443e6a82f3b7432962ba74c252705c96a6bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\WYUG.exe

Filesize
210KB

MD5
e2d5cfbca87c71eb175f2debcb8a2bb1

SHA1
4c34b9ebbc1c6cfb3ac692f6538eb766b36175bc

SHA256
719bd4e2d56fb7b44bb11e4f732580c697d474351a0a171bce0be0b6cc17c0c1

SHA512
cf8c4a3d9ca6efb95ff6a37dd23b120965e6eaf0852623be0c21b3cee8fcb3b622c03bc613c51b68687f612234e2936a965e0eb961d7b4af6b7a96af0741a2db

Download Submit
C:\Users\Admin\AppData\Local\Temp\YAEu.exe

Filesize
638KB

MD5
b9dbfabc0f48081aee4e862eedb94a15

SHA1
44e943f9b2670794db68a3d230eff5e6615cf874

SHA256
20591a9191647c954511f8a904efc7ca8c730bf91c509cd2725b41ee61b15921

SHA512
79b56c3803e7b6c3fa76c595dcd0b48ccc4ddff67ba8c916ceef612d1efb414b2d277b73701e8ba18bc205db365d66242821c8174de8f55273fdcff59c380a67

Download Submit
C:\Users\Admin\AppData\Local\Temp\YwsE.exe

Filesize
1004KB

MD5
f150db084a8ade2d00f1a588895b5224

SHA1
b1e59468ebec34451edae3a26297be5005a1d61f

SHA256
a782c8225ac41d5898163147eeafcb0df665c492297e6c5afa2ef4e9bc235375

SHA512
d2b0656d3bafc99d82bb3dcec4b8dcdec6dbdafd92098f4a9e453b0f7cc7aad484e8102405552029b5adf01e5e1bcb5b1ff816b94a5fdc13ba2bcb16f320ce62

Download Submit
C:\Users\Admin\AppData\Local\Temp\aMMs.exe

Filesize
181KB

MD5
e4df5f520ce1b95729f502853f67b706

SHA1
b85564c9eea5306937687497f4aee2a836c3d203

SHA256
c724296232d5ca52d636ca6fdc66b146839e83ad925b1b5000abb2151443ffab

SHA512
a116a17b98cc3bd048ffc352ae968b491814c37dd642c9c8822567e93417e3f58e4ccafb7367d0fa2c2383c1a99453817835e24619509cd8c096275af5f67fcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\cAIk.exe

Filesize
190KB

MD5
7bf4c58fcd78125a8a435cbac66f917f

SHA1
26ab0021c510832959def62bafcb230708879c8b

SHA256
880cdb4c785e3d868148fa3e74df52d150cfb8440ff079a1b8423887159c70d3

SHA512
8fdb39ea62e95da058a7885c0824591497eba821a5c7706895375152191e301d70b498ee978c53d5af2b00577f6905f13251aa7041b54ccaa1d5913cb56aa529

Download Submit
C:\Users\Admin\AppData\Local\Temp\cIwe.exe

Filesize
654KB

MD5
033970a4e750b6c59abafed73c46f8e7

SHA1
e3f8c8b715dd5e1e8295ca03b57a521929119b84

SHA256
5d1649cbef4907d77b4b0f5de204256a5b20053c76681f1ff3ff6152ba608596

SHA512
94a309b3538f5bc90c4bb08faf0a93e9e693c0d5fcf35525b885e82a04cdac85bd44d0d2731c0302fce08af04ffef9c637e86a0457f874d944cd2c555da7a41f

Download Submit
C:\Users\Admin\AppData\Local\Temp\cQIW.exe

Filesize
205KB

MD5
77e725c016e7552f86f7893470e02776

SHA1
2865808b2427f2600f711729c369c9b93ebd3dd6

SHA256
ba72859c84184bf9892b851aea651881fc3ceedf6b97d87ac6410ad97eef4224

SHA512
722280daadf3ec64ebea7b8ddf9fb55edb422e4e566567e350573d0c526d6b43ab50f0daaff5d4b834c57439b066803071a25eeccfea2f36be2eeef1e92405fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\cgUc.exe

Filesize
985KB

MD5
258813fa7908235b1a1ffafdc6520fe3

SHA1
85f1a25a5a1fb9f1c2db205fe4dd5bc6bed8ecb1

SHA256
a84eedd7adf510b76931de958a632a9a42b479b194c7a8f0f70d4e9448d7eaa4

SHA512
c1468eb5ac1b2413c69e313b8d25a003ae22cf56953f7d79923e3a20287283839dbc861f17603c36bd44cc39aadef44b4a76cd3321e5d63ee792ac213bd19e2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\coEk.exe

Filesize
200KB

MD5
cc6e46838e31b79858c6a9dfc130ac45

SHA1
cc50a925abfae991e636bcec5a9c93a568954883

SHA256
ce14d58a1a741a0144e7d65bccdb72e72ce2d582eefcfb4d46b828eae707aa37

SHA512
0bfcad844e4ab6bfa2104aaf29df671af0d969a1952d4d23bdfdfdd88140f3a766e4019491aafdd4bebb663b45d958c5120994298cf812a97bd0fbb906c06a7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cogG.exe

Filesize
207KB

MD5
e381a25b1d092587b8848ae0f00d43b3

SHA1
1944dd785779d60300029c59242c8cd2bbccfa56

SHA256
d952b4e2068afbe6dae637ba82c5a363fd3118e8a35ac4bee93740ac95a94a3d

SHA512
459d5df4ca3a6bec0e78092defb6ba872beedaab1bb9febfe155ef1d1b0508c0c6059ebe1244754a88e7b7b5f525ba6b18741ea923f87d433399ced40b9a4564

Download Submit
C:\Users\Admin\AppData\Local\Temp\cwcI.exe

Filesize
196KB

MD5
757801f7df892c2fa137d067f6ac6a69

SHA1
4cf2e93ae568c1e914d8821aa09f45a50473193d

SHA256
fc262261df7da664ddc5b7e9c35eeab127b4920cc30a3917a115f7436b82b25d

SHA512
5f9ae7ce5d285b4b4a41397ae338cc5a70c7be1b704e6f691f6efaf4de492e00b523fff3204231b6d03c30e3362dc10ea0ebe6105cdaa3e6df24392fe6faac0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\eEgm.exe

Filesize
647KB

MD5
7f115a03e92d4631c7fa5d6063060651

SHA1
1281772b9f7459a8e32578421a1cd96f8b1d6c6a

SHA256
ba02ba04daa26ab7dddf5e14ad0e4aee9733b0fd866d69c214a36fe6967d09ea

SHA512
194735caad90097cbdf065f9cbd977f5297ce747a61cd6fd61f3074c10ae8245c59e798fafde18266f52f914f5fd244d153081a489c40a6721bce2438563105a

Download Submit
C:\Users\Admin\AppData\Local\Temp\eMEU.exe

Filesize
194KB

MD5
1cb93544bcaa9151eb3de91a9e08a794

SHA1
8262a1918e251fd8f1cf80a7b085b470913be38a

SHA256
05e0a8783f90387033ef6e89d11d1c27d12bb64215ec620411e2e27b006f865f

SHA512
c07ac794d3421176ab87c02de6181d9d43156abacc0827921dd7ebbc8348fcc4466a30c9c6f09dc2c3355ccbb12f6386226278a618129f8e4a29864aa4fffff3

Download Submit
C:\Users\Admin\AppData\Local\Temp\eQQM.exe

Filesize
190KB

MD5
3d51d3fba38dca9d81a8da9e241499ef

SHA1
88f7c0541733d7611adb5014cadc2de21c79104f

SHA256
0d6da62350fab5421acf0863fa6f9ae9d6209cd78369f8eeb750d918b8be1738

SHA512
4e26c285b1ec3714b5448be5b1ab82a899672f10a9ffc7ef8049b88094a770314bd3ff4690acde830465867adc9063a6b78189e581b1d269989e49024361b496

Download Submit
C:\Users\Admin\AppData\Local\Temp\eQkg.exe

Filesize
639KB

MD5
563946aee5a81be71118feaf83c843d3

SHA1
43db3393f54da26d207a0a70ce713c414f8c1c9d

SHA256
377cb98fe95bd4eff993a75a4d00211a8cfe06b2387865f601955bab4c55e186

SHA512
4c7a7431c611559448fa57bcdfaa7b99e18c429a845858d6e22b83c8773315b66033934b2f65c2ba2a1b6ab5d6db495480634dfe5b225bf97922f5049860ed15

Download Submit
C:\Users\Admin\AppData\Local\Temp\eYwU.exe

Filesize
185KB

MD5
b6a9d96c77c5b9c5f59b75ec10fbbd08

SHA1
aeef8cc6a46b71bbf7a5fb9635b94301d329da1c

SHA256
1ccf97bf3e0a3761992ebf5baad08bdb60396660258ac9c570b1352862b291b5

SHA512
fd3a89182c59c82fda2f78f2a41c5f0d14d38e6e214501c351ebac6b0813e63c3b21e7cd8bc075ae64f52d328e73c61fda7f13f926de33ee330775934e948abf

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gAYw.exe

Filesize
182KB

MD5
9ae31049571e355becb506123b08c4ed

SHA1
89b9e9d8447d8fe0e27b704a9af19bdcdefb0333

SHA256
550f56ef620d2db71aa1528562ebb107b4f9e2d20e980688ec51b818558feff6

SHA512
ca42c346cf40c7a7c8cc80539c096cbf5ab51fff8fb868188a84681b09263bb472d481343e2778ac2ee8f1da6040edf2dddb43beb260c1cd09420727d1064a56

Download Submit
C:\Users\Admin\AppData\Local\Temp\gMgI.exe

Filesize
206KB

MD5
36360a34cfe4f38dbee6782c915f855d

SHA1
6584d61831dfa07e607ab72983dbf5c3e25f848e

SHA256
d460dc7cb398081ffe6baf1665e3c79401e3ad10f6f18355b39aaacce0f9a6c3

SHA512
7610d7f19502be65cf02d514f3a5532dc17e036604bc169cdc4aba235a613ae3ff5725fcb4719ac58e6620c21a22ef51360c946751f78c796d2360c520b40071

Download Submit
C:\Users\Admin\AppData\Local\Temp\gkcC.exe

Filesize
325KB

MD5
e514618f611a25d6e06137d44b6651d5

SHA1
8f48e0b5614e343541a90ff9bb864d8d7282130a

SHA256
82c3a000850153a6207ba2a73cc478d0989f05e3dc37e97e6413414e88eb7ad6

SHA512
2292edc5910be0a45c58e8617726578e33edc4d178e1d0c68d1a52bd6180941adb40db7b2a2d678cf4b615fd70c2a9c171bbe4bbc6b71bba9d6805aa91025629

Download Submit
C:\Users\Admin\AppData\Local\Temp\gkkc.exe

Filesize
633KB

MD5
12bc6519664a17cbc27beefefd21b01c

SHA1
ef37ec02742c4ea9f0654b6eff0a05d53b70c0cc

SHA256
2cdaf5bf802a9d0a6738e8d0967fb327445a9b7cc1cfee260bf7a0ddd7e7e057

SHA512
acfbda84f17956502f6991349520be6cc6ea4c2414bb6395933e62cf689d6d57068df5fde1202469d1d2b12a641d0776140b1966f1becc879daa076bc8daff83

Download Submit
C:\Users\Admin\AppData\Local\Temp\gsQa.exe

Filesize
1.3MB

MD5
ad4b5a9fe1f19cba97cd8a2f82ff0097

SHA1
f1dfaf04618a6ae6c60c52bfd2e0eb44ed0c82fb

SHA256
71383cf0d1bca3247ef9f2f939d0c4be5cbbd56f94babbbe43604bc6690e960b

SHA512
76eab5e55d1abbc09e9cfdf75d3b91a2526a0ce69763b7aa8a910662e836fb701591f8bbbe3fbce5645891f3315d95fa62abf80707f7fa2e068b6db24a69d84b

Download Submit
C:\Users\Admin\AppData\Local\Temp\iAwg.exe

Filesize
195KB

MD5
2a99a634bb797f47b1c5c15473d4fbd1

SHA1
a95445427764139bc6dc54914cb07cce9d6f5276

SHA256
e9147f44824c0070f589f340e75d12e3b3c2240bbfb8846b3c562680773288cd

SHA512
13c08b0337cfcb1293b71b673ea02480241faf3676ab65668d230aa616b690da37a309a85836ae369011a5c7e5acd538de40d7dc386e7bf4d387330bf8144912

Download Submit
C:\Users\Admin\AppData\Local\Temp\iUUC.exe

Filesize
1.1MB

MD5
de4a7eaebbc45a2c581889171e5cf10c

SHA1
3315e3be46b5be9d2955815c938a2095fd28ddd8

SHA256
107ca6fa31345d83fe3d9fa258ecef1b7602f63f5ebee3457e002eb11f51ff68

SHA512
e2ef2c5bade5507f826e7b259f824af9fc5fc219e09195ac2c5e0a567577ec5555cb86479820c56c3db9d3352386ca9509c087e3a23d26c0f5839b5e8ff6880b

Download Submit
C:\Users\Admin\AppData\Local\Temp\iYgC.exe

Filesize
197KB

MD5
fff399dd666941e50b4da46e3374b5a4

SHA1
fd96d3a5434f5808b99d452f875b36b5b29e699b

SHA256
c304b5c5a2a14d8cf8aa6ec55e8685825c1be33db902c0ed15fac1d712caafc3

SHA512
658109c23a6d15c24b2d5895cdca7563ce8c67326f8e65ae5891ac82f2dae8bf2e25e214142fd821159c4a6d2a9d6e20904f6a1ceaa7fb4cbb1987b9cc3861e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\igAU.exe

Filesize
194KB

MD5
f6b228b44506ef29e4a9189db0b6accd

SHA1
858f381ce99cddeff7ad5be18df62a0314b4f386

SHA256
6070689584b9c8a79a742bccb8c235973f647bf35c0746d0b2486f248479d439

SHA512
0949b2d12759c77de391ac252f8d3d16b5906244134bfc628e998cee7ca9e8ea7c0225a3ea7536e60915165098a4bb12a3fea8396d3e91ef653a24f2cddc2b0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\igQa.exe

Filesize
1.4MB

MD5
0d3e89d3658bc8527ecc04d28e0c37c2

SHA1
dbcd90d378e9873f514a839bd3799c243cf7d60b

SHA256
188719ab4783a2c8a264b7267f0d5ec9b40840f463ca61aa2c0520207cb6a005

SHA512
44918e1d78f0daa93278f6c5339b3f09174c178afcc0ab7ce8ac1641aec59d8c010afb030f9857b8c3f3288ef38a64e496e9bae78c94a0463e66bfefa27b2e3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\igUa.exe

Filesize
1.1MB

MD5
5597d0f20be52e3f7fda1c1efa037da4

SHA1
1ae7b039613c3e02526b2a35ddd51ad042c1fd2c

SHA256
c586a667df7ba83ea8d0b5b8bc62b0a30e059605f877a3bbe713c1ebca31dcaa

SHA512
be5b15513ca443884173fd428cab504a0a67ba53472bfe5ac6b3444cac798ccd2bdb6df15f6180d17980bba1212416cf22f4da4839bdb5f27097ed923ad50468

Download Submit
C:\Users\Admin\AppData\Local\Temp\igkU.exe

Filesize
184KB

MD5
b303fedb9433aaf4d1937588b3363109

SHA1
8e0b0d146ab5aebe55ae39d7fbf117df33e64f76

SHA256
c4ef47096bb185b118a7d1c35fa9b702e8f23b3a5dd133beeb08eb65592dbe93

SHA512
c943f7e4ebfb189747a3cbad83938a7b505b9b88741e4c14bda8bf10f852c99e5fe9b877db1365e7d46d47f1547dd1e459218718d9fa91e5f11690bff2cf6385

Download Submit
C:\Users\Admin\AppData\Local\Temp\isEg.ico

Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\kMMu.exe

Filesize
635KB

MD5
ea9d090679a3c73ee1ea0ca36bb50df5

SHA1
2064b25985f65a2637886bc431b5f0fe746a82c4

SHA256
87ec34fff4bd763d4c19d464deea909b01f1588ec1fff81817519778e090cab8

SHA512
e7b0826ad23a6947e385add5eb40147ee8c3a8e497826598a601949c3e02415f6925ccb9eb91589e0488d9d10e95cdcb35e037a84773f0ce84eb562d4c012bfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\kQQG.exe

Filesize
996KB

MD5
4a4d8638a609794e1820888631c7eacd

SHA1
b35f93bff457fff0f3c23c758d71c8354c02c60a

SHA256
f7d917f2a08ddd83178b9780661fd3d070b803fda64af4cdeaf7cfa4e482f934

SHA512
6d367c68041c142f6b7597d4720567dc7019208e0b2ff326371defa0130ae5fda54b272c2f46e296866ce07e88ea06e50b38b6e9508230b74a199e6d7e958f5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\kYwS.exe

Filesize
812KB

MD5
6cd3b9f1b1e63b42ee7de8dccdc75dfe

SHA1
276fbc06bc9237f669e0087bb219874a657ef542

SHA256
1721b6dd5bbcdb3490fc3ad91f4c6112219883a09b18774225ceace954756b7c

SHA512
e9235cf03b73828973262064bedde803624cbb8f22d7ce31d5b4c019ae5dc7858c5258035eeeeff4d1645fc67bd4f0bd05dfc402740de526e2010346d5b86713

Download Submit
C:\Users\Admin\AppData\Local\Temp\kcAq.exe

Filesize
199KB

MD5
3ec6394ef11b1f4494da44e7ad5128de

SHA1
8425f9e85c36ed91a011aa6e0ab74574c286c2b1

SHA256
934b956f1f143a5f4d22ad8cf7adaf0fba02c2cadf808b61bcacd5e1058194c0

SHA512
a95731c5ea6836c70583c1b12f31a8e415b03d034ba7c0a592f5bd55cd954a61b7c468525d541643eb362e9fa086bfedb1a6a21f20e0d676326d5338bb39378b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ksMk.exe

Filesize
197KB

MD5
9e085cce463c4fb5fde39126d030bea8

SHA1
9abedb77409969cff27a0dad9ab81fbc49c4064c

SHA256
dd05586429c27a23c134b5a5afb239a406e866d3b99b9ddebb2ff825269d3cac

SHA512
ef393e5db5cf69a25a0cc29f6b27e9d358208dd9d4b699c2db3132f30809ad07599d2f3bdeba41f7f337bd6862028a9aed0403469b6bf843f497bbc9eba2048c

Download Submit
C:\Users\Admin\AppData\Local\Temp\mAQe.exe

Filesize
591KB

MD5
13b5d344faae88a07bd453b4833c9c28

SHA1
e69bd41836525287552728b0c7ac898e797c0ed9

SHA256
c621ca79c51bfda27e02de318fbffe77d1dc4a52d4862bff620ea21340e8eb54

SHA512
1b5a71fd5356680291ec3270c6326c1c903f27f28dcc51ababf4257738eabd7f2a8ea8eaddc809808f0999292e24a90d674d4ce1c61be08c788c642088405522

Download Submit
C:\Users\Admin\AppData\Local\Temp\mQww.exe

Filesize
228KB

MD5
da661ed04c46155922dd1fbb812e17f1

SHA1
80474e8397ea01b5e268c091c0d9dbccc87df770

SHA256
9f57ad17c799747ca9166ccb14838cc0709f519f0ea9d2599499832f6528eafd

SHA512
1dd5a2cc931d027e5807959000c92acf2a1e1c5099b78d7552bfd4b2518e9d28ad257dca53a0fb2088152c6a0bfab56a8871bdb970b04c5d574337fdd01abe3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\mkIU.exe

Filesize
211KB

MD5
fe821d7d9a2843c2a60eb9c86c926f6a

SHA1
360762b2a92d5edde7abb01db6fdfed211e5adb7

SHA256
31fe701f3bfd54e0937281e2ae7d78dd4e284d09937e9473e3f00ae6c63e6fcb

SHA512
768081ff4f59f326c8649bde2f65162f1413b500ef759f95c8727def19ef9caee975ac41a8a23f9dea7caeb262d42e9263b00f5ebd6dfcada28baa25a5caf933

Download Submit
C:\Users\Admin\AppData\Local\Temp\oAoQ.exe

Filesize
199KB

MD5
a1853357bc139eb2830e355ccdfa53ec

SHA1
f38f4442aabaad8ce2b7abd87b6006e51687fc45

SHA256
84b2f0ec133cbf24186ed0d87ef8cd1b089450d0af2d9fc9f199adc030f42a6c

SHA512
6f5780606e3c468701e60eb169a1b9e3d46f29c643de2ea30195e7ea2436736c416bf81d1c9e8da40f689d54d9a306d95adb02461cea66c54865e0dd3fead63f

Download Submit
C:\Users\Admin\AppData\Local\Temp\oMgQ.exe

Filesize
327KB

MD5
61b5f34a948b209328e09b323678d358

SHA1
c991d908b23f3db72e4f1917f7ce6e0d63aaf006

SHA256
ba42460a37bd8d910fb6882de2028677f34a375db6594cf74519bf23f3d8aaa6

SHA512
a9336958e15ab05208bdc0568fada9fb145b1c9505fcc02abdb4645998d85a5725c89ccc079b6894589c2d78063ac2c4a9a6cf9c5566a4b8d4cc49a910b3f7ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\oQEY.exe

Filesize
204KB

MD5
3ab8fa1caecb058b1a07b8c2352d6391

SHA1
f8c4fbfd8dae6ebef05f30fe99ab53685263663d

SHA256
3e06c49e5b42bbce36fe3264b0658b8cf8ac6536a784f5f5e6137855c663108b

SHA512
37b805212674f1864be24521b191a3d912afef9de0ab56fd371343809283e131bceabdff27be71c7c2eea8d8a1619de2c7d10ccb2cca4a50456c8b63c625994a

Download Submit
C:\Users\Admin\AppData\Local\Temp\oQgm.exe

Filesize
199KB

MD5
63db5d2292306f9a6dbd2aa7817bdc58

SHA1
416719032b47023f7e755d8fe7b9313553420168

SHA256
f0dbcad5cec084abe14bf3cbcfc1a963f10e0afb2b7e123610cefd6bf795a675

SHA512
bfc6798935ff4e217709d25cbdc785f3fabbdbd872fb87eca1e8812a348dffa9ec239cfc8d1b73173ed3de355bd4fee145408982e9d391741c06f61eae94a56a

Download Submit
C:\Users\Admin\AppData\Local\Temp\oUAm.exe

Filesize
816KB

MD5
e4d1b3b6ecdb85ff69e39d452da63c68

SHA1
f95e45d27a20b2af137d6e2bd5ce3a0ba32e10ab

SHA256
c358b8647d3f9396305a4f230a8b601f8a2795340801a2ff45f202e1bc3395c1

SHA512
46179e9b87d9d1c3aa1f1467f66e6c5b2ca62796bd60a3ed66c80b40a93388a1b3a50f1d5762fc31c9c7ed1699043e073627af4d85b8b2846b84ba32ccf73def

Download Submit
C:\Users\Admin\AppData\Local\Temp\ocoY.exe

Filesize
232KB

MD5
2aa1ebfb1c3c4c8d63b43ad6f25a7668

SHA1
5e44ce5687ee300673c48cc2b6622629f5db6f0b

SHA256
c7b72874d4b195c1a5f55c54c3d6abe558bf540dcf60973eaf54436cd04ba075

SHA512
fb591cb9bc8a087f3dd18419e804e28d9efe858a242253b9755908956390cdc746fe1a00198a22fcbbb50975898bb4d6278463968cc8f4c41ec0c2a486196a9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\osYc.exe

Filesize
819KB

MD5
55f54e7d143078a243d04e46adbd3344

SHA1
c4622cff5afe92edf77c0d7e2a7b85d90dc98a61

SHA256
5113c460b060a82e9c0deef9b3355892f0386219283b65f4e30df54447493e62

SHA512
7c0867a5444fc2e3cb4c77730020154197fec9e2838cf861f4c9a2ef1872e7705c4b52fe05936dc9cbba9ab096246b5ff1f2a188ecc37cf4368ff249bd94d2f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\qEcy.exe

Filesize
182KB

MD5
05d4911d6d8f038cd1787d306b0acc7a

SHA1
07b5e540019180251b69148f268610dd8247f909

SHA256
8caab0679e611852aa98b9a30e56d980676521f38e20360adc1aae49cb8d7c7f

SHA512
8d19afb271d1fc0f5dd4e97fc14d5839c31c8b9eb71e3cbbc99c11f3a97fa973f0dc4c79dd2afba6b6c2afef5910acabdb87d26f795bbfe826d9b442f25676ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\qYca.ico

Filesize
4KB

MD5
2d56d721c93caea6bd3552e7e6269d16

SHA1
a7f0d3d95a19f61d30b9e68b0dcee7c569249727

SHA256
f8e8be11d1062a945187b65fc5e5b1500bce03cbdbf6f4af9404b649aacc2aa3

SHA512
c01d86c43876fb8eeab79b72380a00f095d95c3047f530b777ca89d309e7bd797bf83857beab29527eddbbc491da3edd95ba343f6a0725cc565015f095cf0919

Download Submit
C:\Users\Admin\AppData\Local\Temp\qcsw.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\sMQg.exe

Filesize
202KB

MD5
f834ec7e5691c7fe81d5e2c201832727

SHA1
72eb1885af9d1db956d895e4cb5a8374dfa05c47

SHA256
027f2c6be414ba9e0019c4cbaaaacaae14c375910af61cc3161dd47fd284f2c0

SHA512
6a042546daf38dba0f69f969997f8c774cc9d140016d692433f6da80132b9b87fb3f801d4486f7b7b4668123b6d3c59a0c90ce4e8c60e085386ef76070287842

Download Submit
C:\Users\Admin\AppData\Local\Temp\sYwy.exe

Filesize
191KB

MD5
8009b15ff0fa1ba44f6870033564ca45

SHA1
0fb1bfcd418e65b364350e7764e1e540c844dad7

SHA256
9249dde190482895f3d37218afa5a1fe8f11907956aab1cb95ffa3fef6d00e2d

SHA512
21624adc3c98c772f33bf9944d78cef27b85ce1381ac38d104e765c84b90999d9255761bf5e938f5ed7de161e5a5d6557b499d80ed7d4b2155057fc8ac054e57

Download Submit
C:\Users\Admin\AppData\Local\Temp\scUw.exe

Filesize
785KB

MD5
e0e79a18e67f0599946d3fc461172677

SHA1
579f2d5cd8915ef6b5ef638a6ba504f539c42d77

SHA256
d90481644edb321d35b76bfd2838226d6347a29a8a8e8eb9751f941f6a4a8379

SHA512
4b0c3ac537ae8d267076aa39cf0df298c0da8f8bcbedc36261bbf0c1fa3b58a72a26fe214908f2533d9acb2f6f11f32f4cbca57b144051ba0d76da35feb52bf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\sgAs.exe

Filesize
189KB

MD5
3d9364deebc2682dbfc3935585c2bb62

SHA1
ae60dc79501186c2b512d0b333cddc83217018e8

SHA256
dbab9e4ff8be61d15df84e762a7e65c2e485fe4c81555acb212dfeabc06c3cdf

SHA512
f9b71b8367f4a589bc1b0a1878af0670a1484cf51e9e1b8f6ffcd44a76983698cb553027a17dd9877f7e0779694b95a5540db2987dda80490f4fba53e7972cd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\skIw.exe

Filesize
196KB

MD5
8cc51da83ac1a77012316c44d3502234

SHA1
36671b89178c76447bbf2f38924efd20a81675ec

SHA256
46c174f7a99f353e44664b25d37ae462ac877745192b2f93d380f9cd3bbde585

SHA512
a2fb055ae9b260970a534784929333c00eab0bbe7806cd25e79c1ae483c0c59dee23b999350e0a0fe9dc356f12af7ba1df1150ef2f7b4b0091b30d1fdf948ed9

Download Submit
C:\Users\Admin\AppData\Local\Temp\uEkK.exe

Filesize
803KB

MD5
eff3aea96776c0e7147c6cc4ebf22b57

SHA1
20ed91a4ca72a39c4b4f64d2694ab86bb8aecaa1

SHA256
30ccd2456ede088373d462f4e91a57d1fbc3a8e651c442d4d0a66eaca1261143

SHA512
3884350b4465e16f49549cd97f43522e6b35c8666e41859861875bdd5639e5dc69aab9dc66057ebb342fac554e1c6c4cb376ed85564bcb3eed058ee75a3f49d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\uwQW.exe

Filesize
240KB

MD5
a7fde60eb12f8ffa50e42bc632b6f7fc

SHA1
e3cfdec8ac95503c3f62ee81651dbc59b7c5d8f8

SHA256
a17f2940f1082304c8cd59a7d8ec8aa103732d0b4639c2066e0c7fdfe2c75395

SHA512
aee606127220f0201efc7acb5b0ff5ddc3a5ff5001f218c25b1cadb0eec0dae9e6cd6c86f250190df6397748717a046303aafa58968ca8f9f99e041be330f193

Download Submit
C:\Users\Admin\AppData\Local\Temp\wcME.exe

Filesize
187KB

MD5
065b846fdc33d8c8f25382f556040cf7

SHA1
0953770705b3f75c919729141f4d6d220ab75bf4

SHA256
183b8cb68e099def3b05ec3bac8fd5653241369e4353f2f19be124cb8df3164b

SHA512
00155df38e1a0eed7516e18d87c45d6058607ae0c4f402b5916bfcf18b5e313c92c5694c14d87db5e9b3ae4e59005b74ce62f6731d945041e19760f3df6df2c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\wkcS.exe

Filesize
208KB

MD5
eb445ae103446d680a45c4b5eadffb40

SHA1
dfc0997216248b18d414aae919905620284f14f1

SHA256
3f3f72d7304374694283103a2e2adcbf013401409e8aaba8665a37c339cf0333

SHA512
5e29c975081e694bbe8b4c4bfad37f4658c65127afbbafe3e698782e90bce036a2ef2c618783f6d4857d011fcccf145f3a1a34ee29247df949e311b8a6207e2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\wwAC.exe

Filesize
234KB

MD5
3be252586286c92543e139b6c7e972cc

SHA1
9cc4b16253b119f97b1acb3a76933759500ffda8

SHA256
10d1ef0dddfa14d0d83fe2cbecd85c928cf7b81ab0782f6d68fca1f526063904

SHA512
bed22059963bfff4d2a6f0b4b624471f71fefe0f8adcd2f84210a1a042631073e03af06a0bf300d9790177e76773164f44b033bb0be6c41ca7781f5380a410e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\yUAG.exe

Filesize
805KB

MD5
03ac435d4c6b62c176506bf265ba2c48

SHA1
c49c1284720a768e754cc1ccf1d4c8d9c405e8eb

SHA256
69bf8d1ecbfec4f39eecba0b9c239090d7f1e452b12ff5e984d5fd68764ac20b

SHA512
7fd49a0e4c4d2d41db4b051b7b9768a11c0cf5eeaa52adde9dffec83f8448b75f681fbdfcbb3272e3567db22d85e688f6070f0967e3b17c7236acedfb2c71c55

Download Submit
C:\Users\Admin\DCgQUEcg\buYYUgYg.exe

Filesize
201KB

MD5
ac35863b1d079a6b29509f82e5157938

SHA1
a08c7454670c1513eb304bfed294db999d988c26

SHA256
ed989a8fdadadfc3d849c18a0f98c6fee011078edf1daf41380fae6748269b29

SHA512
7ec18dd37805f177363e30bf2dd8d4a31802d1684b06c4728ebedc5e077f71a4151f31726b1dc36837bfb0b84681edbc352daa5e8fe87706e5472b64b467b370

Download Submit
C:\Users\Admin\Downloads\ExitTrace.doc.exe

Filesize
597KB

MD5
2557c231945fae7368bbde8790f45811

SHA1
21171612edd7cabee77abe13ad592fa50e66c510

SHA256
0a8e516fbf43600be2fa730830b3fc928c713d2c73076258bfbacbcb43a58763

SHA512
9c336af6d063798883b9cf0d834f8ac39eae5568912a93d3814aa22e23259605a2fc2ff09d92c43c9306d75352d7f5392585e89ecaa96c054da5dead698f252e

Download Submit
C:\Users\Admin\Pictures\DenyShow.jpg.exe

Filesize
1.1MB

MD5
acbdc170995c9e4b8db2511544d2c88d

SHA1
38fbff3d5de8aef91d8a3e6b3e06580c25963eba

SHA256
e44cd2b2cd06f4c0389a774ca5fb976456e12b773f041a6ea07d892432a598ee

SHA512
1fd1dc4283a8a0110e32ab4f26e2d171c0943a521bead5a2680617733f4aaacf99b5421270345605d96fe613aaf0323bb69dc95c1820d7b8050324cf74fbfd65

Download Submit
C:\Users\Admin\Pictures\DismountRestore.png.exe

Filesize
622KB

MD5
bced40ad7fb0b75d9a745b7fc58b2138

SHA1
3977171b6dcf6125359eb2b8f4e084761909a070

SHA256
ef8c6e34679af77c275ed5b5bfe57eaa0fe5c3c369a51dcad9fb73e66b1ed901

SHA512
a07231c1f68c113e6ea103a1de50b94e590969baf11d1f4df49bdb9eb0654d1117863ef82ec7f2cf0827ce122ffd0cd76dfe46a3b1571a6fd1b2d36904a69652

Download Submit
memory/376-33-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/376-16-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/620-242-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/620-260-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/732-524-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/732-532-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/736-398-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/736-412-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/820-317-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/820-307-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/820-354-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1052-9-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1176-145-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1176-129-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1236-374-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1236-359-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1236-206-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1236-220-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1480-401-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1480-388-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1616-475-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1636-133-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1684-333-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1684-345-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2400-316-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2400-325-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2420-458-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2420-299-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2420-284-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2652-270-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2652-534-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2732-523-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2732-511-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2896-195-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2896-179-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2928-20-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2928-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3032-371-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3032-383-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3048-435-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3048-449-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3172-42-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3172-58-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3208-486-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3208-279-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3208-266-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3208-495-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3284-485-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3284-474-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3664-93-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3664-353-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3664-107-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3664-363-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3820-15-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4060-327-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4060-337-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4128-392-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4128-379-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4264-515-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4264-503-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4292-96-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4292-157-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4292-141-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4292-83-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4380-275-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4380-288-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4404-156-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4404-171-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4444-421-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4444-298-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4444-308-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4444-411-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4572-66-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4572-84-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4584-454-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4584-466-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4592-229-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4592-245-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4624-207-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4624-192-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4704-233-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4704-223-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4712-70-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4712-430-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4712-418-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4712-54-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4824-504-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4824-492-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4848-439-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4848-426-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5020-121-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5020-108-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5068-183-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5068-168-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5080-34-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5080-46-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download