03f50d864618096cc19ef8df4b5a186b375c43f35af9d0d057af7e582643df33

Analysis

max time kernel
150s
max time network
112s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
28/05/2024, 06:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
Size

261KB
MD5

730f81a158df05a5a8848d7aa177385a
SHA1

824506c3494072bdafc50548effd5358baab726d
SHA256

03f50d864618096cc19ef8df4b5a186b375c43f35af9d0d057af7e582643df33
SHA512

28c2f1c379681ea98469b7638baf60eca8c8f67137d0cda102ee34d0972ff981925f61dfd40b0099c9c240b9b547f01b8919fed6ebb54172a4670902730abd01
SSDEEP

6144:1T65NEgLW57pgao9kyEyRm7yxvQrRm49dGjmhnxID6Q:tG+gLW57pgaoWySOxkm4DKmhniDZ

Score

10^/10

evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (70) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	dCQsgskw.exe

Executes dropped EXE 2 IoCs

pid	Process
3224	dCQsgskw.exe
1608	LGQgwcgQ.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dCQsgskw.exe = "C:\\Users\\Admin\\fWscIIMI\\dCQsgskw.exe"	2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LGQgwcgQ.exe = "C:\\ProgramData\\WMgMIQkA\\LGQgwcgQ.exe"	2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dCQsgskw.exe = "C:\\Users\\Admin\\fWscIIMI\\dCQsgskw.exe"	dCQsgskw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LGQgwcgQ.exe = "C:\\ProgramData\\WMgMIQkA\\LGQgwcgQ.exe"	LGQgwcgQ.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kYAQcYow.exe = "C:\\Users\\Admin\\UyAgEcoo\\kYAQcYow.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\owEMYEoY.exe = "C:\\ProgramData\\cuMYwIcU\\owEMYEoY.exe"	Process not Found

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\shell32.dll.exe	dCQsgskw.exe
File opened for modification	C:\Windows\SysWOW64\shell32.dll.exe	dCQsgskw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3796	380	Process not Found	1901
3332	4248	Process not Found	1900

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
1420	reg.exe
2372	reg.exe
3924	reg.exe
3012	reg.exe
3240	reg.exe
5080	reg.exe
3792	reg.exe
856	reg.exe
1852	reg.exe
4964	reg.exe
5092	Process not Found
5048	Process not Found
3788	reg.exe
4632	reg.exe
216	reg.exe
4636	reg.exe
3048	reg.exe
384	reg.exe
3668	reg.exe
4580	reg.exe
884	reg.exe
1516	reg.exe
116	reg.exe
4052	reg.exe
4040	reg.exe
2480	reg.exe
4052	Process not Found
1852	Process not Found
4636	reg.exe
2856	reg.exe
1472	reg.exe
516	reg.exe
2432	reg.exe
1000	Process not Found
1852	Process not Found
1584	Process not Found
2240	reg.exe
3536	reg.exe
2236	reg.exe
384	reg.exe
5008	reg.exe
1972	reg.exe
1880	reg.exe
2784	reg.exe
4008	reg.exe
1940	Process not Found
3264	reg.exe
732	reg.exe
3880	reg.exe
1632	reg.exe
4004	reg.exe
1436	reg.exe
1652	reg.exe
964	Process not Found
216	Process not Found
2752	Process not Found
1572	reg.exe
4304	Process not Found
2308	Process not Found
2556	reg.exe
672	Process not Found
2108	reg.exe
2268	reg.exe
4316	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1856	2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
1856	2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
1856	2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
1856	2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
3168	2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
3168	2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
3168	2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
3168	2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
4332	2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
4332	2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
4332	2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
4332	2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
3136	2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
3136	2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
3136	2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
3136	2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
4056	2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
4056	2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
4056	2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
4056	2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
2720	2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
2720	2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
2720	2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
2720	2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
4040	2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
4040	2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
4040	2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
4040	2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
1228	2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
1228	2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
1228	2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
1228	2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
1792	2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
1792	2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
1792	2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
1792	2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
3880	2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
3880	2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
3880	2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
3880	2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
4128	2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
4128	2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
4128	2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
4128	2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
4740	2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
4740	2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
4740	2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
4740	2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
3672	2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
3672	2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
3672	2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
3672	2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
624	2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
624	2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
624	2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
624	2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
4900	2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
4900	2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
4900	2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
4900	2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
3012	2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
3012	2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
3012	2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
3012	2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3224	dCQsgskw.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3224	dCQsgskw.exe
3224	dCQsgskw.exe
3224	dCQsgskw.exe
3224	dCQsgskw.exe
3224	dCQsgskw.exe
3224	dCQsgskw.exe
3224	dCQsgskw.exe
3224	dCQsgskw.exe
3224	dCQsgskw.exe
3224	dCQsgskw.exe
3224	dCQsgskw.exe
3224	dCQsgskw.exe
3224	dCQsgskw.exe
3224	dCQsgskw.exe
3224	dCQsgskw.exe
3224	dCQsgskw.exe
3224	dCQsgskw.exe
3224	dCQsgskw.exe
3224	dCQsgskw.exe
3224	dCQsgskw.exe
3224	dCQsgskw.exe
3224	dCQsgskw.exe
3224	dCQsgskw.exe
3224	dCQsgskw.exe
3224	dCQsgskw.exe
3224	dCQsgskw.exe
3224	dCQsgskw.exe
3224	dCQsgskw.exe
3224	dCQsgskw.exe
3224	dCQsgskw.exe
3224	dCQsgskw.exe
3224	dCQsgskw.exe
3224	dCQsgskw.exe
3224	dCQsgskw.exe
3224	dCQsgskw.exe
3224	dCQsgskw.exe
3224	dCQsgskw.exe
3224	dCQsgskw.exe
3224	dCQsgskw.exe
3224	dCQsgskw.exe
3224	dCQsgskw.exe
3224	dCQsgskw.exe
3224	dCQsgskw.exe
3224	dCQsgskw.exe
3224	dCQsgskw.exe
3224	dCQsgskw.exe
3224	dCQsgskw.exe
3224	dCQsgskw.exe
3224	dCQsgskw.exe
3224	dCQsgskw.exe
3224	dCQsgskw.exe
3224	dCQsgskw.exe
3224	dCQsgskw.exe
3224	dCQsgskw.exe
3224	dCQsgskw.exe
3224	dCQsgskw.exe
3224	dCQsgskw.exe
3224	dCQsgskw.exe
3224	dCQsgskw.exe
3224	dCQsgskw.exe
3224	dCQsgskw.exe
3224	dCQsgskw.exe
3224	dCQsgskw.exe
3224	dCQsgskw.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1856 wrote to memory of 3224	1856	2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe	84
PID 1856 wrote to memory of 3224	1856	2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe	84
PID 1856 wrote to memory of 3224	1856	2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe	84
PID 1856 wrote to memory of 1608	1856	2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe	85
PID 1856 wrote to memory of 1608	1856	2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe	85
PID 1856 wrote to memory of 1608	1856	2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe	85
PID 1856 wrote to memory of 4248	1856	2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe	86
PID 1856 wrote to memory of 4248	1856	2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe	86
PID 1856 wrote to memory of 4248	1856	2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe	86
PID 1856 wrote to memory of 3188	1856	2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe	88
PID 1856 wrote to memory of 3188	1856	2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe	88
PID 1856 wrote to memory of 3188	1856	2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe	88
PID 1856 wrote to memory of 4612	1856	2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe	90
PID 1856 wrote to memory of 4612	1856	2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe	90
PID 1856 wrote to memory of 4612	1856	2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe	90
PID 1856 wrote to memory of 864	1856	2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe	91
PID 1856 wrote to memory of 864	1856	2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe	91
PID 1856 wrote to memory of 864	1856	2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe	91
PID 1856 wrote to memory of 3892	1856	2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe	92
PID 1856 wrote to memory of 3892	1856	2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe	92
PID 1856 wrote to memory of 3892	1856	2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe	92
PID 4248 wrote to memory of 3168	4248	cmd.exe	89
PID 4248 wrote to memory of 3168	4248	cmd.exe	89
PID 4248 wrote to memory of 3168	4248	cmd.exe	89
PID 3892 wrote to memory of 2260	3892	cmd.exe	97
PID 3892 wrote to memory of 2260	3892	cmd.exe	97
PID 3892 wrote to memory of 2260	3892	cmd.exe	97
PID 3168 wrote to memory of 2816	3168	2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe	98
PID 3168 wrote to memory of 2816	3168	2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe	98
PID 3168 wrote to memory of 2816	3168	2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe	98
PID 2816 wrote to memory of 4332	2816	cmd.exe	100
PID 2816 wrote to memory of 4332	2816	cmd.exe	100
PID 2816 wrote to memory of 4332	2816	cmd.exe	100
PID 3168 wrote to memory of 1972	3168	2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe	101
PID 3168 wrote to memory of 1972	3168	2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe	101
PID 3168 wrote to memory of 1972	3168	2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe	101
PID 3168 wrote to memory of 3924	3168	2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe	102
PID 3168 wrote to memory of 3924	3168	2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe	102
PID 3168 wrote to memory of 3924	3168	2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe	102
PID 3168 wrote to memory of 2400	3168	2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe	103
PID 3168 wrote to memory of 2400	3168	2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe	103
PID 3168 wrote to memory of 2400	3168	2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe	103
PID 3168 wrote to memory of 1224	3168	2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe	104
PID 3168 wrote to memory of 1224	3168	2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe	104
PID 3168 wrote to memory of 1224	3168	2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe	104
PID 1224 wrote to memory of 1080	1224	cmd.exe	109
PID 1224 wrote to memory of 1080	1224	cmd.exe	109
PID 1224 wrote to memory of 1080	1224	cmd.exe	109
PID 4332 wrote to memory of 64	4332	2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe	110
PID 4332 wrote to memory of 64	4332	2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe	110
PID 4332 wrote to memory of 64	4332	2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe	110
PID 64 wrote to memory of 3136	64	cmd.exe	112
PID 64 wrote to memory of 3136	64	cmd.exe	112
PID 64 wrote to memory of 3136	64	cmd.exe	112
PID 4332 wrote to memory of 5008	4332	2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe	113
PID 4332 wrote to memory of 5008	4332	2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe	113
PID 4332 wrote to memory of 5008	4332	2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe	113
PID 4332 wrote to memory of 4824	4332	2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe	173
PID 4332 wrote to memory of 4824	4332	2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe	173
PID 4332 wrote to memory of 4824	4332	2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe	173
PID 4332 wrote to memory of 1996	4332	2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe	172
PID 4332 wrote to memory of 1996	4332	2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe	172
PID 4332 wrote to memory of 1996	4332	2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe	172
PID 4332 wrote to memory of 1868	4332	2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe	116

C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1856
- C:\Users\Admin\fWscIIMI\dCQsgskw.exe
  "C:\Users\Admin\fWscIIMI\dCQsgskw.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:3224
- C:\ProgramData\WMgMIQkA\LGQgwcgQ.exe
  "C:\ProgramData\WMgMIQkA\LGQgwcgQ.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1608
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4248
- - C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
    C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3168
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2816
    - - C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4332
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:64
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock"
        8⤵
        
        PID:4884
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock"
        10⤵
        
        PID:4112
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock"
        12⤵
        
        PID:2032
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock"
        14⤵
        
        PID:4404
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock"
        16⤵
        
        PID:1996
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        17⤵
        
        PID:4824
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock"
        18⤵
        
        PID:3564
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock"
        20⤵
        
        PID:3796
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock"
        22⤵
        
        PID:3152
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock"
        24⤵
        
        PID:1444
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock"
        26⤵
        
        PID:4268
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock"
        28⤵
        
        PID:4372
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        29⤵
        
        PID:3680
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock"
        30⤵
        
        PID:3024
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock"
        32⤵
        
        PID:4996
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock
        33⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock"
        34⤵
        
        PID:4924
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock
        35⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock"
        36⤵
        
        PID:2528
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock
        37⤵
        
        PID:3472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock"
        38⤵
        
        PID:3420
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock
        39⤵
        
        PID:868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock"
        40⤵
        
        PID:1224
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock
        41⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock"
        42⤵
        
        PID:2300
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        43⤵
        
        PID:1676
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock
        43⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock"
        44⤵
        
        PID:900
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock
        45⤵
        
        PID:4020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock"
        46⤵
        
        PID:3488
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock
        47⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock"
        48⤵
        
        PID:1436
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock
        49⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock"
        50⤵
        
        PID:4404
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        51⤵
        
        PID:4268
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock
        51⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock"
        52⤵
        
        PID:2240
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock
        53⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock"
        54⤵
        
        PID:2312
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock
        55⤵
        
        PID:868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock"
        56⤵
        
        PID:3116
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock
        57⤵
        
        PID:968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock"
        58⤵
        
        PID:4968
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock
        59⤵
        
        PID:3564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock"
        60⤵
        
        PID:3168
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock
        61⤵
        
        PID:4792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock"
        62⤵
        
        PID:4136
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock
        63⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock"
        64⤵
        
        PID:1008
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock
        65⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock"
        66⤵
        
        PID:5016
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        67⤵
        
        PID:1852
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock
        67⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock"
        68⤵
        
        PID:528
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock
        69⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock"
        70⤵
        
        PID:4808
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock
        71⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock"
        72⤵
        
        PID:1928
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock
        73⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock"
        74⤵
        
        PID:1348
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        75⤵
        
        PID:2480
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock
        75⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock"
        76⤵
        
        PID:2356
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock
        77⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock"
        78⤵
        
        PID:3320
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        79⤵
        
        PID:1752
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock
        79⤵
        
        PID:1224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock"
        80⤵
        
        PID:4880
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock
        81⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock"
        82⤵
        
        PID:4632
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock
        83⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock"
        84⤵
        
        PID:1080
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock
        85⤵
        
        PID:3668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock"
        86⤵
        
        PID:1932
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        87⤵
        
        PID:4580
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock
        87⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock"
        88⤵
        
        PID:1348
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        89⤵
        
        PID:2760
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock
        89⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock"
        90⤵
        
        PID:4288
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        91⤵
        
        PID:4404
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock
        91⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock"
        92⤵
        
        PID:4400
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        93⤵
        
        PID:4056
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock
        93⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock"
        94⤵
        
        PID:5040
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        95⤵
        
        PID:4020
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock
        95⤵
        
        PID:3980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock"
        96⤵
        
        PID:4736
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock
        97⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock"
        98⤵
        
        PID:1360
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock
        99⤵
        
        PID:4316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock"
        100⤵
        
        PID:1676
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock
        101⤵
        
        PID:3312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock"
        102⤵
        
        PID:3608
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        103⤵
        
        PID:3564
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock
        103⤵
        
        PID:3924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock"
        104⤵
        
        PID:3540
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock
        105⤵
        
        PID:3624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock"
        106⤵
        
        PID:4556
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        107⤵
        
        PID:3168
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock
        107⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock"
        108⤵
        
        PID:4368
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock
        109⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock"
        110⤵
        
        PID:2360
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock
        111⤵
        
        PID:3440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock"
        112⤵
        
        PID:1444
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock
        113⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock"
        114⤵
        
        PID:4180
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        115⤵
        
        PID:1900
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock
        115⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock"
        116⤵
        
        PID:3364
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock
        117⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock"
        118⤵
        
        PID:3784
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock
        119⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock"
        120⤵
        
        PID:2432
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock
        121⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock"
        122⤵
        
        PID:2500
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock
        123⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock"
        124⤵
        
        PID:1424
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock
        125⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock"
        126⤵
        
        PID:544
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        127⤵
        
        PID:4452
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock
        127⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock"
        128⤵
        
        PID:3540
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        129⤵
        
        PID:2948
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock
        129⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock"
        130⤵
        
        PID:4688
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        131⤵
        
        PID:5040
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock
        131⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock"
        132⤵
        
        PID:1464
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock
        133⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock"
        134⤵
        
        PID:1972
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock
        135⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock"
        136⤵
        
        PID:2084
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock
        137⤵
        
        PID:932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock"
        138⤵
        
        PID:1104
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock
        139⤵
        
        PID:864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock"
        140⤵
        
        PID:3024
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock
        141⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock"
        142⤵
        
        PID:3104
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock
        143⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock"
        144⤵
        
        PID:3628
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock
        145⤵
        
        PID:3296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock"
        146⤵
        
        PID:952
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock
        147⤵
        
        PID:3152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock"
        148⤵
        
        PID:1236
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock
        149⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock"
        150⤵
        
        PID:3024
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock
        151⤵
        
        PID:3412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock"
        152⤵
        
        PID:4268
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock
        153⤵
        
        PID:216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock"
        154⤵
        
        PID:4580
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock
        155⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock"
        156⤵
        
        PID:1584
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock
        157⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock"
        158⤵
        
        PID:736
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        159⤵
        
        PID:2556
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock
        159⤵
        
        PID:3796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock"
        160⤵
        
        PID:416
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock
        161⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock"
        162⤵
        
        PID:3800
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        163⤵
        
        PID:1068
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock
        163⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock"
        164⤵
        
        PID:964
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock
        165⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock"
        166⤵
        
        PID:3196
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        167⤵
        
        PID:3680
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock
        167⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock"
        168⤵
        
        PID:5060
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        169⤵
        
        PID:4304
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock
        169⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock"
        170⤵
        
        PID:3332
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        171⤵
        
        PID:3312
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock
        171⤵
        
        PID:3468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock"
        172⤵
        
        PID:3624
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock
        173⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock"
        174⤵
        
        PID:3668
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock
        175⤵
        
        PID:924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock"
        176⤵
        
        PID:1932
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock
        177⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock"
        178⤵
        
        PID:4788
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock
        179⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock"
        180⤵
        
        PID:2460
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock
        181⤵
        
        PID:516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock"
        182⤵
        
        PID:1068
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        183⤵
        
        PID:4524
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock
        183⤵
        
        PID:860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock"
        184⤵
        
        PID:4356
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock
        185⤵
        
        PID:4664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock"
        186⤵
        
        PID:2716
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock
        187⤵
        
        PID:3440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock"
        188⤵
        
        PID:2084
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        189⤵
        
        PID:4208
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock
        189⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock"
        190⤵
        
        PID:1424
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock
        191⤵
        
        PID:1284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock"
        192⤵
        
        PID:1680
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock
        193⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock"
        194⤵
        
        PID:2332
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock
        195⤵
        
        PID:624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock"
        196⤵
        
        PID:1988
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock
        197⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock"
        198⤵
        
        PID:1000
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock
        199⤵
        
        PID:408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock"
        200⤵
        
        PID:4128
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock
        201⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock"
        202⤵
        
        PID:1868
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock
        203⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock"
        204⤵
        
        PID:4688
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock
        205⤵
        
        PID:732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock"
        206⤵
        
        PID:1952
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock
        207⤵
        
        PID:3412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock"
        208⤵
        
        PID:3648
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock
        209⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock"
        210⤵
        
        PID:4004
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        211⤵
        
        PID:3788
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock
        211⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock"
        212⤵
        
        PID:3488
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock
        213⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock"
        214⤵
        
        PID:1652
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        215⤵
        
        PID:3924
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock
        215⤵
        
        PID:924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock"
        216⤵
        
        PID:5060
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        217⤵
        
        PID:1348
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock
        217⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock"
        218⤵
        
        PID:736
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock
        219⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock"
        220⤵
        
        PID:3940
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock
        221⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock"
        222⤵
        
        PID:4376
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock
        223⤵
        
        PID:3496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock"
        224⤵
        
        PID:1868
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock
        225⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock"
        226⤵
        
        PID:3800
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock
        227⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock"
        228⤵
        
        PID:1512
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        229⤵
        
        PID:3000
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock
        229⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock"
        230⤵
        
        PID:5012
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock
        231⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock"
        232⤵
        
        PID:3240
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock
        233⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock"
        234⤵
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock
        235⤵
        
        PID:3624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock"
        236⤵
        
        PID:4532
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock
        237⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock"
        238⤵
        
        PID:4856
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        239⤵
        
        PID:1988
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock
        239⤵
        
        PID:692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock"
        240⤵
        
        PID:1396
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock
        241⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock"
        242⤵
        
        PID:4164
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock
        243⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock"
        244⤵
        
        PID:4612
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock
        245⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock"
        246⤵
        
        PID:4468
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        247⤵
        
        PID:736
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock
        247⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock"
        248⤵
        
        PID:4544
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock
        249⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock"
        250⤵
        
        PID:1876
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock
        251⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock"
        252⤵
        
        PID:3720
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock
        253⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        252⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        252⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        252⤵
        
        PID:3152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gwIMgkcA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe""
        252⤵
        
        PID:1952
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        253⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        250⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        250⤵
        
        PID:3904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        250⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KkIgUEMc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe""
        250⤵
        
        PID:2900
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        251⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        251⤵
        
        PID:4136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        248⤵
        
        PID:216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        248⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        248⤵
        Modifies registry key
        
        PID:5008
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        249⤵
        
        PID:1068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ESsIocks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe""
        248⤵
        
        PID:2836
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        249⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        249⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        246⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        246⤵
        
        PID:760
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        247⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        246⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uUckgIgw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe""
        246⤵
        
        PID:1160
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        247⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        247⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        244⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        244⤵
        
        PID:3720
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        245⤵
        
        PID:3784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        244⤵
        UAC bypass
        
        PID:864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nycgwsMM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe""
        244⤵
        
        PID:860
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        245⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        245⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        242⤵
        Modifies visibility of file extensions in Explorer
        
        PID:416
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        243⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        242⤵
        Modifies registry key
        
        PID:384
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        243⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        242⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vqMoQIQM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe""
        242⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        243⤵
        
        PID:4180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        240⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2236
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        241⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        240⤵
        
        PID:1160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        240⤵
        UAC bypass
        
        PID:3320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OaksEkcg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe""
        240⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        241⤵
        
        PID:1000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        238⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        238⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        238⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KMMYAwgA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe""
        238⤵
        
        PID:4524
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        239⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        239⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        236⤵
        
        PID:2716
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        237⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        236⤵
        
        PID:3440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        236⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LAQYsUYM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe""
        236⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        237⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        234⤵
        
        PID:4748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        234⤵
        
        PID:3800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        234⤵
        UAC bypass
        Modifies registry key
        
        PID:2432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HekEgUMA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe""
        234⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        235⤵
        
        PID:3656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        232⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        232⤵
        
        PID:4272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        232⤵
        UAC bypass
        
        PID:3308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IMYkoYUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe""
        232⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        233⤵
        
        PID:1088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        230⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3904
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        231⤵
        
        PID:4528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        230⤵
        
        PID:4368
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        231⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        230⤵
        
        PID:3264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ssYcAEUs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe""
        230⤵
        
        PID:64
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        231⤵
        
        PID:3668
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        231⤵
        
        PID:1396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        228⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        228⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        228⤵
        Modifies registry key
        
        PID:2556
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        229⤵
        
        PID:3892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OKYwkIgY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe""
        228⤵
        
        PID:3488
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        229⤵
        
        PID:924
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        229⤵
        
        PID:624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        226⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        226⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        226⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zqsYEEEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe""
        226⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        227⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        224⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        224⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        224⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HaAEAccc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe""
        224⤵
        
        PID:4368
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        225⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        225⤵
        
        PID:4664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        222⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        222⤵
        
        PID:924
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        223⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        222⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jOAMAoQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe""
        222⤵
        
        PID:4968
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        223⤵
        
        PID:4180
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        223⤵
        
        PID:624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        220⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        220⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        220⤵
        UAC bypass
        
        PID:4268
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        221⤵
        
        PID:932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sYkskIMI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe""
        220⤵
        
        PID:2788
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        221⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        221⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        218⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2816
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        219⤵
        
        PID:344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        218⤵
        
        PID:864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        218⤵
        UAC bypass
        
        PID:1464
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        219⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IowcYIoQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe""
        218⤵
        
        PID:3332
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        219⤵
        
        PID:408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        216⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4020
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        217⤵
        
        PID:3376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        216⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        216⤵
        
        PID:3024
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        217⤵
        
        PID:4292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\agoUUQks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe""
        216⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        217⤵
        
        PID:1080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        214⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        214⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        214⤵
        UAC bypass
        
        PID:2788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vYsYQsYA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe""
        214⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        215⤵
        
        PID:3900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        212⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        212⤵
        
        PID:1104
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        213⤵
        
        PID:380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        212⤵
        
        PID:4052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RQkcckEY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe""
        212⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        213⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        210⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4356
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        211⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        210⤵
        
        PID:4740
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        211⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        210⤵
        
        PID:3296
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        211⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nAMkwgwc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe""
        210⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        211⤵
        
        PID:4292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        208⤵
        Modifies visibility of file extensions in Explorer
        
        PID:692
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        209⤵
        
        PID:1396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        208⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        208⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fSsMUEsg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe""
        208⤵
        
        PID:3440
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        209⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        206⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        206⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        206⤵
        UAC bypass
        
        PID:1760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iiEkMksU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe""
        206⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        207⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        204⤵
        Modifies registry key
        
        PID:1652
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        205⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        204⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        204⤵
        UAC bypass
        
        PID:2372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YCMskYkI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe""
        204⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        205⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        202⤵
        
        PID:3648
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        203⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        202⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        202⤵
        
        PID:3364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cCkIsUsM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe""
        202⤵
        
        PID:216
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        203⤵
        
        PID:3940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        200⤵
        
        PID:3880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        200⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        200⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pGYIIgIs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe""
        200⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        201⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        198⤵
        
        PID:4628
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        199⤵
        
        PID:4248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        198⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        198⤵
        Modifies registry key
        
        PID:4008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HaMUsQEU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe""
        198⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        199⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        196⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        196⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        196⤵
        
        PID:4060
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        197⤵
        
        PID:744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zkkgIYgs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe""
        196⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        197⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        194⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        194⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        194⤵
        UAC bypass
        
        PID:1648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uagIwgoc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe""
        194⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        195⤵
        
        PID:968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        192⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        192⤵
        
        PID:2132
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        193⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        192⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sQYgsoUo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe""
        192⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        193⤵
        
        PID:1068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        190⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:5080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        190⤵
        Modifies registry key
        
        PID:4964
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        191⤵
        
        PID:864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        190⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ACkQIcgE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe""
        190⤵
        
        PID:3376
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        191⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        188⤵
        
        PID:4136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        188⤵
        
        PID:3784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        188⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yiUsokgw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe""
        188⤵
        
        PID:3880
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        189⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        186⤵
        
        PID:856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        186⤵
        
        PID:232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        186⤵
        UAC bypass
        
        PID:4532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\baEgYYIo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe""
        186⤵
        
        PID:3000
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        187⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        187⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        184⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        184⤵
        
        PID:3788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        184⤵
        UAC bypass
        
        PID:2028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lYMsAMQE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe""
        184⤵
        
        PID:4024
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        185⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        185⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        182⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        182⤵
        
        PID:1360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        182⤵
        UAC bypass
        Modifies registry key
        
        PID:2480
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        183⤵
        
        PID:3196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XikkQwQY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe""
        182⤵
        
        PID:4612
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        183⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        183⤵
        
        PID:4292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        180⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        180⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        180⤵
        
        PID:856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZIsggksQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe""
        180⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        181⤵
        
        PID:4056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        178⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        178⤵
        
        PID:864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        178⤵
        
        PID:1284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cgQgcUMU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe""
        178⤵
        
        PID:1464
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        179⤵
        
        PID:116
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        179⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        176⤵
        Modifies visibility of file extensions in Explorer
        
        PID:512
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        177⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        176⤵
        
        PID:4248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        176⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eGUUgksE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe""
        176⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        177⤵
        
        PID:4020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        174⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        174⤵
        
        PID:1360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        174⤵
        UAC bypass
        Modifies registry key
        
        PID:2784
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        175⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OyQQgMwo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe""
        174⤵
        
        PID:532
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        175⤵
        
        PID:4180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        172⤵
        
        PID:516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        172⤵
        
        PID:4028
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        173⤵
        
        PID:3656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        172⤵
        UAC bypass
        
        PID:1000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\huoAMwkQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe""
        172⤵
        
        PID:544
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        173⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        170⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        170⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        170⤵
        
        PID:4748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HAMwIwEg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe""
        170⤵
        
        PID:732
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        171⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        168⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        168⤵
        
        PID:3940
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        169⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        168⤵
        UAC bypass
        
        PID:4272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSsQMkcQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe""
        168⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        169⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        166⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        166⤵
        
        PID:532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        166⤵
        UAC bypass
        
        PID:4084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tGswwkck.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe""
        166⤵
        
        PID:4144
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        167⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        164⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        164⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        164⤵
        UAC bypass
        Modifies registry key
        
        PID:516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KkgEkIsA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe""
        164⤵
        
        PID:1452
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        165⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        165⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        162⤵
        
        PID:1224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        162⤵
        
        PID:468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        162⤵
        Modifies registry key
        
        PID:1436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GMIAAcIo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe""
        162⤵
        
        PID:3176
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        163⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        160⤵
        Modifies registry key
        
        PID:1852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        160⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        160⤵
        
        PID:4664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\acwocowE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe""
        160⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        161⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        158⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2236
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        159⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        158⤵
        
        PID:3440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        158⤵
        UAC bypass
        
        PID:2132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LyQYwQQk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe""
        158⤵
        
        PID:1512
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        159⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        159⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        156⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        156⤵
        
        PID:3788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        156⤵
        UAC bypass
        
        PID:3412
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        157⤵
        
        PID:4528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NuccUYIU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe""
        156⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        157⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        154⤵
        
        PID:3844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        154⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        154⤵
        UAC bypass
        
        PID:1644
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        155⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\syskQkUc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe""
        154⤵
        
        PID:532
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        155⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        152⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        152⤵
        
        PID:2724
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        153⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        152⤵
        UAC bypass
        
        PID:3624
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        153⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QwcgMEoI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe""
        152⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        153⤵
        
        PID:1148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        150⤵
        Modifies visibility of file extensions in Explorer
        
        PID:700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        150⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        150⤵
        
        PID:856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MwEYcwMs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe""
        150⤵
        
        PID:4248
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        151⤵
        
        PID:528
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        151⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        148⤵
        Modifies registry key
        
        PID:4316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        148⤵
        
        PID:3892
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        149⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        148⤵
        UAC bypass
        Modifies registry key
        
        PID:116
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        149⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jQEcYIsc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe""
        148⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        149⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        146⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        146⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        146⤵
        UAC bypass
        
        PID:2084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BkUUcEQY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe""
        146⤵
        
        PID:4696
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        147⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        147⤵
        
        PID:4020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        144⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        144⤵
        
        PID:1080
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        145⤵
        
        PID:232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        144⤵
        
        PID:2372
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        145⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NQcgoUos.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe""
        144⤵
        
        PID:4164
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        145⤵
        
        PID:3624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        142⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        142⤵
        
        PID:544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        142⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ImMEcowY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe""
        142⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        143⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        140⤵
        
        PID:468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        140⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        140⤵
        Modifies registry key
        
        PID:3240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uAYwIwQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe""
        140⤵
        
        PID:1476
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        141⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        141⤵
        
        PID:3176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        138⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        138⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        138⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\occwskwU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe""
        138⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        139⤵
        
        PID:4528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        136⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        136⤵
        
        PID:2312
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        137⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        136⤵
        UAC bypass
        
        PID:4292
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        137⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dgkYYkkg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe""
        136⤵
        
        PID:3720
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        137⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        134⤵
        
        PID:1852
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        135⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        134⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        134⤵
        
        PID:380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vasocYAg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe""
        134⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        135⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        132⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        132⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        132⤵
        UAC bypass
        
        PID:4580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fYssIQsI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe""
        132⤵
        
        PID:3924
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        133⤵
        
        PID:968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LYAsQIYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe""
        130⤵
        
        PID:4528
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        131⤵
        
        PID:3320
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        131⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        
        PID:4248
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        129⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        
        PID:1068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        UAC bypass
        
        PID:4292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oAEoYkcM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe""
        128⤵
        
        PID:1876
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        129⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        
        PID:3440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        Modifies registry key
        
        PID:856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        UAC bypass
        
        PID:380
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        127⤵
        
        PID:3980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SeIEQkEo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe""
        126⤵
        
        PID:4164
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        UAC bypass
        Modifies registry key
        
        PID:4580
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        125⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OgEUMwkw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe""
        124⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:3364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        Modifies registry key
        
        PID:3668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        
        PID:4020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fyEEkYAA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe""
        122⤵
        
        PID:1952
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        123⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        
        PID:4292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        
        PID:3412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LEogwYUs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe""
        120⤵
        
        PID:232
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        121⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        
        PID:856
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        119⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        UAC bypass
        
        PID:4468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FgocoAQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe""
        118⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        
        PID:968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        UAC bypass
        
        PID:4488
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        117⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dkoIQAYA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe""
        116⤵
        
        PID:1476
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        117⤵
        
        PID:1148
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        
        PID:3680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        Modifies registry key
        
        PID:216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        
        PID:3376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SucwUgww.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe""
        114⤵
        
        PID:4208
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1644
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        113⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wUwggIIg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe""
        112⤵
        
        PID:344
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:1396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        
        PID:3176
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        111⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        
        PID:3240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        Modifies registry key
        
        PID:1572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CaQAwwoM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe""
        110⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        
        PID:624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        
        PID:968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        UAC bypass
        
        PID:1928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UKosgoEA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe""
        108⤵
        
        PID:3312
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        
        PID:1080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        Modifies registry key
        
        PID:384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        UAC bypass
        
        PID:528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LgkgYUUQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe""
        106⤵
        
        PID:3896
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1516
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        105⤵
        
        PID:3332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        
        PID:4968
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        105⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        
        PID:864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vAIAoIoQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe""
        104⤵
        
        PID:1424
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        105⤵
        
        PID:3680
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        
        PID:4612
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        103⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        UAC bypass
        
        PID:1640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bqEMIEgg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe""
        102⤵
        
        PID:3784
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        103⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:3800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        
        PID:232
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        101⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        UAC bypass
        
        PID:3788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GIsMMkgs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe""
        100⤵
        
        PID:4040
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        101⤵
        
        PID:1000
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        
        PID:516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IwIgAwEI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe""
        98⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        
        PID:2020
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        97⤵
        
        PID:1224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        UAC bypass
        
        PID:2016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IYcYgcsI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe""
        96⤵
        
        PID:864
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        
        PID:4088
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        95⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        UAC bypass
        
        PID:4144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ygIwkUYY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe""
        94⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        Modifies visibility of file extensions in Explorer
        
        PID:932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fAQgAMAY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe""
        92⤵
        
        PID:3412
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:3656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        
        PID:864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zIksUYgY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe""
        90⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:1068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4920
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        89⤵
        
        PID:3900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        UAC bypass
        
        PID:1940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zIIMUYIc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe""
        88⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:3940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        
        PID:4452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        
        PID:232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EgwcwgIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe""
        86⤵
        
        PID:4368
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        87⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        
        PID:2356
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        85⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        
        PID:4048
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        85⤵
        
        PID:516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        UAC bypass
        
        PID:4968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\saAQIUEE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe""
        84⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:1068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        Modifies registry key
        
        PID:4040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uAggMIoQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe""
        82⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:4528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        
        PID:4060
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        81⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        
        PID:4180
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        81⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OwcwcscI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe""
        80⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        
        PID:3332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        UAC bypass
        Modifies registry key
        
        PID:4004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LiYIoQQs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe""
        78⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        
        PID:528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        
        PID:1000
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        77⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\faUYksYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe""
        76⤵
        
        PID:3100
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        Modifies visibility of file extensions in Explorer
        
        PID:468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        
        PID:1396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\negIAIsA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe""
        74⤵
        
        PID:3940
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:64
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        
        PID:216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:3412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        UAC bypass
        
        PID:1148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EOcYwkUs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe""
        72⤵
        
        PID:2332
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        73⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4084
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        71⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        UAC bypass
        
        PID:4248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mgwwoAwQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe""
        70⤵
        
        PID:4636
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        71⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        Modifies registry key
        
        PID:3012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        Modifies registry key
        
        PID:3048
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        69⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        UAC bypass
        Modifies registry key
        
        PID:1632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\agMMUkQw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe""
        68⤵
        
        PID:1496
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        69⤵
        
        PID:4272
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        Modifies registry key
        
        PID:3880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        Modifies registry key
        
        PID:4052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        UAC bypass
        
        PID:4028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qGIgQgcw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe""
        66⤵
        
        PID:1880
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        67⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        
        PID:4056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        
        PID:4132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MmsEYUMI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe""
        64⤵
        
        PID:3412
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        Modifies registry key
        
        PID:732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZeoIokwM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe""
        62⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3668
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        61⤵
        
        PID:952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        
        PID:932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hSwcMMQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe""
        60⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:4164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        
        PID:2108
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        59⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        UAC bypass
        
        PID:2760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xMYocgsw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe""
        58⤵
        
        PID:4468
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        59⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        
        PID:1544
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        57⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:4524
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        57⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        
        PID:512
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        57⤵
        
        PID:3376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rsQkEMgI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe""
        56⤵
        
        PID:1224
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:3472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        
        PID:1396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OQUMYwgk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe""
        54⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:1088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        UAC bypass
        
        PID:860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yWgwcwUs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe""
        52⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        
        PID:4132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iqMMwEAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe""
        50⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1752
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        49⤵
        
        PID:516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        
        PID:1228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        UAC bypass
        
        PID:1544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aIkwYIko.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe""
        48⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:3376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        
        PID:3496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZMMYEUMM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe""
        46⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:3680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        Modifies visibility of file extensions in Explorer
        
        PID:860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        
        PID:3900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pIMQUUww.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe""
        44⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:1876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        
        PID:468
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        43⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        
        PID:4132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\diAIIAYU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe""
        42⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:4052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        Modifies registry key
        
        PID:4636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pMMQMcMo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe""
        40⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:2032
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        39⤵
        
        PID:3788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\woEwMgMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe""
        38⤵
        
        PID:516
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        Modifies registry key
        
        PID:4632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        
        PID:3332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KAIwYYMw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe""
        36⤵
        
        PID:952
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        Modifies registry key
        
        PID:2856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SKIUMcgA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe""
        34⤵
        
        PID:852
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:4272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        
        PID:1176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        UAC bypass
        Modifies registry key
        
        PID:4636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YmQsUAcQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe""
        32⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        
        PID:932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        Modifies registry key
        
        PID:884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VMowAUwM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe""
        30⤵
        
        PID:1248
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        Modifies registry key
        
        PID:1420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        Modifies registry key
        
        PID:2240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NaowEAsk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe""
        28⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JWIQYQIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe""
        26⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        
        PID:948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        
        PID:3980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        
        PID:3668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DSgoYoYI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe""
        24⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        
        PID:516
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        23⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        UAC bypass
        
        PID:1548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WCUgEAcA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe""
        22⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        Modifies registry key
        
        PID:3788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        
        PID:404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sagowkkw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe""
        20⤵
        
        PID:60
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies registry key
        
        PID:2268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WSsUMMwI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe""
        18⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UWAkoEUY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe""
        16⤵
        
        PID:3680
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        Modifies registry key
        
        PID:1472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BUowIUwE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe""
        14⤵
        
        PID:4292
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        Modifies registry key
        
        PID:3792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        UAC bypass
        
        PID:2576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JMEUEMgg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe""
        12⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        Modifies registry key
        
        PID:2108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        
        PID:4748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TgQEIQQE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe""
        10⤵
        
        PID:224
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoIYIEos.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe""
        8⤵
        
        PID:1188
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:2160
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5008
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:4824
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        
        PID:1996
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mMcAEwAg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe""
        6⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:3680
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      Modifies registry key
      PID:1972
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Modifies registry key
      PID:3924
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:2400
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AAMQQQYg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1224
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:1080
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:3188
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:4612
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:864
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kOAcQQoA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3892
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:2260

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv nNmrGe78fk+d2jPXWvSosA.0.2
1⤵
PID:4720

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:1448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.exe

Filesize
312KB

MD5
b4cc42cefc638ed6e0f878ab504d96d8

SHA1
e1352a422553a8731a6e5ba4cca23213aa0ad446

SHA256
197ab1ceaa1c1468a612b74c5995909afed7794c9415c15464d602055741db7d

SHA512
940f2b7773ee64dcc3037c8c921240cad8b925bfe07e74a56f71dedabbb063f0369ba705880679ddd8af5361b068612bd687bdf43a7091572ef2f79b8813baeb

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe

Filesize
226KB

MD5
de5fef4c397d0b8765012f557e9a196c

SHA1
66fc5fa7d2191081360667cd2a816bfa3e897a83

SHA256
64a1990714ebf7bd7640660c0992fef175f50eb7cee79c6ddae3f117793a3ed0

SHA512
5fc2e70973ba5d8a8ed89572fa39bc7ab27f7f1e140bc5f5c6bb0ce7f87bb81e426c2fcbbc13eec7ecbce8143d3cebd1829166f53d3c15582e08de482f7845fd

Download Submit
C:\ProgramData\Package Cache\{ef5af41f-d68c-48f7-bfb0-5055718601fc}\windowsdesktop-runtime-7.0.16-win-x64.exe

Filesize
794KB

MD5
7f92dfbb7b8ff988a72e13799b8429b0

SHA1
f44025b6037a3a5b9d86e7bad088885476719188

SHA256
2e7c8dd9f0242b4d8722b903d7ccbeb7e50318261880ea791c1a23c81b836c61

SHA512
b9ecc225d82679d97490ebfc5a851a285a7cee6221d6cf92b6b7a89ae03cc1c980b5345853be2f80208e0e1fe615981d80caa237b547344b5ea8221e625afe7e

Download Submit
C:\ProgramData\WMgMIQkA\LGQgwcgQ.exe

Filesize
189KB

MD5
4e61a3105e8a91a15dafcc40e37d399a

SHA1
622e66335aac011e5401633d640aa08a0c0797db

SHA256
8ca56dbc201410b7fc3706f4df43202e2ae05d8ee9869b6175930113ac175d17

SHA512
8ab8585d70bd5a79a9501c708ac7996981c75f6f16982f4493834ba2ad57faf1f1db326a761f6d7ce057d4ec6c2c8b48c55f8e223a64f86b98019d734fece6e1

Download Submit
C:\ProgramData\WMgMIQkA\LGQgwcgQ.inf

Filesize
4B

MD5
51267fc25b03d05c0783275be97531d8

SHA1
62c2610e81dfa2b31456f49bf1a6de24dc773847

SHA256
0f696cf58f888f51afed2c5c762d4a6b028973b0dda435cf83f3dab0f9f9630f

SHA512
09a370565588aab3c4192ef3df28e3df0d8b67c85a41e19476dfad344ee497385ae999f691feab089099f98c590586946ba836b6dbed73f150bf1594d828938e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\256.png.exe

Filesize
186KB

MD5
a55b63c96804d9a579b59b0ee2404454

SHA1
6591e27ec7e290dd2724c865422218ce8d662710

SHA256
491753feb26a5cd2209bb5b2fd519abdb097a77e2a792216767636cb1d33e0f3

SHA512
18e5c662279b3996e198f21e1fc20dacaf4471f792d020b4b9aefce238762e58d4ea7b81387fe837709c764d600a43244a5c813fd2a1d50286df6dafe42d5fdd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\96.png.exe

Filesize
185KB

MD5
2130439fa9634d37d1bac523be0484e9

SHA1
3de0c8cfdf74915fc7b024caa4677fd63e3568ca

SHA256
b12498b3f86a29d1b638fb23f7c4142691b371150ab8873e47f2d950008dfd05

SHA512
fd759cdf5e126a6262470245d27b8f48800309490835a373bed4ff29564c2c7f2329bb3db87ff74af189f7073e8ef4596db6dddef6de0d84015b6fe60feb5753

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\128.png.exe

Filesize
197KB

MD5
b6ab496d9328491fb5d2297da5d116cc

SHA1
32494de6ed6197c58bf5cb7f39042f7a955d9e7e

SHA256
c6050e558d4f47222b41d1e58aae465c397b04f2a56310e37722cad2ab7a8781

SHA512
bae155eb24130da1606f78b43e3e3064c908452d16a890fa2796243d4e0f14946874280bed29f86f6f460fae8a4b45ded121ff2842dace4d52160fc6a5ae9dd7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppBlue.png.exe

Filesize
194KB

MD5
a9f27df31ce2b25ef546c62f16495b6f

SHA1
e372daadf4f715559c8faa8e1bbc63217bb381af

SHA256
420ea71a216f123116117c5ddeea1fe5550227fd54ce8a21478d7ee169a5e71d

SHA512
119b7dd18e4efcbd9e2a7619819fa0bc692f8ef21f75a153a872f7c0b91a19e74df5b0f04977fb442cbe34438d6dd7c15ffcaba87cf765f7b661fbff3785c73d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AutoPlayOptIn.gif.exe

Filesize
564KB

MD5
bb9e0362c97d0663b4622d14a9a78574

SHA1
b5d5bd35de4bd0ad84dd387b4e70d24b65a0a421

SHA256
54368ea1bceb2fa491ac95f727e6ba3e5075849a963a35ff49f0f34abdbd7ceb

SHA512
f2c710221146e92090420f0997533cb94a38924630d33aea66c1b15ce736e02615af953ab56d4669317c6b7332e6d911e090c62af6cb9092ce14f11bcd0e77a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\Error.png.exe

Filesize
197KB

MD5
f13f97d913435cc77a897982495ba7bd

SHA1
6a75f99d707722d94bb8e573f596ecbf9bb780e9

SHA256
e0f3771de3402caf8a407dc50e1bd591b8741bce6ee39c2536ce3c0a36ddfef9

SHA512
d64ea4582b4b69b7036ca26cdfb8262957e8870d690e043202ddf845482cfa05f25ef3a1ad74cb77bbb38cfbcc88eb99af0bed7186b39d6f0248c405731da3b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-05-28_730f81a158df05a5a8848d7aa177385a_virlock

Filesize
69KB

MD5
1bc5b77f3e50b7fbe12c792ee438da45

SHA1
5bd2ef6030d665aa615147512a0fea3055930cc6

SHA256
ea3b1238a38f72b330aac53364bd0a0481946b93fc757dde7314ce3319f1840e

SHA512
62139dfa1f200687b847462c76ff4979c4892ecfe65ff5e8c06822ca771da3bd3db472aa8bdaa61b4ba359e493cf51882f9731e3fbfa2d496dac8cba03332905

Download Submit
C:\Users\Admin\AppData\Local\Temp\AgUW.exe

Filesize
188KB

MD5
999f402d4e5252e7bf67c4baf3c57754

SHA1
a7b2ebb57abda83faceef91d5b58f61e2a0c29e9

SHA256
ba0ee3285b42ea6b4103f4cbb7c32c4bce0f43c35082eaecadd5cf03f0d258f4

SHA512
112f53a9c2ef91070c6edb47adec61170ae2784643d1397cefe87936d4d64ab3265883e32a5dbb3d7d4c14f0d72679d3aac561120eb00d6693e4eb8ccd459640

Download Submit
C:\Users\Admin\AppData\Local\Temp\AwEm.exe

Filesize
227KB

MD5
db3201f8457532c7ed482678302a8869

SHA1
5e908f68629045dca5f7394ba8695277a1d48b8c

SHA256
b0661e1769e71c0fa2c6311f69f2f9ae91b0a86a9cf4eca8d8801ef70430d97a

SHA512
37c71e4f6ae236c702eacb5a18800d51d3969fd5bb09f6702b46df58d368261112e4e68166661f002bebcf024a596af27cd845cee443a4a3584f1f2c93515d3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\CEEU.exe

Filesize
630KB

MD5
ff0b9d64bc7afcbce23ea1568b961984

SHA1
e102397375a0c307b547f262d1b57f4e8fe0b98f

SHA256
328203c65bb4c5f62de3bfa60fb8688096dfb8db664bab503f19d6ec39a557f3

SHA512
c46182fb679fc90bb25c8ee203ea0654935e63e69e5657845c25b770380758a2586b2646a4ca69576ab62826b598f681215b286e50ab7258c8d550fa532559e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\CQUq.exe

Filesize
181KB

MD5
4b0cc9c5dcbe006aaaef3c454c51fdcd

SHA1
5696faaf855bb3860f4415f6db3d9c8444207b3a

SHA256
4a1d63417be08cdde198e72ec1ad0bd25ed8c66f895546587b10bc8765961254

SHA512
c02bc062799159e7ed0b394064226bd1d96b6fe4063b23b942c554d21eef7c0130c4c6d3c34900210500f62279ea548bbea76d111a3ce6911aa0af2e84d0242c

Download Submit
C:\Users\Admin\AppData\Local\Temp\CoQy.ico

Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\AppData\Local\Temp\CowO.exe

Filesize
215KB

MD5
ee15f75cf384f4d3766ebc3ebdddbb31

SHA1
4cf3704145d8746ccddb87df3b70d3c4d659e737

SHA256
1798bdec5e449efe1d9b76e6b16017c447e322429ff1e83e8fd33f15d476334a

SHA512
07632c80ff04b175c284c56c32a7f6fc7747d03569dfe7c8b0983194210f4830c994ad332c71200d2ae222285a436d2004467ff7086cb27ab543085d1b414fb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\CwUk.exe

Filesize
184KB

MD5
f86b8266406bf395279c27285d089cb1

SHA1
42cab82cd7298bb5988954874b24f25bf7709433

SHA256
8182632274487bf180649e6e4ebc72c1b4b16de436d68684f25ec15926cb6dc8

SHA512
e108031c0c22bb621eb5453c3cc9a7213de8542a3361fe42b076843bb3641fb6c011301d1974f5ccfe4d8847c2fa11aa1336f879c073fff4cb3b876d43335f34

Download Submit
C:\Users\Admin\AppData\Local\Temp\EAQu.exe

Filesize
189KB

MD5
6764c4788a2337470a961b72e9dc271f

SHA1
dbfab669fd800e189b162f275301c2ff5f841c82

SHA256
2bd09f2c700acb202d559b74df5176b889f080c6a611f835d0608fa12f9f5a40

SHA512
46d4109627ed4b8c3421377abe264d639ac1b14c7bb92bc7bcae09559c333588c62af6e31a62684f489a50860797ad692c33ad38ded22548af9922d754b9a7d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\EEsO.exe

Filesize
550KB

MD5
08bce4c64d7d6102ded04c3660caeb2a

SHA1
abf028c87078cfeb54cc7bf48bd44a6fd01a4643

SHA256
b1b9fc10017dab9ea7c71daa3d61c9f3aab3d0bdcb8279213f724581bac0d3f5

SHA512
7b95a0d129c7043d50c82df217f8fb8acfe0f175e5554cf317f5d075d353fbf2321cce302ea43b028a876b76f632f583f80fc59b7a293becc8529d7260d651b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\EQgS.exe

Filesize
229KB

MD5
a2fcc44618c5616f97f9cfb654acc7f9

SHA1
4eee31534157d96720a64320237d279047a7fd2e

SHA256
a857cf74edc25e3a629224008545f75fc841edcdad8ba6d356e2f56f5e947acf

SHA512
e7a8c26e97e0ff41d610db4a41dc151cf948b2bf21769ac926e8949d4d42e5a1a993b82aa5d03b0b0f6b15f2e873294544fc9da79a851052cabcea30775070cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\EcIK.exe

Filesize
239KB

MD5
56a24859d88b342ff3fe6745a3804c89

SHA1
62e8171850473ad11b7237a8217e26a9036856be

SHA256
0b486901c77c6831c37530813889a4d1a6d5e44859bcdd8bea395353dca8b463

SHA512
4947395063f41e10f14578eef76ea1f9757eb81dedc8d575ce8c97685cdcf167212f47cfddc32dbde80baba76a1bcab84a1edc9c892775f13a4fa7e98f15899c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Eosa.exe

Filesize
207KB

MD5
25732e59c3b2fab2f812bbf81f451072

SHA1
678820da543a72a93c6aa4c90867d273354f6134

SHA256
243e320f0ffe3d4a958ae611c6fcd011590e0d1301a0d3a75af0864a01383892

SHA512
44cd0962b374c1339222f43af15e97c92590fb0330f049a087c13152893c4575fcf628607a6fafc4c5b1df1784fb340f539c97465d4eba1f5116f3c6a90583fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\GMsg.exe

Filesize
242KB

MD5
c34e9b7ae684270554905ef9b22979a3

SHA1
927aa3b4e2eea76aba55b4e17d4c9c719a10cf55

SHA256
0d6ffac932d128dce60e996247c67ec7a915b82feaa484ce418a0f91330f60c2

SHA512
126fcdc5d886cd4938c636ad2c5391bc84085daa974767918a2b171549b48ddeb7278892669674afa8b56d89ed129df6fc359be69b7bcb29ff40150f18fa3d00

Download Submit
C:\Users\Admin\AppData\Local\Temp\GQYc.exe

Filesize
197KB

MD5
e98020b60974dabdcc769da557c90eed

SHA1
8db39308a2766262d02a677d3299b51a188cb8fe

SHA256
b03fc08e381794e1a887fe21008a10af6dcb88a6744c9816f5da4c277ee1cd1e

SHA512
0895c9d3f145b39a5db6e64be78048f1ce8352ded031c9797cd6fc964b66a0d0660765ced78c91cb1f08f279cae07c830d5db122728a60fb2a6f6e3a988f179a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IMgi.exe

Filesize
196KB

MD5
1fedf7c690bc20d309d829a4e528a26a

SHA1
6176075b56f351bdcf0298f5537f75f5d8fcbe3f

SHA256
e4d1b4548778872d51d23ba7e7b4dd0b68b478029442312667058490bae6f54c

SHA512
64c1234d444cda3b62e2933a449e057b8d829a2d73480d14fd268a87a487dcc2c8332e12766f4c903ba9f1b31bb7f6dcc5de02c651455e4c127db729362b04e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IQAI.exe

Filesize
194KB

MD5
2cf69faeca5c503437cf8663e41ac648

SHA1
8320257bb9bbf7cf780877e50c25e7908804561f

SHA256
eacdf334ae105ad7dace372fbdf1eae67e844e821fcaa4fe9acec3fdf1a7d233

SHA512
a446843938df0925d076b9cfb86e7974e85e8f2e5dccfae877fc03f66fd9566f38744e2c8836b19c04ffcc906ccc47b5f57d99ebb9c1344de7bdb37e68b8d9c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IYQy.exe

Filesize
181KB

MD5
aa0fb5af3d5ff44e77fd5c713e0ffc8b

SHA1
0d00cee6b35393ebd4cb34d3f7507c1203192431

SHA256
1382c70fe5ada7a1921e74eefddc6bdeb1d56b001f18e2f3304ae1c7ecee1b4f

SHA512
416fb52c71ef54705fc2dd3053816ae82f065a88c18469927df4492ab08f3f279c7ef4099fb0726397c21ac896f9efe2d29ca8a89318f3e7a396578e747171c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IwYc.exe

Filesize
769KB

MD5
0a5cf2fc283f223cad862a9e07376f37

SHA1
0c5eb8b621c4a703bab7676b5b3665ac92d4f635

SHA256
97af60d2aa919885a5714447266b8be4a26a08af77bbc573faaeac6ceb2d1915

SHA512
eacaa1e283a5c0b244fa0cc33566c6cb531697bc2be99032252ea837d8335929d87b58ed4b1b490cf2e649e7207d8cc3debbc684f67e9c2d1506a0bc797f278c

Download Submit
C:\Users\Admin\AppData\Local\Temp\KAog.ico

Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\KQQU.exe

Filesize
5.9MB

MD5
be11be4f13ebda7457fcd13463f3467d

SHA1
88eb38fd2fe425c0ef0a400d5726a8d7d67ed07d

SHA256
bd7362ea07d73bf8c5375559ea4310d232da50de07b893c2f8b41cfe6942ca53

SHA512
b7e16c0695a66c3ca8f34a53af8a3849488e4e23293c60d88a4400444b3dd79cf5816e1d8bf1180d74e2a3387cd55dd2be08924ee528ba85295ddda643aced5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\KUsA.exe

Filesize
313KB

MD5
b15f4034193b99492b0fd78b138f5555

SHA1
69380eae9fa6bc374c69450b9e613be814774c2b

SHA256
faaa3273b896eed7d5bc013b0412d4f11b8fe2a7a5f8b3c3c455598d28f6e8a8

SHA512
fc595b44a3c5d1d1123db82ec40207d527990e1f5bf93a52f692e7cdc888a4aa56166152b7c7b0f3ab3c86a86f818e0540e6ffa2be650f258b00a02cbf26543d

Download Submit
C:\Users\Admin\AppData\Local\Temp\KoEe.exe

Filesize
184KB

MD5
68ac71101064955c84bc7a6cfbf5946f

SHA1
2254da63ff0bb255d7e14f3a3520ffebfffc7871

SHA256
bb4816f379f0e068f13b8b136d44553c38c0444a9191d6db9f1637d1bb8670a3

SHA512
94a21cc6a94b4dd53d133b810da7ff70aa86db5c8eef5f92b27562cd27777d51c31d0cd2da69963a81eb6c4c08d92c98ced1a5c63b9b8c7a02e940a2ebc4a959

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEIw.exe

Filesize
186KB

MD5
3ac640e32aa1cc297d2f767eaf617416

SHA1
57d4d4e5e5369b0c9fd5258dfd1d685974c2615e

SHA256
f191625f78579b16017b41895e33f3fddb6591be6297176c8d799a0cf654ac8f

SHA512
1c07cad89327856ed3313913d2677b82e33012801c0cd312966b79e0ec06441a3fa55d7d1d52cc4c2bf5b3c2d03d9828d380d20167178779434fbdedceaed1dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\MMQa.exe

Filesize
192KB

MD5
4a598dd2bbdadbd032e3992953260049

SHA1
fbe3c7cea86190ecf84aca50a2316b312b75034d

SHA256
4a6823084845276dc5689d60c5e33a37f206a128649f554b6dd536fdb4a50018

SHA512
d0a3714c031b0dab7bf37d97e0cdddec29a5866a244dac7265bb5926b45cc05f1de5b6a13d30ffafd0c3d52fb0a6882fc19bddf869fcf596d247a6c05bc3a575

Download Submit
C:\Users\Admin\AppData\Local\Temp\MkQQ.exe

Filesize
215KB

MD5
3f8a0e9a83ea10de677da4b1754759a1

SHA1
cda36b7ea03fb9c871b5fcf4da92cf8924d723ff

SHA256
88826b6bd515405658335e22bfd5ab5e0c0cd0dcbde4edb3d251613a8a551424

SHA512
98679a94d042c4bac464e804b35da92398ab054d94937a21c695cfb4013495bf15e20e90b18a29452fe76dfd4b6ec12a8c3576b304779231588b83d09bf37aca

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mkow.exe

Filesize
214KB

MD5
363452e66003365cde8d72d81cbff886

SHA1
d2d4adb4e1386359e6958e01e954f1fe5faf8a10

SHA256
30f1febe351cbbf9701a9b9aa9d9abc450d7d00ae4e4642de803f1fc96152868

SHA512
ba9a816a0bf30b071a32d6f50fe2e04a0deb7b61ddcf5e7dad413713903f2c39e0e493822d13439744bcdee11e1869d971a550411ad3e04a4077320fdc66afbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mokk.exe

Filesize
187KB

MD5
22109367f33c1379fdb11f21beaeb159

SHA1
66650ea7a4626bef977e0c9178f29639e6392606

SHA256
82811019e6adc6a91f4b4e291003ba64dfe0e06b771c8811d35b00bb1f75fde6

SHA512
564d74009f4b3833907b8237ca1325c2e2fe621ef90d517a0ec5b0f0c39a0502a56f44da3dd060cacb6c882b7eb3a403cb982e952161f50c776e0c8d233aa786

Download Submit
C:\Users\Admin\AppData\Local\Temp\OAgQ.exe

Filesize
207KB

MD5
289e9417421437be67d3eae25794f9f9

SHA1
e061cbfa7667e8ed763027296a54402b075dbbaf

SHA256
1dc6716caf1b616bf42b775e270f1fc56cddcbfd6a50465e1d400768ea561777

SHA512
8bcbf4c6258f5870a8c46b2596eb83f60e37dedfb1653e8c1b403e8ad1579711a40c89fa932186d60a4da859b2c158bea6d30f98a113060d02875872267efa70

Download Submit
C:\Users\Admin\AppData\Local\Temp\OIEE.exe

Filesize
210KB

MD5
d06265e0e7c696051d7d5f453c95d13a

SHA1
7ba589448c244be407faca494f6ceb854a0554c7

SHA256
0d7fbe6962ea4c1c417586b844ef4fc845d21551f631cf264cacf250611ed677

SHA512
6af4f6d99ec8450cffe3275ee8e265afd764b7f924a28bf7656b187d359a2b02a8f20b39aa850e7a80832b38ce3c995bbdfb75369f74c6189a72ec5e90f56c8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Owwo.exe

Filesize
202KB

MD5
7d1d5eb3f5451831283c83b5cdfbef3b

SHA1
bb8e4c45466c4f84396ec9f22e30f5ef1c098c5b

SHA256
32b6f97f8ed8dd2a875ad473f2d26d53761f3a65d79c292d8c969c43d3534ca9

SHA512
41d60db6b91d5bb9e86c56e947bf88d9ee2cba087fb9e245df131a6ade73eda3cce73b34cf6f79fbee525c63a391ca26706734645bc099e70a4c4e9518f76e8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\QQAi.exe

Filesize
856KB

MD5
e1964f9286c06b13d7b5aefdef862e08

SHA1
2a3afd05d7d57f8cedfb5c67deeff21aacc42ffa

SHA256
11b445f5e8c865ffde90f6f5e1c6ccfa8cfd77023d2e0707add20bf442d9066d

SHA512
44115323906bb737e7f17f94a4efe2a1e872389e41f5bccd46796578b0d723c2520084685a8e9df4104aeb67e583f2f06c14148683e63fdbe16c546006036745

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qksg.exe

Filesize
837KB

MD5
f3a4096f6164f83680bb2337521338a5

SHA1
b65f880fd3ccd6ab6c89e3890ef21f1ec9aa6542

SHA256
a3bcd9f05234ca05523d61d67ea57230290141b02d2097afe92234cf17dca1ee

SHA512
395e5a29cb87a11971c7d1ba345dfc3435e28ef5fcd3a2938acf43f81bb688df1b2bd3f6f86793b62fa336a87704798fab8a664084a3a50121eb8b9f0289a7df

Download Submit
C:\Users\Admin\AppData\Local\Temp\SUQu.exe

Filesize
202KB

MD5
a0faa0a18d57588d8ad47936feafe56d

SHA1
2a543c29eec81520c34793c4c49e5a5c94c2e8da

SHA256
fe4f07c43306dab21b8333ad009f0e2fe87395007db2bb0863aa4c29b4d5b181

SHA512
4ae23a88c5b74d336cafa3ce9ecc047afa7ddcae8bd532f4c7adf7137297ea3fb25171fd8a28bac881abe5d5b429d45b5bc4d6ddeb8e851efed5040413951163

Download Submit
C:\Users\Admin\AppData\Local\Temp\UAEE.exe

Filesize
207KB

MD5
072d4188a93f2853da616cef1ea3796c

SHA1
e5ca61037360aa327d891a5866520a945449da4e

SHA256
fd57ae4270ade40cf9b8f519e8536b80507c0de94c8c72b54a49ed9946a4ab5d

SHA512
03b39b4c27171785d2a3ca6546d242927cdafa3ae9f4157a8a7b7201ddcf6d4c19fb8a3e828f638e2c7b14810729f6d1a3c1146b630e272539fc5d17bb4606b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\UIcU.exe

Filesize
209KB

MD5
cf09b2f464ad4ebdf10e66f6833f5c53

SHA1
145b382006b8c06778896aa5fd29341415f6f564

SHA256
7da0887c6963d0847373cacbf5951481a0f7d5b5038a552c8c15f2bb3d4949d8

SHA512
1fb9d45aaaf0d0fb302b48219a1ad609d0483ad47a314f839bac8077f1809aad80c4c4d82714b005f43c8c4971a206223c75b5a3e0157717a4a6f651caeb5bc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\UMgo.exe

Filesize
201KB

MD5
fef871aad7ca1f1deb1079120f695b6d

SHA1
9c64071cf36e5f995bdff92e4484f9b18fee46d7

SHA256
12dd758dd42354e7a9b76a189616fb484bd6453ba68143fbc481aa9aeb864350

SHA512
5fb90bc705ce27a952b62fc6d920bb7a4226673f60a89484dcc717eea918c0f42d0492c5c9650a8910bf6dbfaa8a87ac4838ef1ec913c3cd142781d119bd7f16

Download Submit
C:\Users\Admin\AppData\Local\Temp\UYAm.exe

Filesize
235KB

MD5
af16432a16d1606f904a1a6c0a462ef6

SHA1
421a4a5abc31d8369bd506a5acc9b9691abf5586

SHA256
4a8b4da0e546d3b2f8ff357d697e8acb8aa5ca1e422db20603d5bcae80033d65

SHA512
2d19db40bddc372a7b5b388ae3ddd5a46281255700ca9d7e947ba319fe01f4fe4597e371e6db50d9f4d03a33f080856b32b95fdbbfec6ec1e474a1fc78611fdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\UksE.exe

Filesize
196KB

MD5
efb30142e2686afe1861afe8ad1f344c

SHA1
7845ff378cfde0d02b0b6d214d6a6537071f37b1

SHA256
2e77b82707d4228de25fa6cdf69e0dc0025ae18f8c44c77eb8916cfbdfa97478

SHA512
7ab71977d5fc3c9adddc66f56d156180821999316dddcebe1810e32b74de10a4aed217d42c6eccdbb57132b4fcb6c162e1cdd22a47fdad7c8bc69ede4a8c9891

Download Submit
C:\Users\Admin\AppData\Local\Temp\WEUC.exe

Filesize
198KB

MD5
4c2f9b2e74ba822aa6b484583382bedd

SHA1
0bae36c560ac5a849ba471cdd6dcfb8d9b1382d4

SHA256
8d5834738cead7d4670636d4c129aedd8cb325c09a8ee59c19c462e05a6cb914

SHA512
a6e8dd1e7abe5f00f7c526d9ab5c8e1589da7e08e03ebd7d52063bc08fd903460ee4652fc11af70ef19af84149d8d95b9a28bfdcb715841083eb1ce462ac531f

Download Submit
C:\Users\Admin\AppData\Local\Temp\WMgw.exe

Filesize
185KB

MD5
7842208dab5ed2bf9526c77bc035a8f3

SHA1
e073e29e89d6ea86021c90a6ae06984b572588c0

SHA256
57a7db611cf81ecdfbccab6586dbac4bed9f3a2979af558c003dca600d7c413f

SHA512
e0d2554b7df77b0549d9bf329c493087f6ddab457a140dd4dfbd7475936bc67c6c7f9699051e90ae77133bddf904043ec16bdbc1ec5c39d178bad18dd45761b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\WooO.exe

Filesize
196KB

MD5
8b75e29c567e390a8e765c5ccb481661

SHA1
a232ee4514909aba84c41ca01de063e4e8ec9dbd

SHA256
0cfcfd0cb3fb76fa26490f189017a98613c99c6a4d6338ed1cb0e01be6310c4a

SHA512
be985e8fa885202aeb948a8f8775c286b2757b2f20b89d015324b352974ba95a7539b1deafb3b89d77d23172c3d6232aac67d558faaeedb23f76beeb5f0bb0f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\YMkM.exe

Filesize
689KB

MD5
f6db1c4445d334bf3fd4b4058db0185a

SHA1
494529dae972ba2530724ddb0ff4d190eddfc157

SHA256
da777bbfa7fc5e81401619bbe0472d4f93d9b4cfc3d4c81c97df3ced857f0bd3

SHA512
7d8ab2f90220d11db1b0dcefc6b55b8594c14aeba6ec27e7e706e572cb89773b53f0cc06f38a57b2e5a9ca68a214ea5ed91e29f2ca2478901817c02a7d9a7db2

Download Submit
C:\Users\Admin\AppData\Local\Temp\aAYa.exe

Filesize
201KB

MD5
5853fb8a9d3bbe104acc9e34e1c97b9d

SHA1
2f870f12fbbca267c1919b1ccfa7280dd9e303b2

SHA256
83bf36383bc4bf417d2dd65eddc96d826f773fb8a00b8b348ce2dfc725fd419a

SHA512
2aa46ada33e5b61ad8fee62748d8fd27fb64ea88997386ed7469fdac5d41e2d96b28f0ed28ecc0d4fc9c197ef40fc12063e46fb54c6706ff2f31c31d6b09e58e

Download Submit
C:\Users\Admin\AppData\Local\Temp\aMsO.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\akMU.exe

Filesize
199KB

MD5
87e00aba83607d8b869c8501c79c0564

SHA1
0188f208017610711e41b30108d1f96b80d34094

SHA256
d86a2e4ca8ff0a7f130ef873ccd8e8f446deca641404d3d41b5bd7ae4b728251

SHA512
cc63368cfe7a849f2e9ce6dea35c2dd7013e6b6d6f8760d7ca065b49b5ab4a3d971a3ed6813f5a1e4e6938c4f0c2175a3979feadd83c023e36efeea0a5e2cec5

Download Submit
C:\Users\Admin\AppData\Local\Temp\akoE.exe

Filesize
1.8MB

MD5
c59bf5d9e31535ccab9a677a84821a48

SHA1
58cc83cb14d7df9430504655093c797d5219830b

SHA256
e76dc1fc9942e2315e2fddbe46e9952a8cb9bfa1862babdb7a261520f1633a7f

SHA512
e0e00546a4cee9d9f7a4ebb813557332fbf09ff4b2ed8e4187e046c2f181b11a2162b30e691824de81c531430791a694f763a6d82ea69d4590cadfc3ec45105c

Download Submit
C:\Users\Admin\AppData\Local\Temp\aoAW.exe

Filesize
207KB

MD5
86dad5384ceab764528762546254c8a4

SHA1
2431ad285262de032afde29719dfee5bae80bef0

SHA256
9f28ea11fb410c6585d3a37ee7537433ef28cd240bafaa2b9263349acdddc303

SHA512
761c61a9d09df9523e762b99d3f4f9e1ae8c37b1a789c3099a4f784fca60242ef9824eb2263bfb57aa548a3aab9b642383dc261a211f0db68be319a353277bd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\aosa.exe

Filesize
206KB

MD5
d59c82c64b6d429fe8e1d73752bf82ae

SHA1
847017fa6a2fc21e04c2ef264b25511d4ca1845f

SHA256
952ca5019d635651cc7b252482ab8f0ba98ec6e101d13045f33bddec2e4502f9

SHA512
cf5fcd8cc2479807de7762095c1bbdacebec0542ef02e6c6daa2f253ea4ccfffc69da279be80fc26896f020d47f2adde0b68b08c48675f2ef2ec9d7b7e832e21

Download Submit
C:\Users\Admin\AppData\Local\Temp\awwy.exe

Filesize
187KB

MD5
29f723226ae50df7f0cae43ce80a160a

SHA1
23dffb867c0b0a0674485f041f61cfa56946e6d3

SHA256
406e2bd20cb0462cd1b72fc1fe0b0d6ac5274f6570db70a52e8230d9720f656b

SHA512
c3879e802797055b6fd8d11305b7052686b80295910272d893ed061629f63a70c58fb6c11f2761f370aeed74d9ab5aa3081ce68adf9e76e97209da69335cb821

Download Submit
C:\Users\Admin\AppData\Local\Temp\cAAA.exe

Filesize
424KB

MD5
eb779635433246652c781bb071f08317

SHA1
5975c4d58096e2b8ee78b72027b983bd4f3e6024

SHA256
d964b9af016789f67d257d268100f0ca7f7dead37560f16ec610b7fb9085b25a

SHA512
137495b642eec74a97f649a789160f81cc8102f7be92b7d53d317bd765557c4f28cc1aec40c87a0c1d6ececad1141a2a19ca77e5a5850185e4f14d78fb7b512f

Download Submit
C:\Users\Admin\AppData\Local\Temp\cMom.exe

Filesize
208KB

MD5
c9467f15fdc1568c435f2d76c177dfaf

SHA1
96ab327d78e3ea7fe3e1ccce5d6be9f9c55d9482

SHA256
faa8e27c8f926396d8e525c79e6191c6d47e914423caa2e597a1b323260b2edf

SHA512
4a7099e794f16009ec2cf9a3c53b49c923a8f11b5250ae80c76a624781d441697ad59b8953b6eee84c2dfea44551df7bea779e6ff924528bb3608397f40a498b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cUYC.exe

Filesize
249KB

MD5
c4ea9931c9c2072625ea558ed2be1571

SHA1
64f60d2df072da301017f2eae391d80b50eeb029

SHA256
6832469adcc51b9e65907d7ad5b51af4007a1d63cc1c0df352bc119e0e41f403

SHA512
46c496e1cb44e002b1b25059e7d690dbe00cb3c1c93bded355a0db8df2c62dba837c56acdbf13631f9cb59f3eafaba07d00b1f19e67bbbe607c800c091006754

Download Submit
C:\Users\Admin\AppData\Local\Temp\cUcg.exe

Filesize
1.3MB

MD5
cf99336df5c057e3e342d8c1341f118d

SHA1
b56607bf6d4a6e96b1023c40e3dbe89e6e4d928c

SHA256
843b72d12a71f9c549b850737418ca543fb19b11fdbd8bddeccb44e610780932

SHA512
34654fb88cc7a2c0816a61f6136618e060a62c0e7e3bca6f33b0f3f3f61fdd1a22739b398591844b395191d25438688e83fd8059476ba7566949eec1bbba146f

Download Submit
C:\Users\Admin\AppData\Local\Temp\cYIa.exe

Filesize
186KB

MD5
196497053f559dc17efb745eaaae9bd8

SHA1
06b7ae35de4f626db8460ba45cdd18f20529bbf7

SHA256
49d5b6ad830b8852644de3a6728550289bf4f75f8ee47984d658b8d6faa4d0f1

SHA512
6ee51f8cc4223695785cd204802473c26fba0d826e099f65098e982b6d99b282af696820df14c59c39938398b28998b08c735e3f5128ccc2caaf47ec22bd9733

Download Submit
C:\Users\Admin\AppData\Local\Temp\ckAu.exe

Filesize
652KB

MD5
97771b5e314269c69e1ac7e5fd3a9f77

SHA1
0971685a3af6258181e03ed7811a24f6ef8a0d97

SHA256
7474d681cfb024d1e2997ebfa51149449f22f53753dddddb3afac34cedbe7710

SHA512
6b89e5ad41a7d8ecaabe98d5dd3e11dff35013f3e0bf096b87f8f2b0fae8045cfb65680d81e3af230e54e7d34bddbf4e4c729cb951c6f8873356916c310ee1cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\eAUs.exe

Filesize
543KB

MD5
9923d8b25c864aa47140e46e8ca94920

SHA1
4dcde4c821bbf5420e57e2505c73320e5a5a502a

SHA256
82a3e9765976d57d473c11f0c0b3876833356a94a49b824e1e9d8c4b5ad9f4e7

SHA512
154c8dbb80f2a9ac7d7f581fba80b73e7026f494ee28765980fbab92afab87d6412d661f40f1506447ad357e85d116f93e6853756c64da7a29ae20d9b13e08ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\eUkq.exe

Filesize
628KB

MD5
5593a2c4f18298dc237ea9ed733977e1

SHA1
9c2c4ea1508b095828ce57777672a4c80f881ad4

SHA256
cc8b79b647b9d2ebda4ec18aad95fcbebd69c82fa1b4a863575be7757c237dd4

SHA512
339cea731512a69a12c30f35e0dd6f4ca2b884a4a4def63534e5635edb5e3ac58d33033c45b356df54f2f76d63c7ca0250e9581a40d708c12c3ac17eee6ff8ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\ewkk.exe

Filesize
794KB

MD5
5c578f6e23d9fe75c23f9f90a5376914

SHA1
359fe6248df1378d0ac42e5a862adf8137bb6178

SHA256
a4e1411dbbbdf7788ad0654a46ab2ba8f8d6ecc08445407dedb6c94cfd549341

SHA512
fa6496810b295f9a1f38e0b95a3f11e47f8aa66abdaa9f87ffceb985a6d58c3b52b126b1d07909d203d74b72b04e581bb295c275f120e61e528d3b5b5625bda6

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gMkw.exe

Filesize
331KB

MD5
14ae64a6ea5a86567dff5c77e4eaf74a

SHA1
a2b16ec9892504428ef79bffd3c37b6f6c2eed74

SHA256
e7c8ed0f18b2ba1ec7de65910b88c1480d0690fcf5654f7b26d3fb27d2debd87

SHA512
e691d6c54b0168e95b194c1f52d8714aa6f66357c3b047a4b41b405b986ff7beac3ce1771da0eeec5fc2cd50620e1046a89898853267edf2b7336f609ac46687

Download Submit
C:\Users\Admin\AppData\Local\Temp\gkQy.exe

Filesize
182KB

MD5
64b753e38eb977edef1b21fdedaa2689

SHA1
89f43eb391c501c8cefb42013f48b969ce505cef

SHA256
112dadf5663ac1b016d902976a85100f7f79d6189317239dc21fea9fd7310de4

SHA512
6b712240484c287e192c6e1d3e9439968fd800e54278d4b526cc1a337c7e17a353d24ace0971f0539b1602fe94079e4fdcc9fadda5b275e5c7fe5cb8fedd43f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gswq.exe

Filesize
633KB

MD5
5df04f3a8edf6c0d29cc07b1084756b3

SHA1
365c0332f3920c84cef408c90fff2f6e7096af98

SHA256
dfdb963001b1309e4b377245b3591c9555ac0c56c78deb9eb757168042f31929

SHA512
3dae489afbe5677c27474dfdc2c7d342f499a7a4f370197e97fe7225d322b8b09159e59940a8e25a4e9f4c7ee65dda365f9940850ce5bded7fa8bf9934781553

Download Submit
C:\Users\Admin\AppData\Local\Temp\gwUw.exe

Filesize
200KB

MD5
40a740c8271bc13e055945c9a6822127

SHA1
b77ba7d386d6d3f932c5d4f7c7504e13c805a94b

SHA256
2a5794d7e20eb39fad6b7dbe23a9af4d88c8263f579e0f22b2d8ea2fae498b72

SHA512
d88418f05ae18f878d7442cb45241b41cb2bb6998dda065b45d43290672297bb9fcc8a821226712437b818550e5faeaa161463a946d8942d2da7f48f3b8a4b89

Download Submit
C:\Users\Admin\AppData\Local\Temp\icYc.exe

Filesize
224KB

MD5
f99b4113dca50f11d307b8e88f5d535d

SHA1
e0de630981755ebb24c8ddb8101edf42f39f965d

SHA256
41cf0489c1d663e481940e2bdb453542664ec48912dd5af1dae9b1a7e5db2e98

SHA512
ca3763adae782d5231f789b6fcbc91c8184003205bfc3f5c0791ab84bb4adc57f86adbeb4d86d2ca7540f067443207e8d3472277c79083a008369726f670565e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ioIY.exe

Filesize
5.9MB

MD5
f091e95e88e145dee82c37e288499cb2

SHA1
36f12731d388b3468d9086f42f430c200bab2e4d

SHA256
aaccf47c0169a6ea906a91443975efc77df73c92efefae88193e0b995b9d2011

SHA512
c1202a4fa49d5ddd56f8edd9364fb22ebf34e78278d73d435c78ac086d8cf9ce705a29dfabe5beeb3f63f8f9de4e57ffdb12c15f46169ea95e95ee11153ce62e

Download Submit
C:\Users\Admin\AppData\Local\Temp\isYA.exe

Filesize
186KB

MD5
71c64742a409d3eb8c4582d6f26645ef

SHA1
5432ac948406e44b2e4cf868f9713415dfe8d0db

SHA256
4058f8a5294993e098d4d7440961a75287e9096d5dcff7357a5f391c37d46624

SHA512
bd387b87afc8b7262bd2bf134a7b6241f4b48e35aa8f6f451c23b543fb3d263d53395c36c85e75e071247ca8ff50a5dad7caaa2c1cc95e5f322689e19529e1f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\iwAO.exe

Filesize
824KB

MD5
e6f0801a8d07ffb39b77a700b9da02d8

SHA1
0cf95246a4454ae42c92a3f9560e6950a2849aa8

SHA256
ee4bbe812080979a8ec8461fe57ef6c6627d37c82021d212df3f6a1b21e1002b

SHA512
7a7bd03f5603411303ed30c37ba8bacccee536a81d91aaef9916c05226263fec7be417189ca4b30407941e4fe8cf2aa1ff51c703be9ae5827f4f76191103ceb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\kOAcQQoA.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\kYoQ.exe

Filesize
194KB

MD5
90eb27b8583725ebd782366ef48b0115

SHA1
e7cb299311e18b8dc76e5192df863168cef83112

SHA256
29dc430a3b8bed6cfc247b099332ea5f231a734c034e53ab7d1789fbdadf4e20

SHA512
0b55c1a814be680c0c8a2e029ae21ef1ec7155c2d241ccf2d433270145b13c03159bfb95fee623dfae0182b275f52896f932d7cba3a4d411da6fc49c098a45e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\kokO.exe

Filesize
186KB

MD5
37103fcf741458dd4b163f88c1b40a2b

SHA1
e1563f8dae5c8d7876179334f578e68ceebbd9c5

SHA256
0ce4335cd15c8a4478fcc37a19162f13f4efd1ec481e2ff67c37f463b3bf6c2b

SHA512
a1dacb96afae57e44a4f1494cbe499ee968f5169a339fbb38a6c9524aa29cc079801545afc402ca595290d560b98cdca34d19747b3b81d6815fba3ea6fbb5d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\oUsK.exe

Filesize
182KB

MD5
d542327ce26357dd4eedea1f868114c7

SHA1
e69543bbee1637b479419cc5f443d8f8d7fcc480

SHA256
c0bc8222845ef22316ef00f36f847008146e7c8b4372ef895c7bce82e56e6924

SHA512
ba362b852dd7975674220c18d73f5c97dc7042294b321d35b8ab0eff4df0cd66e95be72ef8d91b2e775b1149f41ebab8b39426f728bf9ba5461bad7315623083

Download Submit
C:\Users\Admin\AppData\Local\Temp\qAAa.exe

Filesize
207KB

MD5
3208d1b36e8829cdea15641d93c7eb4d

SHA1
e8e3174484902b436a2a6cd620e3eb0e5239691b

SHA256
289ba5c7bbcf2a7f1615dfd98821c34ae36f2aa59949018b1747b2a2b6acad54

SHA512
1ed08bee8258cd948f3c1a372f7f1e701984b0f49a5f7e31e0d995b41191e63644c813ea70ba6946b8ac48c55215a083bb63cd144bd4b2fe6a6713036fe2e2bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\qEku.exe

Filesize
206KB

MD5
bdfe0af50ea5b42f32d98b500cc19d4e

SHA1
5349eb0564289f9c8f8686b529a883042f382037

SHA256
eceb3acbf5c4fa83cc4981a4780ffdb9a3c61df79b64a6ccea2e6fedfdea9255

SHA512
7150fb2a26bbaec4ea39b5bd306c3744d41abb7c550d1e9f3918e2d7548f4e70d22b4e5800ac654f61fc2be8973923938d1bae6db7fb27ce180338054814802a

Download Submit
C:\Users\Admin\AppData\Local\Temp\qQcC.exe

Filesize
656KB

MD5
9b94e9c4a812660ef6d02414d54e8e39

SHA1
74a86ff573e6ae5fbe667ed921c29027489e405b

SHA256
4a1a2b2a07dec606e8ce947090034bb766788f2d2b5a8f98ef0bdbada039c3d0

SHA512
93d8162221323a72c7927244dacba563778bade5f26cb1a251e2d5e56174525da6e3d5898bf03508454f5b40e2eb3932a94c2a779b69e38dc8578e44a8c5dd51

Download Submit
C:\Users\Admin\AppData\Local\Temp\qYss.exe

Filesize
781KB

MD5
ab96107f020e3ecb308da9e4fb55da3a

SHA1
3f99b075b393ec6c6b0c49e8561624e31e56b04b

SHA256
4b66491fda9c13d317aaa06cdcf3f08be82d6b26d49f9e93dd8304ca9ebd30b5

SHA512
0f62dbf4a8716959e9d2a6f6366daf7234e35b4f1d6ad63476c6cd726f5991d697fc05b3a4e1fae6bf1d76ab400137ced04eb0a72ee4a8185d2174ba3dab8ca5

Download Submit
C:\Users\Admin\AppData\Local\Temp\qgUY.exe

Filesize
193KB

MD5
bffe040cccb957d5c64191eb9ef0e4ab

SHA1
92cff2f60818e77efa2c393d6ddf2e750fed71b5

SHA256
b1c097e849168ed35226abcdccf56f97e8555d0cf26ab9d944451bc6f4826e93

SHA512
b188c799f1edc8a9eaec57a9c05c82a009b496bf0b86457b3caa049d7184ef3de997e8b059c7c1830db03f1572ed20a20e9a40b679a9d1c3391c2fdb87e70e52

Download Submit
C:\Users\Admin\AppData\Local\Temp\sEAm.exe

Filesize
805KB

MD5
686f9636e046283e51ca23c1807a274e

SHA1
a0cce47b3a7ba478c041b4c378d0f9ddcb71e650

SHA256
d9e5102118c21413bddb6332cc7ec0a4e9efc13bddad30f4436d10fa47439b4b

SHA512
4bc927c1d0f5a78731c448452f32ba0abedf92af2ea46d44753ca469ce9bd5ba9d186971860ba67486ae024e719ccbce34da8ef6a13d9f29a2c6c53ea4dec414

Download Submit
C:\Users\Admin\AppData\Local\Temp\sMYo.exe

Filesize
5.9MB

MD5
cd6a6f51f1529aa364c1053061bf532d

SHA1
36bd17763010d151772a995e791340b5bed75d41

SHA256
fa26bcbc98cc78df8a7807bf4b3c14aa46108f8e093061a6d104cbaaf9dc8ae3

SHA512
0689a2ed9dd020e3b53b44f30cb663f9bbcf506bfd87b7da254ea51774be38095e5f5234d60c5e187cfe0b1af247c1c9e17fe2ed2ba5a50ddc5f731ef8fd7b4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\scMu.exe

Filesize
182KB

MD5
9c16d72e288c910ff54ff2f70d498472

SHA1
ab46feeb87adf7993a16bd3cdfc43ba80d64888b

SHA256
6f7697d6befc6a6093f7b4d52d6013f14521bf5ebbba356605be00226b1481c7

SHA512
892cff36726da0e46dee5b29f88718d91e5e5a907ae08036544c7ef05c536834d504ed87133fffac72c698f3bece85d591811ed819686bb6b4433eafb921b490

Download Submit
C:\Users\Admin\AppData\Local\Temp\swwc.exe

Filesize
197KB

MD5
b937ac89d3488a5f4e5efcbafd52efe6

SHA1
a73e285dee72460e0f526583e779560b19ec531a

SHA256
718c42e001af9349f5eef595804ddb5f54be2d1b48b489aa55eef597acf9ba6a

SHA512
07785c0330b4424be33c6737e19c1b59ad1a121f6613eec2318bb002e43d2cbbc98aa97f6cf47704cf915d40383a60a04da435ecd4b977004e04100b0b44655e

Download Submit
C:\Users\Admin\AppData\Local\Temp\uAki.exe

Filesize
194KB

MD5
e733f22f37cd663ca427b5f9c48d40b7

SHA1
3a18a25e9fb20b2f596b4a13be4ccd3d6422c714

SHA256
d40047f2d1f51c18fdb3d2c1cede0f21457d6983f98548350be3487c74d6c797

SHA512
dad78ef020f6871524e74769e28fcefc92d52ff8e0a4ebbcf5f0ae43245308a7b325df29e64f8e1d42fb496fe230185342a8f8ffda5009d1ddc80bccd0b52f32

Download Submit
C:\Users\Admin\AppData\Local\Temp\uQwu.ico

Filesize
4KB

MD5
d07076334c046eb9c4fdf5ec067b2f99

SHA1
5d411403fed6aec47f892c4eaa1bafcde56c4ea9

SHA256
a3bab202df49acbe84fbe663b6403ed3a44f5fc963fd99081e3f769db6cecc86

SHA512
2315de6a3b973fdf0c4b4e88217cc5df6efac0c672525ea96d64abf1e6ea22d7f27a89828863c1546eec999e04c80c4177b440ad0505b218092c40cee0e2f2bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\uYog.exe

Filesize
229KB

MD5
38aa98d008158dc43d8cafc995bc4235

SHA1
cc97d7e3582b49eec05bab7acf1830002d64d0a9

SHA256
51bae8328e985d525a2053cd6bbfee5baaf3535f46e119c49a44562881eb9e89

SHA512
27bfab6a58294266d0604b06401362d3f535c941ec96619c2ea5e3eb145e078eaef110d614b68d775e304e658871ba981178d070bf2ff79de9442e16aa5d1b91

Download Submit
C:\Users\Admin\AppData\Local\Temp\uYso.exe

Filesize
194KB

MD5
354e6d6b5dd9b88f4b2f51fbd21c67cd

SHA1
372a77013650ef31267fa441b0bba21d16088b54

SHA256
1fe5a7b3170edb585f2d4df22c78b86de4d24e9ec6115e2ab12bdb46a7bd6293

SHA512
3c87e31ecfbc5422a6d5d0cf3c3468d9168344684355b005eb763b804ed51ef708232f417843599e81012e292edf0dd6d8c216640635eec325ce1010121a343a

Download Submit
C:\Users\Admin\AppData\Local\Temp\uoUi.exe

Filesize
188KB

MD5
ea05c4e720bbd8a04f5e563eb87fd689

SHA1
a67d6c889e7f48d8f56b9edd10936f1b25508d2b

SHA256
6654ad1c5cc66d2507a2065692b3d14169e20dcfd4a83136e65d726a709bb194

SHA512
914f8904361475424bd83220437b3150e321ea07a0d3691ee0bda658c3175fd302976bb78148f317da203bb0fa513dd34f0db2b67df5cbc53e7c971c8a4a288c

Download Submit
C:\Users\Admin\AppData\Local\Temp\wYAy.exe

Filesize
203KB

MD5
d10b0af8ac3ba887cc82c6c44d42f0ac

SHA1
e8d36f1a67a9fed887fa2d26fd3c2bea1d481455

SHA256
8d4e86de85e402be16d23a7e216b4b2478d23224c291990dc8c15011737d103c

SHA512
46bbc4244245b9d83172bb3e86ed82441fcd34e9ec7abf9a8fd4100cd80a984dad24bdbc99390edc5c51172df427f4b429d514bee7fb306d342ee12aa357f94e

Download Submit
C:\Users\Admin\AppData\Local\Temp\wYQa.exe

Filesize
189KB

MD5
bf59aa488e136b4e8c1ae07b1a135770

SHA1
ccc9b260562dc96793995f59ba8c26e7226fc94b

SHA256
7f10dcd18c976d7f58fb9d2dcecbee2f9720597cbcb7bc0ad85413e921972aab

SHA512
7a3c8ac3dc56b44e96c07f0d3350e52cd0c89b0b420a65bbedb6ad5ed01493c7c8ac6da50ff94be3c2a744e2bf6e6d3f77af7ac629e3401d6f0ec1778ce9f7ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\wcsG.exe

Filesize
330KB

MD5
9745aeac305b019996381ac6656ebf13

SHA1
3a22c7a0da15614a8c9e3892f99412820aa8a368

SHA256
23a3272b0742c61ba9c1c18ffbca06f5c3dbfc2cf1b69cad9f6c02487d9106d7

SHA512
81c155d6b797096f9b489dc2986df343a7b4695ef7b3528149b81d0f183fb7a9759fcb218bbbf65df7536d66e36a85be52a631c623249ac52251fdaa55e28c10

Download Submit
C:\Users\Admin\AppData\Local\Temp\woUA.exe

Filesize
198KB

MD5
705acab62699adc6af83dbd7b81c979d

SHA1
7036c132e176234fdc6dae0409abcdeaf7c91cfa

SHA256
23ae82d05875744a6cc9ffd40a0adb3ee94775cb9e5e18938c21cfe70700a722

SHA512
14bcba98b0fb7e0f5d8c5d060fe04f3e26598ab4bf4d51b95d88b1cbff94210dc582c7ffdd49194bb80cc5f8b4d0efe098babb9ce9ce0e13c77aa1f9cb095543

Download Submit
C:\Users\Admin\AppData\Local\Temp\wwQG.exe

Filesize
205KB

MD5
a9755a70f95599a6ed247e6bb3669817

SHA1
04f86ddd19e171a6aafb68f8aeea342a037551ca

SHA256
b3581ad07691f5c37d2f6e77a0f3299896b09e4e8bc622658e1da93b1ac6d34e

SHA512
2684511db71983eda399d04dc7f3e3fe3b4e3b680f3d58adc5e11a39aa53683ca11f3e15c726bc514b06666bf1e49b8c3486445c97c2da0613c57b57cc4ceb31

Download Submit
C:\Users\Admin\AppData\Local\Temp\yIgY.exe

Filesize
208KB

MD5
375c52c395d86ba185cf1dc4743b56c8

SHA1
e24e5805378ca8347af05398edaf6a2690540532

SHA256
eadbfd0b4d47cb26b5442bbfda7fe385567b5fea9662f689284858a4bb3ac2cf

SHA512
e25035a751b8871d3af12295b6602eed2eb5510ff67a79988c51dbe8794355033fc066646908f599b771587491115141377559b4eb00fb260418400496110387

Download Submit
C:\Users\Admin\AppData\Local\Temp\yUIg.exe

Filesize
191KB

MD5
51dc0bada5345d15af9605b9ab148688

SHA1
2be6ec659666f3992446a9f03de1fc668fc9f5e3

SHA256
2107dde65de4421efd1f695ccf3ad563fdd84f246f06ea013fe0853a6929f52d

SHA512
5fcaaf463dd88c9e61c727521ae3a4d83a85823bb9b2287b6ec8fce46a18fde2efdfd2310c646ba2184bc9798e0dbe6356b95dbce73b22bebd545ef48b4bf55c

Download Submit
C:\Users\Admin\AppData\Local\Temp\yskQ.exe

Filesize
189KB

MD5
452d6fb3107c7f66997b30263429b4fb

SHA1
18445427ca4b335523e48075d22eabea8cf36b08

SHA256
a13393f5d6c22368d0e8e1fc8c6f5c9d0eb0be196f53267126c9419da259baee

SHA512
ce806cdab7bdd406d88d94f37bd0a4d8c917bcd986e344cb6261662e6605152a67b3e9a217eb515f3b9b4207f585f61d0f535b8cf3885bd046930b3ef4b5f876

Download Submit
C:\Users\Admin\fWscIIMI\dCQsgskw.exe

Filesize
185KB

MD5
1ec7bd91f1e3a374107bf1f5bbfcc479

SHA1
74e2686da962da43ed4869f37a7140cca2fd066c

SHA256
aed1a2f11d2d871f7057bbdfa6daeff291c91aff2d5293d8cb1f3a76f05b350c

SHA512
6e523e2b3dc4265af8f430ca6bac8fcc7811d156f642561a21b5a6c35b77b2ed5a80a6ae81bfaea13cf33aa62ff3cec61f64b789e02731299e87174b03c9d4fa

Download Submit
memory/624-184-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/624-166-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/868-334-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/868-256-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/868-321-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/968-330-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/968-343-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1104-278-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1104-267-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1104-482-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1104-469-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1224-444-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1224-431-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1228-93-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1228-108-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1444-493-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1444-479-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1608-15-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1792-120-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1792-104-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1828-389-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1828-375-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1856-19-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1856-0-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1972-233-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1972-406-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1972-394-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1972-218-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2132-379-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2180-204-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2180-222-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2300-423-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2300-435-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2556-529-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2556-521-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2720-70-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2720-84-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2900-312-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2900-325-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3000-510-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3000-502-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3012-208-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3012-192-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3136-57-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3136-45-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3168-34-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3168-20-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3172-270-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3172-255-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3224-12-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3312-545-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3472-244-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3564-353-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3564-339-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3624-553-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3628-295-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3628-283-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3668-473-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3668-460-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3672-171-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3672-157-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3880-134-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3880-116-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3924-556-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3980-519-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4020-287-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4040-96-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4040-81-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4056-69-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4056-58-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4128-145-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4128-370-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4128-358-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4128-130-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4316-537-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4332-46-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4332-31-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4468-398-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4580-415-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4628-490-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4628-501-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4636-296-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4636-307-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4740-146-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4740-158-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4740-451-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4740-464-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4792-362-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4824-306-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4824-316-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4900-183-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4900-196-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4920-413-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4920-426-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5016-440-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5016-455-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download