81a00f50d9e2a4b198e263b0bab58dd4fe0a343d9d58c30aba3f06fa46032006

Analysis

max time kernel
150s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23/05/2024, 07:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
Size

241KB
MD5

89525bfe8ee83b64d41da9141eabd1e6
SHA1

06500b9cb30daa2556b6ab308a39e8ad0e3cd30e
SHA256

81a00f50d9e2a4b198e263b0bab58dd4fe0a343d9d58c30aba3f06fa46032006
SHA512

9ef54cb23f1d5f68dacb2f71214f113c186cd4a63e8ca5c5054e54f90eba2b4a4af58791e04fa4ac5b30bdaddfb55f766f400f7a759e0b50d3fbd7ff340a7188
SSDEEP

6144:5MnUnaZAFZhBrYX9ClacHcP6bTWnbbFjSJ:CnUn6AZyt2ac7ql2J

Score

10^/10

evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (87) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	yewowoos.exe

Executes dropped EXE 2 IoCs

pid	Process
3012	yewowoos.exe
3448	lqgQwoUc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\lqgQwoUc.exe = "C:\\ProgramData\\WiQosIMY\\lqgQwoUc.exe"	lqgQwoUc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yewowoos.exe = "C:\\Users\\Admin\\gmIMIoAc\\yewowoos.exe"	2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\lqgQwoUc.exe = "C:\\ProgramData\\WiQosIMY\\lqgQwoUc.exe"	2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yewowoos.exe = "C:\\Users\\Admin\\gmIMIoAc\\yewowoos.exe"	yewowoos.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\shell32.dll.exe	yewowoos.exe
File opened for modification	C:\Windows\SysWOW64\shell32.dll.exe	yewowoos.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
2612	reg.exe
2644	reg.exe
4988	reg.exe
2832	reg.exe
3304	reg.exe
3900	reg.exe
4404	reg.exe
4560	reg.exe
716	reg.exe
3976	reg.exe
4560	reg.exe
872	reg.exe
4428	reg.exe
2256	reg.exe
4372	reg.exe
2200	reg.exe
5004	reg.exe
2164	reg.exe
3816	reg.exe
4680	reg.exe
4296	reg.exe
4808	reg.exe
4716	reg.exe
3484	reg.exe
2032	reg.exe
4284	reg.exe
3272	reg.exe
436	reg.exe
4336	reg.exe
5028	reg.exe
972	reg.exe
1984	reg.exe
3104	reg.exe
2052	reg.exe
2784	reg.exe
2328	reg.exe
3192	reg.exe
1616	reg.exe
5012	reg.exe
1676	reg.exe
3140	reg.exe
3900	reg.exe
2872	reg.exe
4768	reg.exe
1724	reg.exe
3904	reg.exe
4076	reg.exe
4236	reg.exe
1332	reg.exe
4760	reg.exe
3256	reg.exe
3972	reg.exe
872	reg.exe
4404	reg.exe
976	reg.exe
3004	reg.exe
4772	reg.exe
4236	reg.exe
4112	reg.exe
2476	reg.exe
3856	reg.exe
2684	reg.exe
1560	reg.exe
3740	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3192	2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
3192	2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
3192	2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
3192	2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
3920	2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
3920	2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
3920	2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
3920	2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
4044	2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
4044	2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
4044	2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
4044	2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
112	2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
112	2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
112	2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
112	2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
4220	2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
4220	2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
4220	2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
4220	2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
3064	2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
3064	2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
3064	2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
3064	2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
3920	2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
3920	2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
3920	2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
3920	2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
2540	2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
2540	2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
2540	2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
2540	2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
4128	2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
4128	2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
4128	2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
4128	2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
2620	2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
2620	2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
2620	2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
2620	2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
3100	2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
3100	2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
3100	2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
3100	2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
844	2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
844	2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
844	2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
844	2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
2880	2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
2880	2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
2880	2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
2880	2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
3948	2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
3948	2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
3948	2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
3948	2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
1156	2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
1156	2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
1156	2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
1156	2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
4224	2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
4224	2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
4224	2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
4224	2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3012	yewowoos.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3012	yewowoos.exe
3012	yewowoos.exe
3012	yewowoos.exe
3012	yewowoos.exe
3012	yewowoos.exe
3012	yewowoos.exe
3012	yewowoos.exe
3012	yewowoos.exe
3012	yewowoos.exe
3012	yewowoos.exe
3012	yewowoos.exe
3012	yewowoos.exe
3012	yewowoos.exe
3012	yewowoos.exe
3012	yewowoos.exe
3012	yewowoos.exe
3012	yewowoos.exe
3012	yewowoos.exe
3012	yewowoos.exe
3012	yewowoos.exe
3012	yewowoos.exe
3012	yewowoos.exe
3012	yewowoos.exe
3012	yewowoos.exe
3012	yewowoos.exe
3012	yewowoos.exe
3012	yewowoos.exe
3012	yewowoos.exe
3012	yewowoos.exe
3012	yewowoos.exe
3012	yewowoos.exe
3012	yewowoos.exe
3012	yewowoos.exe
3012	yewowoos.exe
3012	yewowoos.exe
3012	yewowoos.exe
3012	yewowoos.exe
3012	yewowoos.exe
3012	yewowoos.exe
3012	yewowoos.exe
3012	yewowoos.exe
3012	yewowoos.exe
3012	yewowoos.exe
3012	yewowoos.exe
3012	yewowoos.exe
3012	yewowoos.exe
3012	yewowoos.exe
3012	yewowoos.exe
3012	yewowoos.exe
3012	yewowoos.exe
3012	yewowoos.exe
3012	yewowoos.exe
3012	yewowoos.exe
3012	yewowoos.exe
3012	yewowoos.exe
3012	yewowoos.exe
3012	yewowoos.exe
3012	yewowoos.exe
3012	yewowoos.exe
3012	yewowoos.exe
3012	yewowoos.exe
3012	yewowoos.exe
3012	yewowoos.exe
3012	yewowoos.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3192 wrote to memory of 3012	3192	2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe	86
PID 3192 wrote to memory of 3012	3192	2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe	86
PID 3192 wrote to memory of 3012	3192	2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe	86
PID 3192 wrote to memory of 3448	3192	2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe	88
PID 3192 wrote to memory of 3448	3192	2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe	88
PID 3192 wrote to memory of 3448	3192	2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe	88
PID 3192 wrote to memory of 2748	3192	2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe	89
PID 3192 wrote to memory of 2748	3192	2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe	89
PID 3192 wrote to memory of 2748	3192	2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe	89
PID 2748 wrote to memory of 3920	2748	cmd.exe	91
PID 2748 wrote to memory of 3920	2748	cmd.exe	91
PID 2748 wrote to memory of 3920	2748	cmd.exe	91
PID 3192 wrote to memory of 3356	3192	2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe	92
PID 3192 wrote to memory of 3356	3192	2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe	92
PID 3192 wrote to memory of 3356	3192	2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe	92
PID 3192 wrote to memory of 3912	3192	2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe	93
PID 3192 wrote to memory of 3912	3192	2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe	93
PID 3192 wrote to memory of 3912	3192	2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe	93
PID 3192 wrote to memory of 2140	3192	2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe	94
PID 3192 wrote to memory of 2140	3192	2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe	94
PID 3192 wrote to memory of 2140	3192	2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe	94
PID 3192 wrote to memory of 4140	3192	2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe	95
PID 3192 wrote to memory of 4140	3192	2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe	95
PID 3192 wrote to memory of 4140	3192	2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe	95
PID 4140 wrote to memory of 384	4140	cmd.exe	100
PID 4140 wrote to memory of 384	4140	cmd.exe	100
PID 4140 wrote to memory of 384	4140	cmd.exe	100
PID 3920 wrote to memory of 3140	3920	2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe	101
PID 3920 wrote to memory of 3140	3920	2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe	101
PID 3920 wrote to memory of 3140	3920	2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe	101
PID 3140 wrote to memory of 4044	3140	cmd.exe	103
PID 3140 wrote to memory of 4044	3140	cmd.exe	103
PID 3140 wrote to memory of 4044	3140	cmd.exe	103
PID 3920 wrote to memory of 1564	3920	2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe	104
PID 3920 wrote to memory of 1564	3920	2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe	104
PID 3920 wrote to memory of 1564	3920	2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe	104
PID 3920 wrote to memory of 4648	3920	2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe	105
PID 3920 wrote to memory of 4648	3920	2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe	105
PID 3920 wrote to memory of 4648	3920	2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe	105
PID 3920 wrote to memory of 2636	3920	2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe	106
PID 3920 wrote to memory of 2636	3920	2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe	106
PID 3920 wrote to memory of 2636	3920	2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe	106
PID 3920 wrote to memory of 4012	3920	2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe	107
PID 3920 wrote to memory of 4012	3920	2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe	107
PID 3920 wrote to memory of 4012	3920	2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe	107
PID 4012 wrote to memory of 3004	4012	cmd.exe	112
PID 4012 wrote to memory of 3004	4012	cmd.exe	112
PID 4012 wrote to memory of 3004	4012	cmd.exe	112
PID 4044 wrote to memory of 2288	4044	2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe	113
PID 4044 wrote to memory of 2288	4044	2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe	113
PID 4044 wrote to memory of 2288	4044	2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe	113
PID 2288 wrote to memory of 112	2288	cmd.exe	115
PID 2288 wrote to memory of 112	2288	cmd.exe	115
PID 2288 wrote to memory of 112	2288	cmd.exe	115
PID 4044 wrote to memory of 3336	4044	2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe	116
PID 4044 wrote to memory of 3336	4044	2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe	116
PID 4044 wrote to memory of 3336	4044	2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe	116
PID 4044 wrote to memory of 5060	4044	2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe	117
PID 4044 wrote to memory of 5060	4044	2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe	117
PID 4044 wrote to memory of 5060	4044	2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe	117
PID 4044 wrote to memory of 2684	4044	2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe	118
PID 4044 wrote to memory of 2684	4044	2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe	118
PID 4044 wrote to memory of 2684	4044	2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe	118
PID 4044 wrote to memory of 4620	4044	2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe	119

C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3192
- C:\Users\Admin\gmIMIoAc\yewowoos.exe
  "C:\Users\Admin\gmIMIoAc\yewowoos.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:3012
- C:\ProgramData\WiQosIMY\lqgQwoUc.exe
  "C:\ProgramData\WiQosIMY\lqgQwoUc.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:3448
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2748
- - C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
    C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3920
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3140
    - - C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4044
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2288
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock"
        8⤵
        
        PID:3564
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock"
        10⤵
        
        PID:2728
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock"
        12⤵
        
        PID:4360
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock"
        14⤵
        
        PID:2668
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock"
        16⤵
        
        PID:548
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock"
        18⤵
        
        PID:4416
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock"
        20⤵
        
        PID:3744
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock"
        22⤵
        
        PID:1980
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock"
        24⤵
        
        PID:2872
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock"
        26⤵
        
        PID:4296
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock"
        28⤵
        
        PID:3552
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock"
        30⤵
        
        PID:4808
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        31⤵
        
        PID:3100
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock"
        32⤵
        
        PID:1856
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock
        33⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock"
        34⤵
        
        PID:1996
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock
        35⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock"
        36⤵
        
        PID:780
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock
        37⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock"
        38⤵
        
        PID:3484
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock
        39⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock"
        40⤵
        
        PID:1120
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock
        41⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock"
        42⤵
        
        PID:4812
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock
        43⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock"
        44⤵
        
        PID:3112
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock
        45⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock"
        46⤵
        
        PID:684
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock
        47⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock"
        48⤵
        
        PID:4428
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        49⤵
        
        PID:1856
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock
        49⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock"
        50⤵
        
        PID:3432
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock
        51⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock"
        52⤵
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock
        53⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock"
        54⤵
        
        PID:1376
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock
        55⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock"
        56⤵
        
        PID:400
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock
        57⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock"
        58⤵
        
        PID:1316
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock
        59⤵
        
        PID:3100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock"
        60⤵
        
        PID:4224
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock
        61⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock"
        62⤵
        
        PID:4244
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        63⤵
        
        PID:1376
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock
        63⤵
        
        PID:1332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock"
        64⤵
        
        PID:1244
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock
        65⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock"
        66⤵
        
        PID:440
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock
        67⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock"
        68⤵
        
        PID:3508
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock
        69⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock"
        70⤵
        
        PID:3664
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock
        71⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock"
        72⤵
        
        PID:4568
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock
        73⤵
        
        PID:4136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock"
        74⤵
        
        PID:1496
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock
        75⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock"
        76⤵
        
        PID:2780
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock
        77⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock"
        78⤵
        
        PID:4496
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock
        79⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock"
        80⤵
        
        PID:5040
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock
        81⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock"
        82⤵
        
        PID:112
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock
        83⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock"
        84⤵
        
        PID:1104
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock
        85⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock"
        86⤵
        
        PID:4264
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock
        87⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock"
        88⤵
        
        PID:1316
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock
        89⤵
        
        PID:872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock"
        90⤵
        
        PID:3480
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock
        91⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock"
        92⤵
        
        PID:2780
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock
        93⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock"
        94⤵
        
        PID:1164
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock
        95⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock"
        96⤵
        
        PID:4296
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock
        97⤵
        
        PID:452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock"
        98⤵
        
        PID:1800
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock
        99⤵
        
        PID:400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock"
        100⤵
        
        PID:4496
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        101⤵
        
        PID:5092
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock
        101⤵
        
        PID:3140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock"
        102⤵
        
        PID:1428
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock
        103⤵
        
        PID:4104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock"
        104⤵
        
        PID:452
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock
        105⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock"
        106⤵
        
        PID:3760
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock
        107⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock"
        108⤵
        
        PID:780
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock
        109⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock"
        110⤵
        
        PID:4528
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock
        111⤵
        
        PID:400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock"
        112⤵
        
        PID:3456
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock
        113⤵
        
        PID:3712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock"
        114⤵
        
        PID:2140
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock
        115⤵
        
        PID:3272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock"
        116⤵
        
        PID:2012
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock
        117⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock"
        118⤵
        
        PID:2104
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock
        119⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock"
        120⤵
        
        PID:3660
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock
        121⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock"
        122⤵
        
        PID:1852
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock
        123⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock"
        124⤵
        
        PID:3124
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock
        125⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock"
        126⤵
        
        PID:4564
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock
        127⤵
        
        PID:3820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock"
        128⤵
        
        PID:2248
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock
        129⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock"
        130⤵
        
        PID:4904
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock
        131⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock"
        132⤵
        
        PID:3912
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock
        133⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock"
        134⤵
        
        PID:3292
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock
        135⤵
        
        PID:3272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock"
        136⤵
        
        PID:3972
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock
        137⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock"
        138⤵
        
        PID:1504
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock
        139⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock"
        140⤵
        
        PID:3004
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock
        141⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock"
        142⤵
        
        PID:2092
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        143⤵
        
        PID:396
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock
        143⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock"
        144⤵
        
        PID:4236
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        145⤵
        
        PID:2780
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock
        145⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock"
        146⤵
        
        PID:1056
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock
        147⤵
        
        PID:452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock"
        148⤵
        
        PID:2504
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock
        149⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock"
        150⤵
        
        PID:972
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock
        151⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock"
        152⤵
        
        PID:1944
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock
        153⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock"
        154⤵
        
        PID:2860
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        155⤵
        
        PID:4616
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock
        155⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock"
        156⤵
        
        PID:4768
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock
        157⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock"
        158⤵
        
        PID:3328
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock
        159⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock"
        160⤵
        
        PID:3668
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        161⤵
        
        PID:1376
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock
        161⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock"
        162⤵
        
        PID:4560
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock
        163⤵
        
        PID:400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock"
        164⤵
        
        PID:2328
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock
        165⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock"
        166⤵
        
        PID:4672
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        167⤵
        
        PID:2012
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock
        167⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock"
        168⤵
        
        PID:2228
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock
        169⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock"
        170⤵
        
        PID:4404
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock
        171⤵
        
        PID:4620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock"
        172⤵
        
        PID:3608
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock
        173⤵
        
        PID:452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock"
        174⤵
        
        PID:4228
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock
        175⤵
        
        PID:4768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock"
        176⤵
        
        PID:2328
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock
        177⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock"
        178⤵
        
        PID:2880
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock
        179⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock"
        180⤵
        
        PID:1724
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock
        181⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock"
        182⤵
        
        PID:4228
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock
        183⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock"
        184⤵
        
        PID:2216
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock
        185⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock"
        186⤵
        
        PID:3140
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        187⤵
        
        PID:3996
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock
        187⤵
        
        PID:3224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock"
        188⤵
        
        PID:4344
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock
        189⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock"
        190⤵
        
        PID:5096
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        191⤵
        
        PID:2656
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock
        191⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock"
        192⤵
        
        PID:972
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock
        193⤵
        
        PID:1396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock"
        194⤵
        
        PID:1616
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock
        195⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock"
        196⤵
        
        PID:2152
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock
        197⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock"
        198⤵
        
        PID:4972
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        199⤵
        
        PID:5012
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock
        199⤵
        
        PID:1244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock"
        200⤵
        
        PID:2476
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        201⤵
        
        PID:2216
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock
        201⤵
        
        PID:3256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock"
        202⤵
        
        PID:5004
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        203⤵
        
        PID:548
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock
        203⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock"
        204⤵
        
        PID:3552
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        205⤵
        
        PID:2248
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock
        205⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock"
        206⤵
        
        PID:2516
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock
        207⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock"
        208⤵
        
        PID:452
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        209⤵
        
        PID:2504
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock
        209⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock"
        210⤵
        
        PID:4156
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        211⤵
        
        PID:2612
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock
        211⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock"
        212⤵
        
        PID:4528
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock
        213⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock"
        214⤵
        
        PID:2780
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock
        215⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock"
        216⤵
        
        PID:3292
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock
        217⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock"
        218⤵
        
        PID:4364
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        219⤵
        
        PID:2728
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock
        219⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        220⤵
        
        PID:4528
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        221⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        220⤵
        
        PID:4716
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        221⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        220⤵
        UAC bypass
        
        PID:4072
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        221⤵
        
        PID:3104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        218⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4136
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        219⤵
        
        PID:4156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        218⤵
        Modifies registry key
        
        PID:2256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        218⤵
        UAC bypass
        
        PID:3972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mkQwEQYI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe""
        218⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        219⤵
        
        PID:4152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        216⤵
        
        PID:1616
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        217⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        216⤵
        
        PID:4672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        216⤵
        UAC bypass
        
        PID:2012
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        217⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cMAoQQYU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe""
        216⤵
        
        PID:4900
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        217⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        217⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        214⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        214⤵
        
        PID:3856
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        215⤵
        
        PID:436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        214⤵
        UAC bypass
        
        PID:1104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MIMQwEYU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe""
        214⤵
        
        PID:2212
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        215⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        215⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        212⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4812
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        213⤵
        
        PID:3280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        212⤵
        Modifies registry key
        
        PID:4404
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        213⤵
        
        PID:684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        212⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LeowoAcg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe""
        212⤵
        
        PID:1664
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        213⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        213⤵
        
        PID:4196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        210⤵
        
        PID:3336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        210⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        210⤵
        UAC bypass
        
        PID:4012
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        211⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HygcMcAo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe""
        210⤵
        
        PID:2728
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        211⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        211⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        208⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        208⤵
        
        PID:888
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        209⤵
        
        PID:3224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        208⤵
        Modifies registry key
        
        PID:3104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lcYUAcAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe""
        208⤵
        
        PID:3112
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        209⤵
        
        PID:3484
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        209⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        206⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5052
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        207⤵
        
        PID:4152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        206⤵
        Modifies registry key
        
        PID:4560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        206⤵
        
        PID:1996
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        207⤵
        
        PID:872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uMUQQcgU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe""
        206⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        207⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        204⤵
        
        PID:4356
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        205⤵
        
        PID:4620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        204⤵
        Modifies registry key
        
        PID:4404
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        205⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        204⤵
        UAC bypass
        
        PID:440
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        205⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cEEUUkcE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe""
        204⤵
        
        PID:3912
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        205⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        202⤵
        
        PID:4876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        202⤵
        
        PID:5028
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        203⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        202⤵
        UAC bypass
        
        PID:2140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Uscokcgs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe""
        202⤵
        
        PID:944
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        203⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        203⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        200⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        200⤵
        Modifies registry key
        
        PID:4768
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        201⤵
        
        PID:3904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        200⤵
        UAC bypass
        
        PID:4556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ewkcIoQU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe""
        200⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        201⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        198⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        198⤵
        
        PID:2516
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        199⤵
        
        PID:3616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        198⤵
        UAC bypass
        
        PID:2256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FAsckEwU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe""
        198⤵
        
        PID:4236
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        199⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        199⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        196⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        196⤵
        
        PID:2228
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        197⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        196⤵
        
        PID:1520
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        197⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xOwAYsAw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe""
        196⤵
        
        PID:3912
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        197⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        194⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        194⤵
        
        PID:3740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        194⤵
        
        PID:436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZgQEUEUI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe""
        194⤵
        
        PID:944
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        195⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        195⤵
        
        PID:692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        192⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2092
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        193⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        192⤵
        Modifies registry key
        
        PID:2476
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        193⤵
        
        PID:3100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        192⤵
        UAC bypass
        
        PID:3888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PyscUYIc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe""
        192⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        193⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        190⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:5012
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        191⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        190⤵
        
        PID:112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        190⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IQgUMAYI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe""
        190⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        191⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        188⤵
        
        PID:4672
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        189⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        188⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        188⤵
        UAC bypass
        
        PID:2620
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        189⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ogQIIMUU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe""
        188⤵
        
        PID:2404
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        189⤵
        
        PID:3820
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        189⤵
        
        PID:3336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        186⤵
        Modifies registry key
        
        PID:2872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        186⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        186⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CoMckAcg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe""
        186⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        187⤵
        
        PID:436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        184⤵
        
        PID:844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        184⤵
        
        PID:3280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        184⤵
        UAC bypass
        
        PID:820
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        185⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XecswwMI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe""
        184⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        185⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        182⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        182⤵
        
        PID:4876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        182⤵
        Modifies registry key
        
        PID:2032
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        183⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hEwAMwUc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe""
        182⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        183⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        180⤵
        Modifies registry key
        
        PID:1616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        180⤵
        
        PID:684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        180⤵
        UAC bypass
        
        PID:3292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zsQwwwoM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe""
        180⤵
        
        PID:1056
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        181⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        181⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        178⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:872
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        179⤵
        
        PID:3272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        178⤵
        
        PID:4236
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        179⤵
        
        PID:3304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        178⤵
        UAC bypass
        
        PID:1316
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        179⤵
        
        PID:3456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tCkkIMgo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe""
        178⤵
        
        PID:4048
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        179⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        179⤵
        
        PID:3616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        176⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3900
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        177⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        176⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        176⤵
        UAC bypass
        
        PID:2256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QaEIIgEY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe""
        176⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        177⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        174⤵
        
        PID:3292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        174⤵
        
        PID:4776
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        175⤵
        
        PID:208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        174⤵
        UAC bypass
        Modifies registry key
        
        PID:4560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sIIIQsYI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe""
        174⤵
        
        PID:548
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        175⤵
        
        PID:3328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        172⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        172⤵
        Modifies registry key
        
        PID:3972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        172⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wsUUUYcY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe""
        172⤵
        
        PID:3456
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        173⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        170⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4428
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        171⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        170⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        170⤵
        UAC bypass
        
        PID:1820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zecMMsUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe""
        170⤵
        
        PID:2872
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        171⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        171⤵
        
        PID:4036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        168⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        168⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        168⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pCscgkMs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe""
        168⤵
        
        PID:1676
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        169⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        169⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        166⤵
        
        PID:1852
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        167⤵
        
        PID:3480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        166⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        166⤵
        UAC bypass
        Modifies registry key
        
        PID:2644
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        167⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xuAQIUYc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe""
        166⤵
        
        PID:5008
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        167⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        167⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        164⤵
        Modifies registry key
        
        PID:3976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        164⤵
        
        PID:3456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        164⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dOwAAQQk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe""
        164⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        165⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        162⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4036
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        163⤵
        
        PID:3760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        162⤵
        
        PID:2964
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        163⤵
        
        PID:436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        162⤵
        Modifies registry key
        
        PID:3256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\miAMEYEI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe""
        162⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        163⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        160⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        160⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        160⤵
        UAC bypass
        
        PID:440
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        161⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MIYwAkIQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe""
        160⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        161⤵
        
        PID:872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        158⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        158⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        158⤵
        UAC bypass
        
        PID:5048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZeMIQUMk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe""
        158⤵
        
        PID:3112
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        159⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        159⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        156⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        156⤵
        Modifies registry key
        
        PID:3484
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        157⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        156⤵
        UAC bypass
        
        PID:452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hwwoossU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe""
        156⤵
        
        PID:820
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        157⤵
        
        PID:3096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        154⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3100
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        155⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        154⤵
        Modifies registry key
        
        PID:4076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        154⤵
        
        PID:1724
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        155⤵
        
        PID:4112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jAQwAQMw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe""
        154⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        155⤵
        
        PID:3820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        152⤵
        
        PID:4600
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        153⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        152⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        152⤵
        UAC bypass
        
        PID:3096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GCYQwkgo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe""
        152⤵
        
        PID:3192
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        153⤵
        
        PID:4036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        150⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        150⤵
        
        PID:3224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        150⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QesEYUws.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe""
        150⤵
        
        PID:4196
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        151⤵
        
        PID:4132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        148⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        148⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        148⤵
        
        PID:944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SQAIoIkk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe""
        148⤵
        
        PID:3900
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        149⤵
        
        PID:3232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        146⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        146⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        146⤵
        
        PID:4112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uyocIcIs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe""
        146⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        147⤵
        
        PID:3272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        144⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1612
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        145⤵
        
        PID:4140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        144⤵
        
        PID:1376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        144⤵
        UAC bypass
        Modifies registry key
        
        PID:872
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        145⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VGUAIcUU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe""
        144⤵
        
        PID:436
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        145⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        142⤵
        
        PID:208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        142⤵
        
        PID:4648
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        143⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        142⤵
        
        PID:888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LekMokkI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe""
        142⤵
        
        PID:4072
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        143⤵
        
        PID:1168
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        143⤵
        
        PID:3904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        140⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2612
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        141⤵
        
        PID:4136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        140⤵
        
        PID:3292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        140⤵
        UAC bypass
        
        PID:3900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xOIgwAME.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe""
        140⤵
        
        PID:3548
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        141⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        141⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        138⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        138⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        138⤵
        UAC bypass
        
        PID:3256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bQYMwwkQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe""
        138⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        139⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        136⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        136⤵
        
        PID:4672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        136⤵
        UAC bypass
        
        PID:3616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YGkUwEUU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe""
        136⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        137⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        134⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        134⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        134⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kYgkscEI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe""
        134⤵
        
        PID:744
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        135⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        132⤵
        Modifies registry key
        
        PID:1984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        132⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        132⤵
        
        PID:4136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kwQUIMsw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe""
        132⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        133⤵
        
        PID:3140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        
        PID:3996
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        131⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DOwsYUIE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe""
        130⤵
        
        PID:208
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        131⤵
        
        PID:3484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        
        PID:1852
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        129⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        
        PID:2376
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        129⤵
        
        PID:1396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        UAC bypass
        
        PID:5092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rEIgIUkQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe""
        128⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        129⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        Modifies registry key
        
        PID:3816
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        127⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        
        PID:4104
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        127⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xGgYoQkE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe""
        126⤵
        
        PID:3904
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:64
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1168
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        Modifies registry key
        
        PID:3304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        UAC bypass
        
        PID:4152
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        125⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VggAoIUc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe""
        124⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:3480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        UAC bypass
        
        PID:1664
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        123⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sIYkAAwI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe""
        122⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:4112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        
        PID:4224
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        121⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        UAC bypass
        
        PID:2088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eUEgcgYs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe""
        120⤵
        
        PID:2860
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        121⤵
        
        PID:4772
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:3616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        UAC bypass
        
        PID:2972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\smMAMMEY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe""
        118⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:3484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        Modifies registry key
        
        PID:972
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        117⤵
        
        PID:4156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iUkkMAUE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe""
        116⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        
        PID:872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        UAC bypass
        
        PID:2608
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        115⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hKYoAwUE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe""
        114⤵
        
        PID:3256
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        Modifies registry key
        
        PID:1332
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        113⤵
        
        PID:3192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TqcUAAIQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe""
        112⤵
        
        PID:452
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:3140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        
        PID:64
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BqUsgcsM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe""
        110⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        
        PID:436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        
        PID:1168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SSYcYEAI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe""
        108⤵
        
        PID:4152
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2700
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        107⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        
        PID:2092
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        107⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MUQsUAco.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe""
        106⤵
        
        PID:4136
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        UAC bypass
        
        PID:3652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OocoUAEI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe""
        104⤵
        
        PID:3712
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        
        PID:4224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        UAC bypass
        
        PID:1316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GgUQYgQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe""
        102⤵
        
        PID:396
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:4140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4760
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        101⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PGAgkQco.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe""
        100⤵
        
        PID:2780
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        101⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        
        PID:1104
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        99⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fYQsUYQU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe""
        98⤵
        
        PID:228
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        
        PID:872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        Modifies registry key
        
        PID:2832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        UAC bypass
        
        PID:1504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tGIwIoYQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe""
        96⤵
        
        PID:3100
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        Modifies registry key
        
        PID:5028
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        95⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        UAC bypass
        
        PID:548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rIkYwYMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe""
        94⤵
        
        PID:4112
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        
        PID:3484
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        93⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        Modifies registry key
        
        PID:4988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        Modifies registry key
        
        PID:5004
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        93⤵
        
        PID:1244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cQAgEgss.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe""
        92⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        
        PID:396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        Modifies registry key
        
        PID:2164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OoUYskwM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe""
        90⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        Modifies registry key
        
        PID:4716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KAUMAEQY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe""
        88⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        UAC bypass
        
        PID:2012
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        87⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aYwEIAsI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe""
        86⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:436
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        85⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        UAC bypass
        Modifies registry key
        
        PID:4336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vgYQkwEg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe""
        84⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        Modifies registry key
        
        PID:4772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        UAC bypass
        
        PID:4812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VAIUUwQw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe""
        82⤵
        
        PID:3480
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        83⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2228
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        81⤵
        
        PID:440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        Modifies registry key
        
        PID:2328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pKsUIQYs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe""
        80⤵
        
        PID:4568
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        81⤵
        
        PID:4224
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        Modifies registry key
        
        PID:3192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hKwIEUkg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe""
        78⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:1396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        Modifies registry key
        
        PID:2200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wIQMUsMo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe""
        76⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        
        PID:3140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        
        PID:2012
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        75⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        UAC bypass
        Modifies registry key
        
        PID:3004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IMoAcscU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe""
        74⤵
        
        PID:4156
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        75⤵
        
        PID:3824
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        
        PID:684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eEYYEMUQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe""
        72⤵
        
        PID:1192
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        Modifies registry key
        
        PID:3272
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        71⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        UAC bypass
        
        PID:3188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XAEoYEQo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe""
        70⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        
        PID:2376
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        69⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        UAC bypass
        
        PID:4800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pOIQwcQM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe""
        68⤵
        
        PID:112
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        
        PID:944
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        67⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RYwwcMYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe""
        66⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        UAC bypass
        Modifies registry key
        
        PID:3856
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        65⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JicQMAws.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe""
        64⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        
        PID:3104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        
        PID:3740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wagQksoM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe""
        62⤵
        
        PID:1136
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        63⤵
        
        PID:3760
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        
        PID:1696
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        61⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        UAC bypass
        Modifies registry key
        
        PID:4236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OwUsMkww.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe""
        60⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        UAC bypass
        
        PID:2288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cIgEIsUU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe""
        58⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        Modifies registry key
        
        PID:3740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:3760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        UAC bypass
        
        PID:2964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xUYUUwYw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe""
        56⤵
        
        PID:3660
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        57⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3480
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        55⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        Modifies registry key
        
        PID:4808
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        55⤵
        
        PID:4528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        UAC bypass
        
        PID:4012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TaMgEAkI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe""
        54⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        Modifies registry key
        
        PID:976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:4104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        
        PID:1144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BQAcMQog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe""
        52⤵
        
        PID:4224
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        53⤵
        
        PID:4324
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        Modifies registry key
        
        PID:4296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nyEYQwYQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe""
        50⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        
        PID:400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\foQUoIQY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe""
        48⤵
        
        PID:1244
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        Modifies registry key
        
        PID:3904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        UAC bypass
        Modifies registry key
        
        PID:4372
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        47⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AQkUIgEo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe""
        46⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        
        PID:3824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        
        PID:1544
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        45⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        Modifies registry key
        
        PID:4760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aUwwIwUw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe""
        44⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        
        PID:1184
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        43⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sGsAgcww.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe""
        42⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:3760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        
        PID:1592
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        41⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        UAC bypass
        
        PID:4580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VCwgwEMI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe""
        40⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:4152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        
        PID:3140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        UAC bypass
        
        PID:4776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bSAoIssg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe""
        38⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        Modifies registry key
        
        PID:4680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        UAC bypass
        
        PID:3760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VQskUEkk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe""
        36⤵
        
        PID:3820
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:4772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        
        PID:4152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        UAC bypass
        
        PID:2656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lesYQgAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe""
        34⤵
        
        PID:4136
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:3192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        UAC bypass
        
        PID:2348
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        33⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WIgYswMM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe""
        32⤵
        
        PID:4528
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        
        PID:4324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        UAC bypass
        
        PID:3484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wgIUcckw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe""
        30⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        UAC bypass
        
        PID:872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aswosoIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe""
        28⤵
        
        PID:1036
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        
        PID:3608
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        27⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OmwwwEoQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe""
        26⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:1132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        UAC bypass
        
        PID:2644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tYoUYsoY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe""
        24⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1560
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        23⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        UAC bypass
        Modifies registry key
        
        PID:3140
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        23⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XuYYwkAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe""
        22⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies registry key
        
        PID:2052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        UAC bypass
        
        PID:972
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        21⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hkAwcEks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe""
        20⤵
        
        PID:3232
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        UAC bypass
        Modifies registry key
        
        PID:4284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TSUsoQQY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe""
        18⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        
        PID:3904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\csEAYoMw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe""
        16⤵
        
        PID:400
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        Modifies registry key
        
        PID:1676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        
        PID:1544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GeIQssgQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe""
        14⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        UAC bypass
        Modifies registry key
        
        PID:1724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mIoQAEos.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe""
        12⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        
        PID:4152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IiwUswEY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe""
        10⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:3532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        
        PID:3900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nWUYIcMs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe""
        8⤵
        
        PID:8
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:3700
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        
        PID:3336
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:5060
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        Modifies registry key
        
        PID:2684
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PkkkMYwo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe""
        6⤵
        
        PID:4620
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:2340
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:1564
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:4648
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      PID:2636
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vWcQwcUA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4012
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:3004
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:3356
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:3912
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:2140
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HEYcwosw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4140
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:384

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:1564

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:1184

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:780

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:4276

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Package Cache\{d87ae0f4-64a6-4b94-859a-530b9c313c27}\windowsdesktop-runtime-6.0.27-win-x64.exe

Filesize
721KB

MD5
d088310382c2d009caf57223de0ed6d6

SHA1
58e4f1698e6a7acc3be67ee05534739e12abf1bb

SHA256
9ddf35f273b8d91ae682237f9ebcdb07dbb24df56a9051f0fba93f45aef29c2d

SHA512
60f1676449cf2a8effef4262ac48ae39a13703b0438c1d1172e28bbed5fbf8286e137e6791d1bf36e806be7362176e3a216cf284bfd6e4c1fd701566fdb1c327

Download Submit
C:\ProgramData\WiQosIMY\lqgQwoUc.exe

Filesize
108KB

MD5
8ad0ab60f8d4c968925df7302da986e9

SHA1
191c6799bf709aaba30385868deee670d8cc6633

SHA256
7c98dd2b56faf147c1df484c162c6f66b5f6e4cef4cf1acdeab22934deac195a

SHA512
d2a236ea36d7fa7d28bbe0149445176fcd7f72fd323e818a919906bb99581d59649a8cf81ede3daa7f9d5f4912723a87706fc96c5149d7b49391c194dee6ea8e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMHeroToast.png.exe

Filesize
126KB

MD5
40483ac3ed7e99b2a0bb03b2f78fb97e

SHA1
179c143973c553c839e3ceaa6ac0df332cfffbbd

SHA256
5d14d18efa4a52b8286c1123996344de02e05da92078e15fa85f2c5a68017b93

SHA512
b2bf1ef319bf3aa39238665bca245c56b5f6d632a69a4dd18a22ba1ab35cf1fd4311f70607e846471e5c4c8a9718c55d9fff1ffa4a9224338e2b58b9ce94dbf2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\images\blurrect.png.exe

Filesize
112KB

MD5
e7c6e7a5e03ee876d0d24e8905c93aad

SHA1
1173e253581ed444835caaac93ebfde26c7df2ca

SHA256
55286fdf4de00db23ec621961ec39a206ad284ef93486ec74fa8e9132db2ddbd

SHA512
eb6fc4f7b707b0bcf05155555c59bbe296a9cd5eaf418e1476cfbf41695d0a96d10ac4e1bfc3b84fbde97be33a1708b1d496ce2cb475e37068fabd65dedfccd5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-150.png.exe

Filesize
111KB

MD5
2ad77b0d44107ce580a5ee5c7f40367b

SHA1
b0851ff3d23ac6acf7d40155b6c116b04a78cfe3

SHA256
8b1ab3b35f39ca75c9dc9ef5b393597483eaf8ff4b03dc4dc0de2e64e7e24569

SHA512
855ed2cccb052cbd91652d51ac2f79fe9a189cd408928559426236c03a43ce98626aa24fbcd81b8c0603941f4fc783a5822801ddd9f3fa59be4ed0f5f98f686e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-400.png.exe

Filesize
115KB

MD5
e89e028fe1197fdcd8bafa5a7c83f122

SHA1
a7f69cc0f482a945d8a31d11029bbcfecf78e781

SHA256
4b3896b4b3e63cf3b458d8d48237684af9bb136be500d5d030825e4cc5486811

SHA512
02757f4724b17e55a46f4b1dad83ceb6152064f81393458ca8afee3c8eea0cb89a9967f03f0d067408f8242227c1ccc0a881eb644308a2f67ae47c1329392614

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-100.png.exe

Filesize
110KB

MD5
95eeb7bc8f2f9b39e1a5d92c37f47cd5

SHA1
39d81c3a84703a935ef2d9e8d06f0d6cae367d81

SHA256
55542f34cf0942adce8e8b871bc2a26587e2ddb80fb90c10c5209462869f3340

SHA512
cbc8c4b3899ae671ba861702a020244b140d8fedb5e5657e49d1b3c0ecff8c0d25425a74edf821837dd125f5d471f2468fe54c10e8a4f2f4beff622f609d3c90

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-200.png.exe

Filesize
112KB

MD5
fa5c79a6fcf49545cdbd2893f2fca00b

SHA1
ab7ced4c0f08e8a447a4efc3f6ee6fab57b67ec9

SHA256
5e18121705a505f4b0d4ee9b96e16d1ebeeee64ccdfd96e82f2370c52965dfce

SHA512
3bba59468665ec4f92f445000bf13a0e17dacf057cdbdeb790d13c22e35042bb794c53eaef52a085f122dc564933afcd1709357ae67a7401ab04d22010a24175

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-400.png.exe

Filesize
114KB

MD5
4e39f6ad0c5f2744df01918c220517fd

SHA1
7542124137803d5e2d6a8486db10a5ca7a4b0b7e

SHA256
8ec31015773df452392e74a3de1b4e77f20f8cac552bbe592c916d07b574534f

SHA512
de94777b67755ae0f397e25690035870214f47986e951fe41ee2f7e14fb150d0d8a32188a61b4ac300fdb98c59e1b34b85e0e014632833eba26b3f1aae657510

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-05-23_89525bfe8ee83b64d41da9141eabd1e6_virlock

Filesize
126KB

MD5
9adaf3a844ce0ce36bfed07fa2d7ef66

SHA1
3a804355d5062a6d2ed9653d66e9e4aebaf90bc0

SHA256
d3e8d47e8c1622ec10adef672ca7a8992748c4f0a4e75f877462e7e661069698

SHA512
e6988737153a0996b14e6baa45e8010ff46714fe7679d05a2676cc18e1c653e99227e7507cdae4f2b6a99b3c31478630e7e1ae13d0f7c12525406d8cf9867ca5

Download Submit
C:\Users\Admin\AppData\Local\Temp\AMcS.exe

Filesize
115KB

MD5
e8738cd9ba0029557023de44098ce251

SHA1
440430c7d57966606bf9bf94d4808ac448a6e7e1

SHA256
ec79a6c28955642d242e5c6a8bd5dafd1eb43b7a611054fa46ed06b199c9f93d

SHA512
a74e8fceeb76b5492f8fae08be03444e3eac5e7bd197b500986e3b5b1877e35edee85c01402482c96c09ffae4197409d19f5f0a0538de625423c21794e59e84a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AQYo.exe

Filesize
109KB

MD5
a9e2d6280fafd0de405db358b0687748

SHA1
7ab37f4efafe03ac42735e30c04e033ea5a6f81c

SHA256
72da2934b3405e7c926abe6ea423a9f00dd331d08fbf4194c79871bddcad0d8e

SHA512
829302caed4b1ad2f74e89969e937cf9f86ed39f159261feb8577fe825e8f862418ee36d427521973b8dfa1faa7a84d9c4814905d5eadb5924258696c51c7b1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\AUMW.exe

Filesize
113KB

MD5
6107f7354423abbfdb190026cb9e8a84

SHA1
d93e77882ba5e7cfb4f504594f5149f251159b8e

SHA256
bc9e8c3435781e0866f5d1f93317def12fcea786afd52e1a64902f7f77836c74

SHA512
95a707694892f7e7571cdaa606c37b3396df0f8d4d2fb7501a7ebe8d61083a945d19be2e4d08a695039730f4b408d88c1cf229c2b0996887c61f965352b8cb63

Download Submit
C:\Users\Admin\AppData\Local\Temp\AUkQ.exe

Filesize
237KB

MD5
aab0cf4c6a6644c4a988b3f27373c0be

SHA1
80b52bd5653435188a9e0381d04b13312f768ae7

SHA256
31efe8c585cccd91230981564968443b7c25e2182416df13312be058e306dba6

SHA512
f8e8d07dcffeb0156ba92ded29bf834e6460c5cd10e6da7abb462878749fb7250a82a893a125ce4081d546bf196ada649d617af1c7cb89c36eb709c6412546e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\AkYw.exe

Filesize
477KB

MD5
d7e64bb0895aa558feb288ab74dc0f82

SHA1
84ef959d92c8dc83fa97de1d407cfe3b6fdbd8d3

SHA256
431cad0d0e713a959eda9fbdb46935a6a9bca03c027a3164bdf5e38336a979d4

SHA512
7d9aba2cdf86a50bbb7e33f4977511cf2a3b91cd5761ca265a176acd68374444cea50fb92324c4e28cc49cab2a2f3ea21b13d0e38518f7866ee68d869605e093

Download Submit
C:\Users\Admin\AppData\Local\Temp\CIAs.exe

Filesize
722KB

MD5
adbfe63a2bc82435b06e8556d3b4c98e

SHA1
060f3f4f47f3050ef730194e2e9e9b5dcc083921

SHA256
fe17e3add5051ffef979f286630e2a19efd3b2152ed1b9be9ef2cd1e76c8e2df

SHA512
b66edbfd52e0a7d5a2a3b0923a2d5a25c426c5a3bc1ae51d97f753d3cc49856f8713d587cd2a1f8bec43cafc4fd0f34210abfb0af59b08417857d8f889ca0dc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\CUwG.exe

Filesize
114KB

MD5
2e9a9141fb9d6049cbe985df3e5ae6a7

SHA1
f295825ec9f71b6bb859eaa84db1ac81666d0632

SHA256
d4d393f5ecb786a580b63fc0622012869d936c19bf15700814d33b9b9c1f6a26

SHA512
dacf685c0a84d367a7b515657f9d5dc13d99e51080df22baa9919c44d45ae1a875daece1a3ecc0a42e24ce96ceea90f7a308786d5bd7cc830ad1f5161514723d

Download Submit
C:\Users\Admin\AppData\Local\Temp\CYwq.exe

Filesize
786KB

MD5
78e79c902c5ba1f463791323e299a566

SHA1
4f304e275f828832486f568816b20282b0658464

SHA256
5feee7988b568dc5b53fa8b99c2fc7783a766d722535bd791e4fa1cac3ad49d9

SHA512
973730730d3166dcc18fa6f49700eebfce79c80f7b4f13cc7332d636ae2f508035ef0d91e27be91cd2f47cccb443824935ef2478cdfe078105f2b70cc0cb543d

Download Submit
C:\Users\Admin\AppData\Local\Temp\CkMC.exe

Filesize
112KB

MD5
ddb5c6741b177d4871b800169f125125

SHA1
db688263b89da89143d5be61e78d314d4d331237

SHA256
25c1eabb1729d9a801a383620ba6940590e2bbf225d307dd34560ca5fd3eae5f

SHA512
adcb487bf7f6ac5f83803ce385cf6202c76c0fc911936bab98374f91f6ce84055ccbcc8445cc41ded65563c9fdd88f9d948daa946b2e7c4537d5c02fd08b18aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\EEEk.exe

Filesize
492KB

MD5
a5eb78093962548abb389cebf874b910

SHA1
bb208b05fd06b687ec1789467644fed44d7c3603

SHA256
6002c8d3a539120127738cc68991212d097c5521dca170f15d9f5413467d6299

SHA512
912adbc72a6795b0d33de3014988091c64864bfe257954260f0c55eec2b97e2720c998670c6a3efb3c03b3b5574cbe317f162e53e4956878696d586fa714e2e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\EEUW.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\EEsm.exe

Filesize
698KB

MD5
e3384a4780fd8872ad35f321d7225af6

SHA1
9d7effbe1001225545879384e76dbf11c9747fec

SHA256
ee1c7cf3934b8372634be2ebc2c46f52239574b26d617d8efba17ee7b6250d30

SHA512
7226c36df4e028a6a03132f5bd1d05a921f571321bcbebbff34e88cac64ae54a8ad5b118d3afcad2b4ab180c7196d777a3f52ac2aeae9ab2c40fa820d4207487

Download Submit
C:\Users\Admin\AppData\Local\Temp\EIMy.exe

Filesize
116KB

MD5
62947a329f6b5963e9374c2e1041f889

SHA1
c1551591ff11c3737a2c139b1ff5331b6a7cbc5c

SHA256
6b152cafdf586874b490353c344e796602dc476feedf36be41a643833644b441

SHA512
e7650b53a1674b22b2987ff1ac64bc0d7c694191dc2fd37cda4b40121c3fdd6d3a503e5f5910daa5db350a14bcc184ee6119020c77d53c33d6e4812b011ce88c

Download Submit
C:\Users\Admin\AppData\Local\Temp\EYMc.exe

Filesize
136KB

MD5
26e92aab016dcc423348fa57e37ffa04

SHA1
46428b3daa4e65402b206ce1ff0c7988a17218b5

SHA256
4a9e0180f85575dde5c6aa83cd25e7c2816447e52184a3e77edc57e8c5f60bcc

SHA512
f73158c18e1df247fa12c36717a69889dd3be7a52248178e7bce7d0181c01f037f76d6606750941e46cbf186d2598ed869798d58b21d8348b9209443e0e97cf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\EwAQ.exe

Filesize
115KB

MD5
05387ac5ea2c19b2ad1d9ec8f7c1a5c8

SHA1
009caaa9b8ca13b27614956759a04c48a16a2ddc

SHA256
17720b34ff2ee9f522d680f507d404d173c8d1dc51cb2361b3001b9644086e2d

SHA512
4b4f68eb7519e1c343d33c6d30c4c6740f35916a1a0c38bd0fda6c8ab07aa096df7889a9965320bc7ab214b45ea4e080eb63cdf612b7b7ac766613d04e386a31

Download Submit
C:\Users\Admin\AppData\Local\Temp\GAEG.exe

Filesize
564KB

MD5
9350edfcc4b9702dd83704cffb4fb77b

SHA1
9cb4a0e617f41a4c28da6f427f1b6b8dc2a1c10c

SHA256
9f86718eae86a12e913d9219c4eb76bce40aaba72cb78a0c7fd7e46bbc0ced06

SHA512
fdf4656a504e9fd9224d07ba44b7cb78aae40902fe85b3de27299eea728d8caf8aea3dd34459caa6060414c23ad4675c63e48367787829613666d01df4dfe126

Download Submit
C:\Users\Admin\AppData\Local\Temp\GQwQ.exe

Filesize
111KB

MD5
13499eae9f9282bc8defc28bc2498f49

SHA1
02da678104218a6d407eeeab5a6241148339a950

SHA256
55facf98e91117c18e43efd6b69f105dc8d9b13cd168a7d2fd4c0f483b32ccca

SHA512
82cc9c6b25c7faff256f0ef05559db456d51f51ac6da6fa55b493d9aa079bd88f54bb7f02402503bae4f06d1776bb0a9937a9b49de09c062d18645f67fe9c313

Download Submit
C:\Users\Admin\AppData\Local\Temp\GYsY.exe

Filesize
117KB

MD5
fdc710c27b92ccc60e06677704274662

SHA1
ec47ed3a5b90e9a42bb1329037bbd554bca0dfbe

SHA256
e3da6e25333115e8f130d988392c38deea76d19c9ab72931ad17e70ac1da4a07

SHA512
e7d58c517b674efa9f03f8df9a69fe9a71f7cecc2ff89bb84867d5710959aab1740bd2965f1fc04bbba14b860f87bbe51052bb9211d5094ba682fda7c3c404c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gokc.exe

Filesize
152KB

MD5
f878858b16d96f5507522a1206821798

SHA1
b08c9d887555eb2e4af6f6a5f88833adf8f56e11

SHA256
7e49d6dd4fea7de4ecc4ab88f62563011e2bc4112a21d80ac3620ae148f9d925

SHA512
27d4fb28eedf9b27cf873ac137d80d3a558e4b30f77dc049eef33627d0914427394a6f073e25e4002dc6af1ed1ddc4c0262e89d5dd183bdf15ab7d4af24752e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gsgs.exe

Filesize
546KB

MD5
a6d290b37a63a0c63622d88b02bf8fd4

SHA1
a17cbb2cb08ea851575dc6a710e9971ba57a8d5e

SHA256
e81c0e2dacc9c2e2a1ef76983683d2d7dd626645519d446c8ad9fb40d1e73600

SHA512
cd74fd5005425164f1652fd6fcac8217bd4858f04e223f88189b2a90bd8c54a4a4a13c804dbcf9ebb0709a83efd4393bbf21505d8056c3ee2ac393b735231af1

Download Submit
C:\Users\Admin\AppData\Local\Temp\GwMY.exe

Filesize
139KB

MD5
2fb39f6012d2f3fc1bff9cb99300af27

SHA1
05d808b10c5df1c7a8412e6e42fc51c3478c3660

SHA256
b9cd41f29fef62ceb653079675c1a6cae437c708b14311781529b3b977c67485

SHA512
390e3024dd8ef69dc50a2be0394e3f173474b7207e843802fca5e58ccaae986cfb0777b62984dad8058403095cbda903881ccea5268ba2c27b178d43fb9ba2fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\HEYcwosw.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\IAoQ.exe

Filesize
124KB

MD5
2d30992206d25558dd2624c711cd1036

SHA1
14d95ee9f84b3c75a1dd2d3a3ce60f3e2776f900

SHA256
e3ea2bc3bbd7e26a9a0a093d86cab6d9aff867fe0b9b05dfbf4677388cdde746

SHA512
229a6c82685ee86a76dc5d46dd5a158083786a8c556059defdcd1c7ccdf8756cda5b2f9dd39ddea99130eecf338b9ff73c3174c25280b74ac44b4fcfea070532

Download Submit
C:\Users\Admin\AppData\Local\Temp\IYUg.exe

Filesize
112KB

MD5
377f40d0b9c350a3adc16b91f887034b

SHA1
74123e270cb561bd6c64942f387b0b5afc072536

SHA256
c4b2a36d9ff98decfdb3538f78aee9cf25ea6df89cd8c4ed34faa575f875d468

SHA512
397f79ab425aaee735e24d51b8215c7a2bd5bae242b75c5f5ace3edf40c368ee217768e83a18058e88fede4f83c53b2e050b37b8b3d1738fa6093ee4e78e0726

Download Submit
C:\Users\Admin\AppData\Local\Temp\IYgg.exe

Filesize
110KB

MD5
c64b4042f6cc6591200affca8ed72ec2

SHA1
97806ae51a7c50c3c92bd47090faf58af31767a2

SHA256
ca588f37be523c321c27075caa43f32c0d19e8bad572f5011ee68f436ea54930

SHA512
0811fe06021aeb08a0e0a5ebea41b0aee82186097d5deeb6de004a85be0ca11a5582324cc0fe2250469deaa458eae1562c405a82b6bfd4ecf16c4e6d24b61585

Download Submit
C:\Users\Admin\AppData\Local\Temp\IkAG.exe

Filesize
112KB

MD5
b8c142ce5ac41186549d007edda9b8d2

SHA1
8437714ab8ce2f5673470a4b3b13fe9a3772ec02

SHA256
cb9077111b80fa1082721368221f2fb37a3a2f74a2e70d3e50def4677f70d78b

SHA512
5b947e8075e828a97125872ae3b628fa8e727f4ea5de11fb1eaa7ac7b54bc4e0b2bf4dd0a233eac6c81cad2a923df4efca38ca36d8006ddc17b4a26565d2c31a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IoYq.exe

Filesize
111KB

MD5
803312fc081b127f48f2d5446021333f

SHA1
143a43284d7733708627e8d55d95edd59b268784

SHA256
feffc7f1ae814dbf12e252aa46d008a49fadfe7e2ab590659887f4ec6a4a282b

SHA512
a49cacb3c18d95c866ac7fb77960c1ece258627ade434a4cbd347c94c95ee772d60c99e77dce9baf2241d4e63cd2fc8f9382d50b1596d60d868ed39102a6c54c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IsAs.exe

Filesize
384KB

MD5
64421b40299614a96746ebc7f05a8056

SHA1
966bd04adc34e9b37716c4f02576b7ac81d80e27

SHA256
9c170ae2f76f24b285b279d769b079da9f7ddd5773aa9aadfa20ae3ffbe0f940

SHA512
7d24b8caf3791e08ddd3c9a4af59231a3a86aaa907eb0460406a3220fbbf314656cb467ed3da955d854c00e49bac660291ba67e0fc5b5c81e7b58d60c49a1ce1

Download Submit
C:\Users\Admin\AppData\Local\Temp\KUQE.exe

Filesize
111KB

MD5
6243cbf294143549fb128aae3210065e

SHA1
164efdf047748e3340b8b6250106a0b03d9ccd3e

SHA256
bd38ec060ba10095d65aaabcc0e79ff17efff47156bed23fbd28304a408f9e7e

SHA512
ca330f4e770f9a60d48bce819d1b5aafe8a4f51920423c88ff6deb7ad523e6dfbab7c9f08be04cd3790904f9b240e274539810588823b6751942b846ffa8f9d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\KcoA.exe

Filesize
148KB

MD5
a4c2b7ea1b37d1716e4bc11f5a8bd5fd

SHA1
6cb76988c222936d1deb1bad7cc8686ec185f949

SHA256
520d9cb732690c29430c88befe2fde9a581eec3811b5149f0721bc8c0f6849d8

SHA512
ea666d4b057747cabf42a5552840140d9e481dc802752b9215a0592cba439bc0e1332abd60eee94f74cc41768f87406fd141eb1699418627c46cc67be02ff51c

Download Submit
C:\Users\Admin\AppData\Local\Temp\KgIA.exe

Filesize
1.5MB

MD5
48807e4cb69f1709d97d01a8402027ba

SHA1
b9d26a16ab9a4b966a0dec3c40aa41b86060b7c5

SHA256
fc6c8555f50bda8ef444642a743d3ff86e8585a42ba5008ec46070c68adf3c3e

SHA512
19183a454162f40d67993b98e2d1277cd02850a5aac848c03a5bc5b70ff4b98ebaa7cd2ff523315ce9803bb95676700134d5509199f70c36c96a0f95a3d153fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\KsMW.exe

Filesize
110KB

MD5
a45aa32352cae6169533be22a96d88fb

SHA1
14f1ae8387098021a1e8a1da6de5c8c243e690c2

SHA256
a303bc5bc0e970a7988e8dd0745efdbd8fdc01a47895ceaa5e48449736664d60

SHA512
81630e6d3b968279e63a9201c1e099b24fb23a25ff69de4821722c28c723ff6e109352d1be9243c1c0b7f7c63a0b2430979278a4e0e62a655581024c721cb30d

Download Submit
C:\Users\Admin\AppData\Local\Temp\KwAe.exe

Filesize
346KB

MD5
a2f91ad6dc736a8e7a043291c325acb8

SHA1
c2de749a5e0a0076bdc61b8afab7194aee08a2fa

SHA256
976f80f83d6c72d998e83b7ff04e6ab6f45e3901264826a23749caadb16b2ac3

SHA512
cab1ee3194921adf783e5417595ab7101fdaae28d599fe5945c4b7400a55940f6c39ffb4ff181f705af7c18a625f947e5c4ab36be43aedab92796037224db3b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MMUg.exe

Filesize
110KB

MD5
3a14762c26c16292b26ef643f2af6277

SHA1
17019fc8ee3ed07b5b56df7233df3a4f5bd7f2fa

SHA256
3255a1099c8a46f7286b65171780eba10170c3f29995985c34f2e69cedea1edb

SHA512
b785532a2d5add52cb6aafc6bc250f9be83b66acfec9ad6d0d9ce24636e1f7aa06084d0edaf7ebf92a8df071120dfe1242921fed014e9c4ab6f9a30598c9e04b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MogM.exe

Filesize
238KB

MD5
2b0d2d8f05cc91cde3ac21d6af4e16f7

SHA1
6e51ed61a5ec387caec8ba1bbf1ae5161fe8eda6

SHA256
09a1075c66b26a0f01834223387a3207544d47cb3263668e580a85f168f29d93

SHA512
2672be4cd6ac8869caf887f76e754d425dd7e1ae09342a76a2bb896da1be9ebab7126292150900db489a7081cc7771fa7c2696210e43ca7dd753481e2866b42d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MwYa.exe

Filesize
414KB

MD5
47ff6f3fed5ccf37c0364bbd8492fc3c

SHA1
eadfde9689da4c369b74524a7abc8d5f3dcb795b

SHA256
58814327ad9757273bd0f829808a5f9859e1f20cdeb013bfe6fba9c7bfb11d42

SHA512
a6c4e5329c308bd6706c342726a44eb3becf9cd4003df610c36ad5de6f7f6fa09d234c6d996f27f123f71fc96b0782254a4bfd009570f7fde9fa824017f1023a

Download Submit
C:\Users\Admin\AppData\Local\Temp\OAUg.exe

Filesize
486KB

MD5
980cbc9bd295a7835e1cfbb8da6bfaf8

SHA1
14b72c0a53bbf20756a4b60308e2cdba6ecda0c3

SHA256
433d0e5910fc850b42c8e9604d1ffc0410e1b2d3de7a797cd0980351fa749f11

SHA512
0b6d1b602e47e6310476e08d014beebbe99fa056e89ec8788e29a63844c4a99731c61d10894bbbaba2327db840563ed8d69e8ceea88f87ff8b68c55578967c62

Download Submit
C:\Users\Admin\AppData\Local\Temp\OEEQ.exe

Filesize
743KB

MD5
6360805f41c63bc4693d5a5b3dab46b3

SHA1
e41986fde1837419dbe6b1c293735c9bccf39f63

SHA256
a380ce2c20018faa17e5848af18a8305a9003308016d29d370cb64e2ad596097

SHA512
df9713cf3ce0b3d23c289883aa996ef80a24f1ab0176161f84fbcba2b831eb518f40d4eb2f5fb0fbd8d5aed94b01281779446e732ddab57771b0c2ba88cb84bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\OEwK.exe

Filesize
557KB

MD5
3baa117c25549e37d3f26a1e210e0912

SHA1
0d22b5806b78eeb199e30dfb1e7da069c93c9c6c

SHA256
0dc558f031a111af09778281324d67d446971419ed37fa79e02f759e76a7f7e5

SHA512
28fbb3fc5ae8a06bd607470d0816232214c9cf53ad2bdc995a56520dbbf6b8c08e257aa2b4963ef6a0755b012c12331bc040d427771447a7b439c4ddd56d81ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\OMYo.exe

Filesize
115KB

MD5
b214f1c7948dd4e22656c0ae63f6019b

SHA1
97dc5998649a74fde418bd7f1d0d37135ec3a579

SHA256
48ef51f8d789b3d706eb9b97dcb31b533e41de45357d47f6f1dbc0ad6d4dfa03

SHA512
fa48c2f3850cb96515dd5a11602ac75cc5c7e0ae3b35dc716a10c96f36e973adfbad1e1c74675dee54e1489f88c7880c4d0bf9900b9461814653d8b9e98e7efb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Occo.exe

Filesize
140KB

MD5
49b825246764e360f16e90684f519953

SHA1
fe27443b59f8b66f6d33f08c7477b5322159c4f0

SHA256
47e6c5d06fa52cc51b781c76aa0f5b8518195784671543575b164822684283bc

SHA512
c792a29a5acc3c38ee90ff5fb82eaa69ed8074824ef624c017532364dfb8583b56c4acd1a8ed4202f4f8d2b3bc4bc4c43485d6ab429f8af2abcdd84cda8c0036

Download Submit
C:\Users\Admin\AppData\Local\Temp\OgIe.exe

Filesize
110KB

MD5
46bc1b2250cbc57f638ccd5ef9e37e15

SHA1
5a0cacda0fea1c39c00f54c8ad058c2df10d104a

SHA256
0b655a8287865113c47b17a1772e55fde2831b9dfdcc6baef971e900bf0f661c

SHA512
8d61c58f89d2c71a08194a0bc9a88ad02ab4c5c20a3e215b6b2a14bad85b827ea92fc222b49f91655de95cc8604a71b08af1504a12c75061c82072b30f892467

Download Submit
C:\Users\Admin\AppData\Local\Temp\Owge.exe

Filesize
140KB

MD5
c1f1b5c809098b8160bcd2b0fd619289

SHA1
2a9adeaeeb268d3758ba9a8df8ef157172c629ec

SHA256
d9ebf7cb4c8bce735e7d1c29f88fb825c7fc78043487bc37c6d9f2f327ff312a

SHA512
99423b8cb48dababceba7ea745493135e5c667cb0238fba1cfe274a04c0c165f317bb20034a69e5f45658eda8150b05ebd762750dff05d2d60741630d7115320

Download Submit
C:\Users\Admin\AppData\Local\Temp\QAck.exe

Filesize
115KB

MD5
735c986ba91903f13cdb5beb06da7c13

SHA1
ab4bc40c4ee130b0ca4ccea9ef376a6f9f4dcf4c

SHA256
17111f19be0a0f6f61d2499bf8a8ae8a26ff23b38def81339d43fea4080fa543

SHA512
3a333a8090459fb26bc00eef604091f94f19cc1385234d36214033c41dd22136a7ad593705fbd80378927961f09c4b29a2ef595c95fb930bf84d5bb010f7c99a

Download Submit
C:\Users\Admin\AppData\Local\Temp\QMIG.exe

Filesize
744KB

MD5
3a673b003558a1075e51a00aa0561018

SHA1
879e842ef5befd5f8008341617a2988c0369aed4

SHA256
e82d29953888cac8712bec471f113a51f20e426ada5d661258ba1c3ae525f62f

SHA512
37aca51005f17a44e0ba05489c96f5ae6427fe3cfdd36685b1836cd98cf87ed1caab1b899ebdf073197eb7ba12cdbf68d59f28e3677201dbe89f1353fe37909d

Download Submit
C:\Users\Admin\AppData\Local\Temp\QkYq.exe

Filesize
112KB

MD5
a0687ea7206567d3aad51c944b278309

SHA1
537960443e59e8509d90eb2d7bb4c283547db8aa

SHA256
292ae5bdaad0cd02050acfd2a4020d77bc7c1ad29fbaddc2fb6f268be875a2c7

SHA512
7a84e2f9b6b5b77a3afea07c9c3b3599ea291701306e0711501bb70974a1134acda0b8ba09ae5c84e2d44a89061794442c9da99b9d947d38116ad4f503280467

Download Submit
C:\Users\Admin\AppData\Local\Temp\QowK.exe

Filesize
383KB

MD5
79711c767ce771c0582461e15afffa01

SHA1
81112f1cdbcf2e3595970bc6944dc42d14779d0f

SHA256
5b73423b2b7fdf9e65683ab4783c1c6290034bb88edccf4edac0e6b6c7aa504b

SHA512
cbbc3cc923a29492cac6b22f5a196c990d5a5a7f48f623bff2658a025a769b34b6679411c8ea561cf229b3bb7297d45e7d45d8c9f6d8ebb2f165cc038524d2ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\SMYw.exe

Filesize
112KB

MD5
373eb0612fb0ffc6c20c2a16f8a6d097

SHA1
9cceb3932b61fea21de17ec11e409c09bfc66eb3

SHA256
2a47ea1eda936806a45e0ddd38491b3a35999eff9944aa74a1800f400c793e76

SHA512
7f88448ee92697589828264a3d1aa2afa5c0cdd66a0179f8dfc4284cc968f6f8a269b64cab73152c2d8bc9a8f2cf736e281ca43fe6edb009438185ef197d3ab7

Download Submit
C:\Users\Admin\AppData\Local\Temp\SMki.exe

Filesize
110KB

MD5
ecd3cc64abbce664ce73e2ef16df85d1

SHA1
6fcdb4f4b4cc3f935c88f39a70ab24e8a5a35e61

SHA256
fd016906c7088be5b9566e21f4fcdbdc6034d47352a9a6e695e2f7d6e5d14360

SHA512
cddf39c4dfbb5092b79be8300564dc822c30a509f6cd240e675b80bcd0ada71b9a5a753b1ad0dbe89d05fc0d564bac74b19f70b6b9217459e22cca5bc84045de

Download Submit
C:\Users\Admin\AppData\Local\Temp\SgEc.exe

Filesize
5.8MB

MD5
4a2e350cb154d3dbffcf0825dc991e73

SHA1
9aff4081b7df840fa0de19f8423ff35efcb28ef5

SHA256
8f0bc734eaa075be4756fba4e83b9affcdc321643d6635cee1cd7e5b9a7c1bb5

SHA512
7151e6538f789cbdca13141572d846fb26a4e2a328901233fd33dfe9e631bb1005aa07773f6c5df6938f8837e64f56c8a307bbe58f992abc95a41fdb9b3e8cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\SgYY.exe

Filesize
112KB

MD5
be99f0dc7d66382f9ef8b5a1b15d8f63

SHA1
cc38c57292e4645d24ef238fb07603fd71a7ae62

SHA256
d7f4f8d9c776f1ae14e1a519c048609b28678f9e2622eca844ff684c42da72ca

SHA512
b96426a77383e1108dc336e9d426c10c0aadccf9aa32d9d47de5246ea2cbd8f2671f61e5985e8389a605167b60adba674f0ed6dd4ebedd6f67931cf9912fd14d

Download Submit
C:\Users\Admin\AppData\Local\Temp\SoIU.exe

Filesize
114KB

MD5
bfa28dd39a4b2426cc6fc433b5747b95

SHA1
713357c2f6fd752ca8848ac8f9e08ba07b786762

SHA256
e8930de482cf32da3c9b5d2e3d0a756ceccf17e0afbe1acfc87cb14c1702eb7a

SHA512
bdbb9da3fbfa1a13bbe740ca52566e55c4033f6d5b3ac448b6ad9a083ce220132391fb39f4d69b172017c476ef7ef84c8896f8ec543aae12bd8344bb8da53109

Download Submit
C:\Users\Admin\AppData\Local\Temp\Swwm.exe

Filesize
112KB

MD5
f7372e2546032fb404d14f7b46280200

SHA1
480892eb50fa281523e35d824b3396ccc23d41c4

SHA256
12f9d072eabae56b6b66e2bdbf03cc8e155708719636705faf2582dcae9ee087

SHA512
478aa4ab24b475cecf2c00f8c07ad4daa0be6468023505631fea63f4cda5342cd93622afa7a142253d136ca41a9ff2d9fadce71ff7ca85062b9d683c54371b4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\UQMk.exe

Filesize
284KB

MD5
1ae73a4ae1f1097a8022a24b1068b7c7

SHA1
065a26b702c6684339d29e6286153e891536ca8a

SHA256
56c5fafcdb47e4d87e906ff0f5af58b90187c40e2006651da912c54c6528b6e8

SHA512
24e44fb31ec841b21ca1f5fd1ee31a6050ce297e831555394caec1bd6b9f07b75e9d6210bba3c11850365d50fe276addbc1f8c1ad9b4e3d94837be76f12c065b

Download Submit
C:\Users\Admin\AppData\Local\Temp\UcQE.exe

Filesize
115KB

MD5
1bb06fd31c058ad38d652ca9827d60c0

SHA1
47b1d83e94387461b7782d8b12f431af6ecec21e

SHA256
fbdf8c200f026ee5a0f2f8d6ef41a4c72158a65dde946dcd15d050c410b34221

SHA512
f487293d68076ff4d1e5229d7724d608ca38d4289be4ec3c55aeb80f2e76834e9ef3d68c0c3cca024f01419578f887821c5f56f63c4314e51780864351b7854d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ucks.exe

Filesize
237KB

MD5
7f2b624871b931ac6fb36b7852331e83

SHA1
0485abc3d3318276c697e7d1ea32bf99e226ae19

SHA256
afa72d6eed58615e6360c23c1f850ce68e68ed2971b3c7c68fb2c78595cbd69c

SHA512
93363859cc7f28e4b59e9fed8700b83dc678464b86923d3be40e9dcdf07ea433a5d5c04616b18598384202400ec056a5b3bd441978e63bb005c90c4a483ac3ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\WMAS.exe

Filesize
308KB

MD5
33abb58767050bdd50191ce34cac8466

SHA1
744ff521e1fb6608772da0727c6cbf0c2131c775

SHA256
8545c1e4359b9b65e465bae29ef306c8810c1d5162232db0947c058d32235274

SHA512
bd6fb79cbef53a1b802c0b5af44d5aa191c47985f3ec9c23ad74dbc0108e91dfd70e47bdedbd27cc140e06337a4d45ba743583013d2590f45ac501130961b485

Download Submit
C:\Users\Admin\AppData\Local\Temp\YEUa.exe

Filesize
112KB

MD5
a9bec2a59bed0de3659deb42aed08d61

SHA1
5c98cf051c232425af60cd3ee4e06d116dab56e1

SHA256
12c9d0a277131415e3c7ccb23b05b4a717ab83781c0b86f44da08ad007dbb07e

SHA512
147d55660d733fddc9cc3fd302e03cad7bde26e99b05a4207ef5232bc4051c5a38e52ae397b72b6a72e7c70f5b9db502e7d25b66e00f7a62941706b9b7b72644

Download Submit
C:\Users\Admin\AppData\Local\Temp\YYEs.exe

Filesize
557KB

MD5
a767b57e83309bde486d2ebca83c8378

SHA1
ee389b2a5223d8f3758af49c6e0195a08811a271

SHA256
14bbad39aa233da91a012226d9c13fc04a12480529520c819a724458d74c6ae5

SHA512
b330d7669f0e3b316f45396ba237317407da993fd91c6960be3e05aca10f275dd121b528b69be656f458d21b79051d913f26e289d7135073659292650b14bf1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\YYQY.exe

Filesize
115KB

MD5
fa32c327c8c7ec2ad280b363b1c4ac51

SHA1
7ec61a7f786f67bb78a466af75b33ea3db9e536a

SHA256
e04e4a9fb00611e8b14574bc4cb46d8648627592e91b9a1a6a45003be54d2f5c

SHA512
731f95ef5649c1746fe682ef66d3a5d570a1df4f66315d985dcaa84daff376db45708365b6edb7a572603cfa11463f4b88fa7ce3221f414db8fe425f2f31b3e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\YsMk.exe

Filesize
5.8MB

MD5
d5b37caf12ec6c786aa68a8c09cdf6d0

SHA1
15f4cd08e8df306eba8b3c22ae4a5deb5f3ba642

SHA256
30e4536cad71fc2870c8a38fe36a1c5c3aae0dc7b12b41ffdd02b0924e12c6bf

SHA512
f5f101ec9f73365ae2d6a6e6b13ff2690b11aa65642638b8ff394d82f8534fd41c66f3af27458b0f2c8247e01e93ffdbf4a1c34a8d514d78a61299491e669777

Download Submit
C:\Users\Admin\AppData\Local\Temp\aAku.ico

Filesize
4KB

MD5
6edd371bd7a23ec01c6a00d53f8723d1

SHA1
7b649ce267a19686d2d07a6c3ee2ca852a549ee6

SHA256
0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7

SHA512
65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\aMQY.exe

Filesize
349KB

MD5
08c069fc8cf44811eb90c82526b62a45

SHA1
fea16c0b5501fdb513c97ea175135b8851868c4e

SHA256
29fb984f462756155fc3030854beb68c5b04d4ced96833796762867759431ac8

SHA512
d6f478bd2b9e0077f568f22de5eadaa5e0e169b7f2abc2443331b004bba5a78ecb99a2ed8ea6d7c0a5dc9728a80809d7376d85abb37bb415114c9bd8e08177a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\aMYS.ico

Filesize
4KB

MD5
d07076334c046eb9c4fdf5ec067b2f99

SHA1
5d411403fed6aec47f892c4eaa1bafcde56c4ea9

SHA256
a3bab202df49acbe84fbe663b6403ed3a44f5fc963fd99081e3f769db6cecc86

SHA512
2315de6a3b973fdf0c4b4e88217cc5df6efac0c672525ea96d64abf1e6ea22d7f27a89828863c1546eec999e04c80c4177b440ad0505b218092c40cee0e2f2bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\aQIu.exe

Filesize
286KB

MD5
507fa948d876279a95e729340463eb14

SHA1
cd44a192614456edbad1c99c0c42bcdd4c0961aa

SHA256
592575c3edcb6b8aa41203809a4ad467b471c6ac0831e8fc997cdd3fe59fae77

SHA512
285b35f78bb52d48a59aa7a20f411b405ebbbfcebdea6092b55c0c925291e5615609b662535a94f7d08e6de79754c95450a022201cbb6782eb2c3ed077622c4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\aoQi.exe

Filesize
111KB

MD5
379f4231720a1250d5355244f0f9f58d

SHA1
bbdb02511cfbec79c563d01700fbc4a89087aafa

SHA256
60faadd92d73c5224d210ba69653a6ae05871c86dac6397097587adf06d6f4cb

SHA512
de7213ddd082bc9eb660e426b22056187e19cf039f6f0f0cc5fb44ae1e720db629f9901720a7aace149b834e0477112359d702c346f0d9e586d4c7c68c0e0d9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ascw.exe

Filesize
699KB

MD5
2164bbaacd6c2ebed6cc81f73b073f09

SHA1
952e68077eef44e720f12ce7a497a18ca348a5e7

SHA256
8ca63fbdbc0f4a3deca7d16c8589b716af5c4a2bd247059b924ec62c4d39a919

SHA512
59494fffecb5ef7fa35b46d134eb6bad892712b5b7b61fe91e3ff72ea704528c60abf8fdc6f0962a8ea4af9e7d395de2ebf0579e02b50e958ae0bd4c93fdee3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\awgi.ico

Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\cEEG.exe

Filesize
139KB

MD5
1df90c930ba6576382a61cfbd1fa01e0

SHA1
c276f9d4e3a78d50885a444ae2c63c5694eb569f

SHA256
192c1d6afdd07834c085250f24952ca21189ed3acabac34e23f91abfaa0a287c

SHA512
d9f87a058ce4f84f23dfe9d6e792acb3bf1f695ebaffedb2bff497947a79fbe49d7e7d825417667c19039060f1e289d427750037a999fa9587e98f711e2321c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\cIou.exe

Filesize
720KB

MD5
c9acdc66113fc8881c446f6a51e8af03

SHA1
1ff1c70f04f84d519f47c7985c81cb6f4d89aac2

SHA256
7c212f50d6ecfc73f39e40eac337fd4e3052ada6efa524e7739dc402ca4b0d7d

SHA512
828f65bef34238433b5079ccf8f85a70e0bbec01beab0a3d4b3a360a2d1dd0e23199f4b0255c5e868eebf21ba3bf4d8bfbea27af33e653b8cd348e15e208696a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cggE.exe

Filesize
112KB

MD5
44315c85d823aaa6e3d1246a21f150e9

SHA1
7a394266954439d258f156ddfb105246a0937bde

SHA256
5e0549979ac45df15ec3f0baa35c6bf3c0bd00f597e51ed5fa7a40dfa322496e

SHA512
dbcbaf08fe932c7f474e4e277adcf55fc0cd2fea7c9c0f195962f1583539e5d42bb2401f91b76af9fe8bf901db01bbb4bdd0c19dd6be383fd0bea04941254aa8

Download Submit
C:\Users\Admin\AppData\Local\Temp\eIUA.exe

Filesize
152KB

MD5
9a1b3d68a9ccaa2ff239223ed995816a

SHA1
824f2a8fa7956295d4278c6f4d3cd87ce1ab2386

SHA256
71cf946b64b42847402e12b580877f6d22749c8cfc534c12e2425848e8e5ac39

SHA512
d771608027b3ec722bd5e6c82e39a03df669af555cad078fed5ac68f914a3094d08f39fbc59c1d56828757bc796321bcae3c4e7c5f989d35f20947ef9b4041db

Download Submit
C:\Users\Admin\AppData\Local\Temp\eIsm.exe

Filesize
109KB

MD5
d755b362eab40a46d3703b28f4190b40

SHA1
8e7c4aa09c012ad958a06ed59fae8c5ca0bf3cab

SHA256
234c3cde6d1982fa1271daad019c07c38d31e9cf928957e85eddb46f0153f43d

SHA512
79807e2fc7c087ff7b1780626fcc86096d0982ab5e7e1eea9181f3bb5b1245b5551bf9d785ba4eada903c82875bf92682c0d77230da1daff5c70c183f6c3a780

Download Submit
C:\Users\Admin\AppData\Local\Temp\eIsw.exe

Filesize
566KB

MD5
001ca496db26cead9a0f71f776eabcb0

SHA1
514b7916e0eb003d6a93476c7b8e2eb22a77775f

SHA256
43422c7500c504eeb2f4958eb9d9bf04793ce0ddac9e17427a10d92153b15f68

SHA512
0a619e8ed98b11d5a493343a7c2db0c69fd32a993dc48e78ee1d8c973819a0b0e8c21bb2e5d08e11c6fbe54b00d21f74c0b1d75d140cacb21d550b1636057067

Download Submit
C:\Users\Admin\AppData\Local\Temp\eUAq.exe

Filesize
112KB

MD5
c09afaac3b3c07af1bf7e943a67cfafb

SHA1
9c2299bfde0a43833e518e6261a71f83af4178c7

SHA256
29e13eaf06ecf5ad7b4ab041cfef3ed92033f6f735908cde31b99ccb6fbce5a9

SHA512
b04c277b3a744e44354fffefcd9247bbcc6a38bd749015eb3fdd9b73e64b44988fbd722a3e9d83aa524e3ba8b46a3248f88d6a5260e93e1007de0a34b2ec708c

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gkoo.exe

Filesize
451KB

MD5
53c602f4bf34e4cee45d83fe170bdaed

SHA1
e3676716adb476a79e777a0eab5c5e7e623f6066

SHA256
b50cda3e01e650450c6e487c4f8ca7965b1d42227c563f6cee520ff09b4c4539

SHA512
e189e5d567358de4ba02fd7ecaaf007d5dea56710cc75ab0d4dfbcc7688968d2869f7096ae618f777a067dbbef4cdbe990cf4621ed280529e55a934d8587d88f

Download Submit
C:\Users\Admin\AppData\Local\Temp\iMQQ.exe

Filesize
519KB

MD5
7708788132ca9e269ed96a51ccb691a9

SHA1
df0fa73f74f79790cf0a07ecf5412b4be7f95d37

SHA256
0d3a45c272a09dcb2be2a77b2036c36874e006e327ede749b1c59f6a4e8a2f03

SHA512
d04fed8ae349fd1cb42189422966e73828962185104acd03c57a8e69250f3758df8374bdffc9be53d0025f2fc89ccbd3549dc77dd7e08dd0dde37764b11b92ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\iYoo.exe

Filesize
151KB

MD5
0506c84c5e9d188861989681a5e3d932

SHA1
939645a8f99bd1f4ce92d3d693390d14f4b2da8b

SHA256
63a1e85a9dd66f2772f79c151cf5e477831500ebbb18b430b82a0175a9b6ede1

SHA512
24f64d865463cc1166debfc3a3595dbd6faf50dd4d1c185939fbc1aa7094a74ae1e09f289aaae2ddeed6e7cff9b4e05025a38edd77d344f69022db7e9bde87ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\igwy.exe

Filesize
554KB

MD5
e5ba19fa0a72e3b4366b345b0be41dda

SHA1
7b73f2f3309b7cd712c33b398e899ad5c1be01eb

SHA256
344e5bc1865b2e209623d18b0f9574bb71b866cd11ad5d4a01064f96c58b858e

SHA512
6abb32329d4b8abffc90e88a0a4eb1fab529618eb3bb94a1c4a8460baae52d9feb6f85db785e547e8ddadf1b193ab137ab0c127b1b81a9fe834e193f2bd9b30e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ikME.exe

Filesize
114KB

MD5
acacf16529b45848cac4fafc9d1bd1b9

SHA1
57bafa47e47109c69bba555d353af3c0a1c124b8

SHA256
0ac56bf96714b20562d1a06d6c7ba62e5451a95203eb4c68cdb2acfb87c15139

SHA512
673a87e093864ff7f4bd93cb075537f57dfacd7a59b26347c9d8bc6ae02695b64974de4f783997ec66ea08bbcb0a65cc883a1610e93e99fcb373f9ed2d3307ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\isEQ.exe

Filesize
111KB

MD5
8b02e145870ecc40fd7e9bbacdb58b9c

SHA1
f3e89e69be1d430a5d5ffb11d6bf60605942d344

SHA256
ad414b42056e89f92e58f85420d5cd6036f5893fb0b09dae0e19b731cc78b935

SHA512
b0c94dcf6199dd38ed252bd7c5946c36fde2dcaff78a58f18f95aa06cec9cc4eb48552e7f22fb2267b9216d2d2d888d8513c37fc208ebb8e41f7627997b15318

Download Submit
C:\Users\Admin\AppData\Local\Temp\kMMw.exe

Filesize
114KB

MD5
c98b1ef88e2d68ff1665e49ac4b42bf3

SHA1
6be65bf4dace9d45b1d912651f13176ab54189c5

SHA256
6d013c64a81c4795770a4578378b01d2c9bac5c8db2ed0630b24d9cf83569514

SHA512
2be79dff36ce1c814a00dc16e0b02c121a8c76c0a8c5de6e3db8b284d2324911362f5a87cf442aa944f28c6137a0ff916dd8b2d49f30bcc5177af4959e9b5990

Download Submit
C:\Users\Admin\AppData\Local\Temp\kUkG.exe

Filesize
110KB

MD5
a49e00d303fa1fe8f50b6ab81e7452cc

SHA1
601c10d2dfee86d5b295bd3e0f62eb90dc94486f

SHA256
69b2bb8ef2c4df65cdb2705594173a740ec0b9bf16edc103ec996dccfd5d940f

SHA512
21dd6d619c600afaf7e7460cc07a3b2dbcd04c38cb3b1443cbd89df7151cb114b6d9f2d41e54e41dbacdf04944a3b0def4ae21286deefc4e2bd3c24110544ab2

Download Submit
C:\Users\Admin\AppData\Local\Temp\kYwu.exe

Filesize
112KB

MD5
45e6fffdd8ab31dffa04215e639828da

SHA1
42c7d9818ecb190873f77908d87385c7ca390be4

SHA256
0135eee18bfe8116ea69411ee8ea462d14d8d1219f211d12347e55a4fb33b0ee

SHA512
c75fa360f626d960941d72a63dc393f990a0be435128674a3f8412ef858d6021805055ca8591a1c9965c57f39895f4e457c72e54e9c347d05637fbdda9f1384d

Download Submit
C:\Users\Admin\AppData\Local\Temp\kgos.exe

Filesize
241KB

MD5
8b5abac0cd6858db51818bb38ccb2124

SHA1
b4bfb56ccaf45a185352abc4fe53749b2dde6349

SHA256
0f6dbda0475ce4d2c69a1340fe94d614212e48b623c5638cece004eaff3d31db

SHA512
bfd992cc4a9b32a52c46420b1565681c42f8615b973405bce2b00daf013f2adf01d388b64b05db68372ce0daf3f3dce990d9d1f2dca84252d401a24989adef5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\kkgg.exe

Filesize
113KB

MD5
ee91bd4558a998984b71b0551032f044

SHA1
008e30e7eeb5af2adbee84a5b8d9d27152442204

SHA256
13ec3d1f4015d4dc8b880db11efb165a347358431590a9b0373a1416f4530987

SHA512
b0c68131dbc2518f35bbb8a483477e1e82d3a26e8b5b36819e3fe2dbe9904007c6a486a6bd164cabe0a6d024bd6c1822ffe93af2e91e2981f127424135c86ffe

Download Submit
C:\Users\Admin\AppData\Local\Temp\mQMS.exe

Filesize
110KB

MD5
04272a6f63689550e4f71ac08ecdc35a

SHA1
201385b0b07fb977fbd59157a790f382a3987e71

SHA256
0b9d757930c0c3de81f30c1ee2469438d8ca4e6e46e01729a4ae70348eb1d675

SHA512
e55c3c2cdb89b816494d08bf461c1be7e53d95af69fdeb971e39ee255309cba1ac754c7c2464a305573e89a548e6468930658ecd8148afa1c7cfe17b15d80b9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\oAEq.exe

Filesize
111KB

MD5
183160213b31586a6d6cb268cc57d926

SHA1
52ef784b94e76c0179a41075bfda9ef03c5142ef

SHA256
2cf6de898fc7001cccb9bd499436c1abf28b23f56f57c7ea282a57fba5600ba2

SHA512
305f750014d1578d4a89e9f293e11e57f9ee72fcfb1953d99e51ed67725b2d47e6198260a85692eb1a7c9c0e0841f6a37a5a6f805f1162e399fe7bc9555734e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\oMAk.exe

Filesize
120KB

MD5
db0124fecc36718298f64dec60315fd5

SHA1
c3d366116874365f25e85ab79551308a495f8e9a

SHA256
3584bf5ccd25133118b6da528710b0467c00ae92c638de1bd27a0225fad45a7f

SHA512
a8a133b02b73b34abd3652e12405e243adfca872058d2977faf51e669eee6bf81eed186bcca8d3e48a37b2b3ffbb933df982e2a317fbb1b95ba8d4fe40398d9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\oMEw.exe

Filesize
566KB

MD5
41051832d1b527718defa5b9cdeff587

SHA1
7b341e99245f96a6eeda6d3194de277c07fa4bc6

SHA256
cb21496031f6f89f1840cb3de8bf51f64c7abc64f61b3d1e0565229171f7a3f2

SHA512
4f8a3ca5872e69d8d7b96faacf25d01779df597fbc3f3f616168230b6962a502ef815cbc038cc8ca89746753050b1e7a3f1f9e4240efb291e6ce37dcb48b38bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\oMQi.exe

Filesize
113KB

MD5
16ed663cd982cacaf2ba5243e537acc5

SHA1
9b416135eb2fb69d5750b294466723b2a3fb167e

SHA256
85d4c541a4bb2e2b5ed4135db9f819bc7f1536c1c88b2d1ae4ccd936bd996e94

SHA512
fe3eefe4b6abf6063d5393068180fc92beb1e2ebbf0bb6513274b8f30bb64e81f31232f12a274b8d7ec96c2601633121357274c611d434abfff24e406bf507e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ogMq.exe

Filesize
119KB

MD5
6ab77da06d4380f6777cf519903b1b86

SHA1
43756bdc3728c8f0941f08d4681d91bd108576a4

SHA256
1e6e2bd3a62f00d97e1c56b3f55783b1c5d0e2fb29f1e9a4b97330b732359b15

SHA512
8904f9d283a2854aab9d694aaa4f4e3ab384983f4e0d7428080d9e917d18f45877f24f2403624ed7dbedac1e8fa3bae1c9eb72f201d61c0f5ec3b1ac34f0f7f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ogcS.exe

Filesize
112KB

MD5
b3b83783c901f629cdea0390dbc03036

SHA1
7d41645c9d7484e7fc77515980b256aff6fa2d02

SHA256
b00f40a40f54ee8cdc7613edef44e11301a093bcebb3806730608ce2161c732f

SHA512
51b7a3259be5249c1ede527dd194fc3b757f47f145fcbd091701990ef9a4cc8dac1e57469f417842d5c5d7816387fe47f0a31fa027c6b92d60a21207fc8a828e

Download Submit
C:\Users\Admin\AppData\Local\Temp\osow.ico

Filesize
4KB

MD5
ace522945d3d0ff3b6d96abef56e1427

SHA1
d71140c9657fd1b0d6e4ab8484b6cfe544616201

SHA256
daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd

SHA512
8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e

Download Submit
C:\Users\Admin\AppData\Local\Temp\owwq.exe

Filesize
119KB

MD5
74e3ead5246174b40a92fa1c24d27344

SHA1
0c543fe22f50a6b4793cafc3dd5ad8a5096d92c6

SHA256
81cda88a1323403dd78cca7a319dcffb79ea3cb45ae17c7bbe8ed5227a5e23ce

SHA512
3b6704e62fd8ad494ecd9234fc19778315eb3dda18c121327d70e84477a5fbf323b026b5807b3aa370c2bf7d4bfa1fd7084a2ebc7a7c1a35f08f58d6a2930ece

Download Submit
C:\Users\Admin\AppData\Local\Temp\qUMu.exe

Filesize
1.7MB

MD5
f24860155690a7593fc8ddb0b61ce298

SHA1
62d055ae84663fc7ed45888e9d65a63cef7f7868

SHA256
3065fa8114b5a25929005524b37b09ebae13ea6141123aac456fd7a4b3820dcf

SHA512
02b217fe1a038e8f3b606724a6a8c8ad703ec3cd63d539cb99abf8eb60a67a15eff3bc4ab0c2a98686c14db034183956b811256135c0ea87c8893d1fa61aea56

Download Submit
C:\Users\Admin\AppData\Local\Temp\qUwA.exe

Filesize
120KB

MD5
77d8141dfe25a0c9ef3fbdb6fe827e90

SHA1
3452bf2b6af622d479e15b47cda4ac3d0f5d04ea

SHA256
aa3a70132857823f044667c70e4d28393bd55bd503f242612bac7ef1335d30bd

SHA512
389db3e3a80a07d6e74b1e4030f2518e07a11dd7ef4752c48bb50498457d8368a66e0af25e191a55ebfdd4f2ccc985d0f650ee90bc580f08212892148d9d6893

Download Submit
C:\Users\Admin\AppData\Local\Temp\qYEo.exe

Filesize
114KB

MD5
a7c9249ee7932d4faf2923a124e10977

SHA1
f28ecda8a3c9a1c162540ec2b2b454383e07e172

SHA256
ea423195cddef3e850feab65cfbc0de81ccfa3faeb505d4d396a5b068582b533

SHA512
7155220ffa26d3433eb962c22f2ea3f2f3472455fc58805cbfb171aa88326fecf2b91459dba4124d60450b52131341a8269556ea857a30ff92343e2c4fcab5bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\qcEO.exe

Filesize
116KB

MD5
9a799d576f5f6b71e8983b2a72929613

SHA1
0558dda2a78dfd1dadc1458744b1ad7e04d96c98

SHA256
20eea4d55ddddcccdfbf6d03c3498900c8ca88e1b1cfa821fdb40957d2bbfb28

SHA512
ab0b59a0194579735aa0bc8cf450b47907ec44ce15053a91266f7cbb22f89c27a872b4eb43c4dca96b1d3f874b5e70b97c4dde83319a452c8574622d2703635b

Download Submit
C:\Users\Admin\AppData\Local\Temp\qcUg.exe

Filesize
114KB

MD5
74dd6ab2266b62d61c0d1abb2dd7acf8

SHA1
ce34929ad4d1099e043a10ab0ce89c3af3908f79

SHA256
e693d1b194dc98ecaf06d70383628dd399d2de8837f1f6465b60e84ba23cd9c4

SHA512
35d9c3dc304a313dbc2ba758b39b16b9149dc96eec7680514bdcb4f41708f36eac349c324fef4784f1c3bb5a0045c3aa946f9ce45d542ff517c3b42ee6e72cb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\scYm.exe

Filesize
496KB

MD5
32a5b2085e73d8b4dda522e5e31fe487

SHA1
cc98970556ab9479e09c6e649d1b683a944ba24b

SHA256
7627ab386367c9e9c7df0345f2c7e99c3e02dad72c84ad4ea0441867095f9197

SHA512
d118ba15ce2f9f9b2137256a848f650fe661fd1368f3fc7abfb4fd7291f02e2ee9e530d85b99452f97453eb3f0f6b5efc4f08f7e361da6192a525b2beb6f7b02

Download Submit
C:\Users\Admin\AppData\Local\Temp\sgQY.exe

Filesize
113KB

MD5
90f068f0b4c26290947d089832734725

SHA1
c4c7e90dd90a02225c3bfe0183e78acaeaf9ffd9

SHA256
9d4c14d01b333766aae053a9098d3af2afd92aa7c78e752d40bb4fcc12c90314

SHA512
341b9216361b8ab7a2a731fbd13430e4ad86585dc4a4a1280f1d08fe54aca4a73fd74c0c27171990140a2595b0be1b78a208970c702d7af7e5cb078e00fbdaf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\uYAE.exe

Filesize
111KB

MD5
4d23199e18105a29eb234c5bb1bc0448

SHA1
cc0b4a7d4789943238141226894b48257f2f3620

SHA256
a20fcd641b33088a9f53f8a348f1fddcc6f7096e86ed035431ac79239b17f8ab

SHA512
da1e623b9d8c3ca66d0c06ec954743fcfa09cff7cbb82e055729d285c8c3bbd848ec6f2ecfad2faa044eae5859133b1313d646088e8156298e9578de8dbedff9

Download Submit
C:\Users\Admin\AppData\Local\Temp\wAsi.exe

Filesize
118KB

MD5
014ea3b5cbccfcc3ea1880cfe23a3b1d

SHA1
bc36d8cc8d43a04aa940671ece57edbca29f781d

SHA256
38341bd72ef604ba194a1ccc1f24bce1881536a13f244598fdbf1c9a80baa97c

SHA512
c58b111c7778e7e98ffac7646801babfb74101de08b352b97ee0f54187a4292f0e082706d2640784ad41e0fb09e80d11a0a1c9d920098561df73f9391e4c6642

Download Submit
C:\Users\Admin\AppData\Local\Temp\wEQS.exe

Filesize
117KB

MD5
64163e31b85c1beed2f6c80b8819616a

SHA1
2532a0ddce4d3a48c9ddb98a0f69d5de872fe413

SHA256
fee3e583b17292bc6650b7ba8f87ac8e739c2aa2cb5e885952e0797ee2a62c1d

SHA512
a029d2fb65256e420efb7fa25f7a521355143cfb63dd475b04bf712d19324c346dcf333ebfcebc30848c8685202d2b99e9fe1290dd46b7f6628fa8da5ceff5b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\wQYO.exe

Filesize
5.8MB

MD5
92dc9af24939e11db4fe159ec9d7afb3

SHA1
35e1abfb945b310e9817babfac0d3789c23187ce

SHA256
21c349d445215890c7e2be815249e40eb35bb9cbc22906ab580c8ca0e037e0e8

SHA512
19a12f169e979069f759f69a48417920600d3d46e0d035593d9b6447d32373aeb52b474368bb66cb27bc00fca02e7879440854f316b7016a148d585f9e373101

Download Submit
C:\Users\Admin\AppData\Local\Temp\wkII.exe

Filesize
5.8MB

MD5
16980a279936a2bdeb3fb1bdd6a89f8e

SHA1
c74f8468b37c5531b0ef0c9a5805290e6fd83de1

SHA256
e40aff7859fac3910da463e12abe07ea5947f2e73a2844ad8d2cc65a74463822

SHA512
364468c5ef3945e601bcecb847c62d0de51d2a5050d13ee5d0e9b15aa31e73820fa41b5b9d6fc332f8467c27cbef83c6a3f65ac4f3a348557870b62776b257ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\wosM.ico

Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\AppData\Local\Temp\yAEw.exe

Filesize
113KB

MD5
4ca1c19e552a912908b7e16b419dbed1

SHA1
4bdf90a16a2890f0a023f7acf52130167cf7bacd

SHA256
8fbaac347d0189929ab15b5dcd491dc8cffbbe5ff4fc92dcd27df9a3783eb255

SHA512
05ab0e93a9cc7070f7e9a3002ebe1dd74f7806a6c04652e138beb5630ec4667e8a0a30b66eb7f2972c58f7f120ce7487299f5e10ea309ecc79c6a323a5017464

Download Submit
C:\Users\Admin\AppData\Local\Temp\ysEK.exe

Filesize
111KB

MD5
be1694a3a20d53cf7dbad64160f756aa

SHA1
f491f1f942011ab72eb512b98982c7ddf2f53fab

SHA256
91820d2f42c3fe0d802771943e809d4d0b55930856eff6cb036e7fc5abfcb8a3

SHA512
6411623dd171c0852ceff6b59e12a1ae2babe5b424697d629c0d0ce6a8d88363fca22a522898a01fee77002e705c06fb6f74bc4f1a770419c1a42ae7ab661a36

Download Submit
C:\Users\Admin\AppData\Roaming\ResumeInvoke.wma.exe

Filesize
376KB

MD5
c40d318020cf9516cd6f299bf6986af9

SHA1
8f44f2cd596fdcd8c3384c09a4d0a921096c272c

SHA256
10dfa6499f49387239c0c1976957d6fb36dfe88634d3f61a1bbe24f9e3de3e43

SHA512
eb3fde1195551007183b473bd156973cf85e316896ac952aab87aaf722efedba36448d53d90690579d8a916ca87b068ac301738796933e31e22e67669b47c70f

Download Submit
C:\Users\Admin\Music\RepairAdd.ppt.exe

Filesize
745KB

MD5
3828e195ce28332b97b5683377740384

SHA1
a2278ef99a7ef22a5ffb07937c98c6b76fca61e2

SHA256
ab87d90648866c418705b952abfe79ba3b5f1c984fe31f59075cdc045c01747b

SHA512
785456729669dd4dbd801610b41042985b66bc0f205957753549c7edafca7d983f3665ea64f9c7d0fd13f5c954d8a757db86e0051badc5d6e40529e5ce14a3e9

Download Submit
C:\Users\Admin\Pictures\MountUpdate.gif.exe

Filesize
355KB

MD5
de60b88f47fd7547482736f68873c14e

SHA1
dd17716d0433e63ee27ce64dc18f9b37818db0c0

SHA256
fcf59759525f7eece9075e6d07d53858a5959e1a9df3d1b935c435c2887da775

SHA512
27c21fa0b3ec72946cc061ef51c9176ae0b59ff7672e6938e9e4762d9c6ad34ecb5f9b90d72e46921891e1e41559c9afa5e7339fab3a661dd995ce45cc17b3e6

Download Submit
C:\Users\Admin\gmIMIoAc\yewowoos.exe

Filesize
110KB

MD5
de51d96354c669b36d512275c5c375ac

SHA1
3f2089c9c530cbdb6673058344aa66eb3fa39aaf

SHA256
52cead433bf318acc6aed2291ebafed0d5bcefd81e0055d7b4e17380fd46e0ec

SHA512
d0b809d932f79e9a6b47840c13a952c4dcf91c76cfdb94a516639ba73f8ff860b80f8d963b1231120cbc30bd226ca8bc381d6968a8927946908ba45348f05a21

Download Submit
memory/112-56-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/112-40-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/400-514-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/452-505-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/452-493-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/844-136-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/844-151-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/872-460-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/872-469-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1156-187-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1156-172-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1332-353-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1332-340-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1800-362-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1800-349-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1904-235-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1904-219-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1916-257-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2144-406-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2144-399-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2540-434-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2540-422-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2540-104-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2540-88-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2620-128-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2620-112-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2672-207-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2672-223-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2684-452-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2684-317-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2684-442-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2728-301-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2728-289-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2872-461-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2872-451-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2880-163-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2956-195-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2956-211-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2972-416-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2972-425-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3004-266-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3012-12-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/3064-80-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3064-64-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3100-322-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3100-140-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3100-335-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3100-124-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3140-511-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3192-20-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3192-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3448-15-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3508-344-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3508-309-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3508-331-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3660-293-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3660-280-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3816-358-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3816-371-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3920-19-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3920-76-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3920-92-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3920-32-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3948-162-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3948-175-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4044-28-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4044-44-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4076-376-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4076-389-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4128-116-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4128-100-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4136-397-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4136-386-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4220-68-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4220-55-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4224-183-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4224-199-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4388-326-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4520-433-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4520-443-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4520-470-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4520-478-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4568-262-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4568-275-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4616-480-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4616-487-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4712-367-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4712-380-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4716-489-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4716-497-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4716-246-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4716-231-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4724-415-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4724-407-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5048-284-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5048-271-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download