338148932ece144ab27de71918a610fbf2c249b0f7b673277e9ef0cd67b27b18

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 19:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
Size

204KB
MD5

70b44f5eef4df1621e863e49c01402c5
SHA1

dd3b50bf475c08766a72f668228d940f6ccdbb9f
SHA256

338148932ece144ab27de71918a610fbf2c249b0f7b673277e9ef0cd67b27b18
SHA512

d19b3ae5899aa07fa7179ec9df62368a3c62f28ed52f02b266c4e47f2aeea4e77bfcdc2a4218faaaa2511ea330f7faa64f7cf6fdb33e1059319ba6424e74e002
SSDEEP

3072:IWsoKycRpXJ1TH/feRWJhcnYajlENhhyiP8Gbv7WwZ7:hBKL51TH/fPhKYajlENDy0vKwZ7

Score

10^/10

evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (83) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

GYkoQQoI.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	GYkoQQoI.exe

Executes dropped EXE 2 IoCs

Processes:

TqwogsoU.exeGYkoQQoI.exe

pid process

3680 TqwogsoU.exe
2796 GYkoQQoI.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
3680	TqwogsoU.exe
2796	GYkoQQoI.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

GYkoQQoI.exeTqwogsoU.exe2024052270b44f5eef4df1621e863e49c01402c5virlock.exe2024052270b44f5eef4df1621e863e49c01402c5virlock.exe2024052270b44f5eef4df1621e863e49c01402c5virlock.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\GYkoQQoI.exe = "C:\\ProgramData\\FQMYMYwM\\GYkoQQoI.exe"	GYkoQQoI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TqwogsoU.exe = "C:\\Users\\Admin\\LyIkIIUE\\TqwogsoU.exe"	TqwogsoU.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OYskwcos.exe = "C:\\Users\\Admin\\VQcQYcIc\\OYskwcos.exe"	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PyQgcwkc.exe = "C:\\ProgramData\\uUYsUYsY\\PyQgcwkc.exe"	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OYskwcos.exe = "C:\\Users\\Admin\\VQcQYcIc\\OYskwcos.exe"	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PyQgcwkc.exe = "C:\\ProgramData\\uUYsUYsY\\PyQgcwkc.exe"	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TqwogsoU.exe = "C:\\Users\\Admin\\LyIkIIUE\\TqwogsoU.exe"	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\GYkoQQoI.exe = "C:\\ProgramData\\FQMYMYwM\\GYkoQQoI.exe"	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe

Drops file in System32 directory 2 IoCs

Processes:

GYkoQQoI.exe

description	ioc	process
File created	C:\Windows\SysWOW64\shell32.dll.exe	GYkoQQoI.exe
File opened for modification	C:\Windows\SysWOW64\shell32.dll.exe	GYkoQQoI.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1172	4260	WerFault.exe	OYskwcos.exe
1684	3412	WerFault.exe	PyQgcwkc.exe
4388	2112	WerFault.exe	OYskwcos.exe
2920	2436	WerFault.exe	PyQgcwkc.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

Processes:

pid	process
3220	reg.exe
3188	reg.exe
2732	reg.exe
3500	reg.exe
3116
1964	reg.exe
1436	reg.exe
2180	reg.exe
4976	reg.exe
3264
716
4160
4368	reg.exe
2180
2436
1924	reg.exe
1992	reg.exe
4000	reg.exe
3952
2912	reg.exe
5048	reg.exe
3484
3684	reg.exe
4864	reg.exe
1196	reg.exe
3392	reg.exe
4316	reg.exe
8	reg.exe
1924	reg.exe
368	reg.exe
4708	reg.exe
716	reg.exe
1724
716	reg.exe
3588	reg.exe
5100
4376	reg.exe
3536	reg.exe
3356	reg.exe
1760	reg.exe
4816
1000	reg.exe
3836	reg.exe
4656
3672	reg.exe
1148	reg.exe
4552	reg.exe
3484	reg.exe
216	reg.exe
3204	reg.exe
4796	reg.exe
2468	reg.exe
5100	reg.exe
3952	reg.exe
2140	reg.exe
384
1012	reg.exe
968	reg.exe
4580	reg.exe
4160	reg.exe
2132
5000	reg.exe
1860	reg.exe
3940	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

2024052270b44f5eef4df1621e863e49c01402c5virlock.exe2024052270b44f5eef4df1621e863e49c01402c5virlock.exe2024052270b44f5eef4df1621e863e49c01402c5virlock.exe2024052270b44f5eef4df1621e863e49c01402c5virlock.exe2024052270b44f5eef4df1621e863e49c01402c5virlock.exe2024052270b44f5eef4df1621e863e49c01402c5virlock.exe2024052270b44f5eef4df1621e863e49c01402c5virlock.exe2024052270b44f5eef4df1621e863e49c01402c5virlock.exe2024052270b44f5eef4df1621e863e49c01402c5virlock.exe2024052270b44f5eef4df1621e863e49c01402c5virlock.exe2024052270b44f5eef4df1621e863e49c01402c5virlock.exe2024052270b44f5eef4df1621e863e49c01402c5virlock.exe2024052270b44f5eef4df1621e863e49c01402c5virlock.exe2024052270b44f5eef4df1621e863e49c01402c5virlock.exe2024052270b44f5eef4df1621e863e49c01402c5virlock.exe2024052270b44f5eef4df1621e863e49c01402c5virlock.exe

pid	process
1760	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
1760	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
1760	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
1760	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
2912	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
2912	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
2912	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
2912	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
724	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
724	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
724	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
724	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
2572	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
2572	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
2572	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
2572	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
2732	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
2732	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
2732	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
2732	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
1452	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
1452	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
1452	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
1452	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
3452	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
3452	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
3452	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
3452	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
724	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
724	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
724	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
724	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
3324	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
3324	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
3324	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
3324	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
752	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
752	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
752	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
752	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
4544	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
4544	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
4544	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
4544	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
2988	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
2988	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
2988	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
2988	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
1176	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
1176	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
1176	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
1176	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
3764	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
3764	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
3764	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
3764	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
1672	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
1672	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
1672	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
1672	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
924	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
924	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
924	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
924	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

GYkoQQoI.exe

pid process

2796 GYkoQQoI.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

GYkoQQoI.exe

pid	process
2796	GYkoQQoI.exe
2796	GYkoQQoI.exe
2796	GYkoQQoI.exe
2796	GYkoQQoI.exe
2796	GYkoQQoI.exe
2796	GYkoQQoI.exe
2796	GYkoQQoI.exe
2796	GYkoQQoI.exe
2796	GYkoQQoI.exe
2796	GYkoQQoI.exe
2796	GYkoQQoI.exe
2796	GYkoQQoI.exe
2796	GYkoQQoI.exe
2796	GYkoQQoI.exe
2796	GYkoQQoI.exe
2796	GYkoQQoI.exe
2796	GYkoQQoI.exe
2796	GYkoQQoI.exe
2796	GYkoQQoI.exe
2796	GYkoQQoI.exe
2796	GYkoQQoI.exe
2796	GYkoQQoI.exe
2796	GYkoQQoI.exe
2796	GYkoQQoI.exe
2796	GYkoQQoI.exe
2796	GYkoQQoI.exe
2796	GYkoQQoI.exe
2796	GYkoQQoI.exe
2796	GYkoQQoI.exe
2796	GYkoQQoI.exe
2796	GYkoQQoI.exe
2796	GYkoQQoI.exe
2796	GYkoQQoI.exe
2796	GYkoQQoI.exe
2796	GYkoQQoI.exe
2796	GYkoQQoI.exe
2796	GYkoQQoI.exe
2796	GYkoQQoI.exe
2796	GYkoQQoI.exe
2796	GYkoQQoI.exe
2796	GYkoQQoI.exe
2796	GYkoQQoI.exe
2796	GYkoQQoI.exe
2796	GYkoQQoI.exe
2796	GYkoQQoI.exe
2796	GYkoQQoI.exe
2796	GYkoQQoI.exe
2796	GYkoQQoI.exe
2796	GYkoQQoI.exe
2796	GYkoQQoI.exe
2796	GYkoQQoI.exe
2796	GYkoQQoI.exe
2796	GYkoQQoI.exe
2796	GYkoQQoI.exe
2796	GYkoQQoI.exe
2796	GYkoQQoI.exe
2796	GYkoQQoI.exe
2796	GYkoQQoI.exe
2796	GYkoQQoI.exe
2796	GYkoQQoI.exe
2796	GYkoQQoI.exe
2796	GYkoQQoI.exe
2796	GYkoQQoI.exe
2796	GYkoQQoI.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024052270b44f5eef4df1621e863e49c01402c5virlock.execmd.execmd.exe2024052270b44f5eef4df1621e863e49c01402c5virlock.execmd.execmd.exe2024052270b44f5eef4df1621e863e49c01402c5virlock.execmd.exe

description	pid	process	target process
PID 1760 wrote to memory of 3680	1760	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe	TqwogsoU.exe
PID 1760 wrote to memory of 3680	1760	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe	TqwogsoU.exe
PID 1760 wrote to memory of 3680	1760	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe	TqwogsoU.exe
PID 1760 wrote to memory of 2796	1760	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe	GYkoQQoI.exe
PID 1760 wrote to memory of 2796	1760	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe	GYkoQQoI.exe
PID 1760 wrote to memory of 2796	1760	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe	GYkoQQoI.exe
PID 1760 wrote to memory of 3452	1760	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe	cmd.exe
PID 1760 wrote to memory of 3452	1760	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe	cmd.exe
PID 1760 wrote to memory of 3452	1760	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe	cmd.exe
PID 1760 wrote to memory of 536	1760	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe	reg.exe
PID 1760 wrote to memory of 536	1760	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe	reg.exe
PID 1760 wrote to memory of 536	1760	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe	reg.exe
PID 1760 wrote to memory of 4504	1760	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe	reg.exe
PID 1760 wrote to memory of 4504	1760	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe	reg.exe
PID 1760 wrote to memory of 4504	1760	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe	reg.exe
PID 1760 wrote to memory of 4384	1760	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe	reg.exe
PID 1760 wrote to memory of 4384	1760	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe	reg.exe
PID 1760 wrote to memory of 4384	1760	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe	reg.exe
PID 1760 wrote to memory of 1056	1760	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe	cmd.exe
PID 1760 wrote to memory of 1056	1760	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe	cmd.exe
PID 1760 wrote to memory of 1056	1760	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe	cmd.exe
PID 3452 wrote to memory of 2912	3452	cmd.exe	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
PID 3452 wrote to memory of 2912	3452	cmd.exe	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
PID 3452 wrote to memory of 2912	3452	cmd.exe	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
PID 1056 wrote to memory of 4016	1056	cmd.exe	cscript.exe
PID 1056 wrote to memory of 4016	1056	cmd.exe	cscript.exe
PID 1056 wrote to memory of 4016	1056	cmd.exe	cscript.exe
PID 2912 wrote to memory of 3828	2912	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe	cmd.exe
PID 2912 wrote to memory of 3828	2912	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe	cmd.exe
PID 2912 wrote to memory of 3828	2912	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe	cmd.exe
PID 3828 wrote to memory of 724	3828	cmd.exe	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
PID 3828 wrote to memory of 724	3828	cmd.exe	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
PID 3828 wrote to memory of 724	3828	cmd.exe	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
PID 2912 wrote to memory of 1012	2912	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe	reg.exe
PID 2912 wrote to memory of 1012	2912	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe	reg.exe
PID 2912 wrote to memory of 1012	2912	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe	reg.exe
PID 2912 wrote to memory of 4864	2912	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe	reg.exe
PID 2912 wrote to memory of 4864	2912	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe	reg.exe
PID 2912 wrote to memory of 4864	2912	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe	reg.exe
PID 2912 wrote to memory of 4272	2912	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe	reg.exe
PID 2912 wrote to memory of 4272	2912	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe	reg.exe
PID 2912 wrote to memory of 4272	2912	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe	reg.exe
PID 2912 wrote to memory of 3136	2912	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe	cmd.exe
PID 2912 wrote to memory of 3136	2912	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe	cmd.exe
PID 2912 wrote to memory of 3136	2912	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe	cmd.exe
PID 3136 wrote to memory of 408	3136	cmd.exe	cscript.exe
PID 3136 wrote to memory of 408	3136	cmd.exe	cscript.exe
PID 3136 wrote to memory of 408	3136	cmd.exe	cscript.exe
PID 724 wrote to memory of 3508	724	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe	cmd.exe
PID 724 wrote to memory of 3508	724	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe	cmd.exe
PID 724 wrote to memory of 3508	724	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe	cmd.exe
PID 3508 wrote to memory of 2572	3508	cmd.exe	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
PID 3508 wrote to memory of 2572	3508	cmd.exe	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
PID 3508 wrote to memory of 2572	3508	cmd.exe	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
PID 724 wrote to memory of 1692	724	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe	reg.exe
PID 724 wrote to memory of 1692	724	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe	reg.exe
PID 724 wrote to memory of 1692	724	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe	reg.exe
PID 724 wrote to memory of 4204	724	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe	reg.exe
PID 724 wrote to memory of 4204	724	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe	reg.exe
PID 724 wrote to memory of 4204	724	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe	reg.exe
PID 724 wrote to memory of 3608	724	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe	reg.exe
PID 724 wrote to memory of 3608	724	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe	reg.exe
PID 724 wrote to memory of 3608	724	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe	reg.exe
PID 724 wrote to memory of 816	724	2024052270b44f5eef4df1621e863e49c01402c5virlock.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1760
- C:\Users\Admin\LyIkIIUE\TqwogsoU.exe
  "C:\Users\Admin\LyIkIIUE\TqwogsoU.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:3680
- C:\ProgramData\FQMYMYwM\GYkoQQoI.exe
  "C:\ProgramData\FQMYMYwM\GYkoQQoI.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:2796
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3452
- - C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
    C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2912
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3828
    - - C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:724
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3508
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        8⤵
        
        PID:4508
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        10⤵
        
        PID:3528
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        12⤵
        
        PID:4400
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        14⤵
        
        PID:3500
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        16⤵
        
        PID:1440
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        18⤵
        
        PID:1008
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        20⤵
        
        PID:924
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        22⤵
        
        PID:1148
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        24⤵
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        26⤵
        
        PID:5004
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        28⤵
        
        PID:4156
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        30⤵
        
        PID:3832
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        32⤵
        
        PID:4356
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        33⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        34⤵
        
        PID:3632
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        35⤵
        
        PID:3500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        36⤵
        
        PID:4668
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        37⤵
        
        PID:1032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        38⤵
        
        PID:1008
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        39⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        40⤵
        
        PID:5044
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        41⤵
        
        PID:3248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        42⤵
        
        PID:1964
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        43⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        44⤵
        
        PID:5008
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        45⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        46⤵
        
        PID:3356
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        47⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        48⤵
        
        PID:2732
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        49⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        50⤵
        
        PID:4488
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        51⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        52⤵
        
        PID:3368
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        53⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        54⤵
        
        PID:4964
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        55⤵
        
        PID:3204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        56⤵
        
        PID:4816
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        57⤵
        
        PID:3452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        58⤵
        
        PID:4504
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        59⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        60⤵
        
        PID:436
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        61⤵
        
        PID:3524
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        61⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        62⤵
        
        PID:4160
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        63⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        64⤵
        
        PID:4364
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        65⤵
        
        PID:452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        66⤵
        
        PID:1724
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        67⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        68⤵
        
        PID:2008
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        69⤵
        
        PID:1428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        70⤵
        
        PID:4964
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        71⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        72⤵
        
        PID:3336
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        73⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        74⤵
        
        PID:4760
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        75⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        76⤵
        
        PID:1964
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        77⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        78⤵
        
        PID:2556
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        79⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        80⤵
        
        PID:3008
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        81⤵
        
        PID:3408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        82⤵
        
        PID:4896
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        83⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        84⤵
        
        PID:640
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        85⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        86⤵
        
        PID:4724
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        87⤵
        
        PID:3040
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        87⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        88⤵
        
        PID:4156
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        89⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        90⤵
        
        PID:2948
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        91⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        92⤵
        
        PID:1176
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        93⤵
        
        PID:3596
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        93⤵
        
        PID:3616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        94⤵
        
        PID:3828
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        95⤵
        
        PID:4764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        96⤵
        
        PID:2720
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        97⤵
        
        PID:4908
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        97⤵
        
        PID:3160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        98⤵
        
        PID:2920
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        99⤵
        
        PID:636
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        99⤵
        
        PID:1032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        100⤵
        
        PID:2148
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        101⤵
        
        PID:3840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        102⤵
        
        PID:4724
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        103⤵
        
        PID:1812
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        103⤵
        
        PID:3724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        104⤵
        
        PID:2224
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        105⤵
        
        PID:2088
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        105⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        106⤵
        
        PID:3780
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        107⤵
        
        PID:3912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        108⤵
        
        PID:1384
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        109⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        110⤵
        
        PID:4780
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        111⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        112⤵
        
        PID:1900
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        113⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        114⤵
        
        PID:4368
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        115⤵
        
        PID:3696
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        115⤵
        
        PID:3128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        116⤵
        
        PID:4724
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        117⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        118⤵
        
        PID:3160
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        119⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        120⤵
        
        PID:4764
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        121⤵
        
        PID:5116
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        121⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        122⤵
        
        PID:4560
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        123⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        124⤵
        
        PID:1816
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        125⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        126⤵
        
        PID:2468
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        127⤵
        
        PID:548
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        127⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        128⤵
        
        PID:344
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        129⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        130⤵
        
        PID:4668
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        131⤵
        
        PID:464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        132⤵
        
        PID:4820
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        133⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        134⤵
        
        PID:4396
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        135⤵
        
        PID:4348
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        135⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        136⤵
        
        PID:816
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        137⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        138⤵
        
        PID:1360
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        139⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        140⤵
        
        PID:1504
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        141⤵
        
        PID:3308
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        141⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        142⤵
        
        PID:5048
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        143⤵
        
        PID:1384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        144⤵
        
        PID:552
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        145⤵
        
        PID:3184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        146⤵
        
        PID:3404
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        147⤵
        
        PID:3616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        148⤵
        
        PID:4328
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        149⤵
        
        PID:3452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        150⤵
        
        PID:716
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        151⤵
        Adds Run key to start application
        
        PID:4976
        
        C:\Users\Admin\VQcQYcIc\OYskwcos.exe
        
        "C:\Users\Admin\VQcQYcIc\OYskwcos.exe"
        152⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4260 -s 224
        153⤵
        Program crash
        
        PID:1172
        
        C:\ProgramData\uUYsUYsY\PyQgcwkc.exe
        
        "C:\ProgramData\uUYsUYsY\PyQgcwkc.exe"
        152⤵
        
        PID:3412
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3412 -s 220
        153⤵
        Program crash
        
        PID:1684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        152⤵
        
        PID:4548
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        153⤵
        
        PID:996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        154⤵
        
        PID:2212
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        155⤵
        Adds Run key to start application
        
        PID:4976
        
        C:\Users\Admin\VQcQYcIc\OYskwcos.exe
        
        "C:\Users\Admin\VQcQYcIc\OYskwcos.exe"
        156⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2112 -s 188
        157⤵
        Program crash
        
        PID:4388
        
        C:\ProgramData\uUYsUYsY\PyQgcwkc.exe
        
        "C:\ProgramData\uUYsUYsY\PyQgcwkc.exe"
        156⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2436 -s 188
        157⤵
        Program crash
        
        PID:2920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        156⤵
        
        PID:5100
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        157⤵
        
        PID:3524
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        157⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        158⤵
        
        PID:1504
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        159⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        160⤵
        
        PID:1816
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        161⤵
        
        PID:4156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        162⤵
        
        PID:4160
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        163⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        164⤵
        
        PID:4316
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        165⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        166⤵
        
        PID:3964
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        167⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        168⤵
        
        PID:3588
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        169⤵
        
        PID:1196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        170⤵
        
        PID:4252
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        171⤵
        
        PID:640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        172⤵
        
        PID:3528
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        173⤵
        
        PID:4976
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        173⤵
        
        PID:4860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        174⤵
        
        PID:1360
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        175⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        176⤵
        
        PID:2488
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        177⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        178⤵
        
        PID:4908
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        179⤵
        
        PID:3912
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        179⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        180⤵
        
        PID:732
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        181⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        182⤵
        
        PID:916
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        183⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        184⤵
        
        PID:3544
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        185⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        186⤵
        
        PID:2196
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        187⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        188⤵
        
        PID:4756
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        189⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        190⤵
        
        PID:2008
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        191⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        192⤵
        
        PID:3128
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        193⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        194⤵
        
        PID:4376
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        195⤵
        
        PID:3412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        196⤵
        
        PID:2608
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        197⤵
        
        PID:3528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        198⤵
        
        PID:1248
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        199⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        200⤵
        
        PID:3392
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        201⤵
        
        PID:3356
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        201⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        202⤵
        
        PID:1008
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        203⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        204⤵
        
        PID:2088
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        205⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        206⤵
        
        PID:2204
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        207⤵
        
        PID:4068
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        207⤵
        
        PID:384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        208⤵
        
        PID:3364
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        209⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        210⤵
        
        PID:4524
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        211⤵
        
        PID:3308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        212⤵
        
        PID:1788
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        213⤵
        
        PID:5004
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        213⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        214⤵
        
        PID:3280
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        215⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        216⤵
        
        PID:3596
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        217⤵
        
        PID:2696
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        217⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        218⤵
        
        PID:3336
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        219⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        220⤵
        
        PID:3004
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        221⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        222⤵
        
        PID:2112
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        223⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        224⤵
        
        PID:4012
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        225⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        226⤵
        
        PID:3160
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        227⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        228⤵
        
        PID:2628
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        229⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        230⤵
        
        PID:4252
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        231⤵
        
        PID:404
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        231⤵
        
        PID:384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        232⤵
        
        PID:1132
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        233⤵
        
        PID:2740
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        233⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        234⤵
        
        PID:2568
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        235⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        236⤵
        
        PID:5116
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        237⤵
        
        PID:3528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        238⤵
        
        PID:4372
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        239⤵
        
        PID:2488
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        239⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        240⤵
        
        PID:888
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        241⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        242⤵
        
        PID:3528
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        243⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        244⤵
        
        PID:3764
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        245⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        246⤵
        
        PID:1688
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        247⤵
        
        PID:4816
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        247⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        248⤵
        
        PID:4316
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        249⤵
        
        PID:4552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        250⤵
        
        PID:2008
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        251⤵
        
        PID:3528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        252⤵
        
        PID:3828
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        253⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        254⤵
        
        PID:4756
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock
        255⤵
        
        PID:1248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock"
        256⤵
        
        PID:1032
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        257⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        256⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        256⤵
        
        PID:3724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        256⤵
        
        PID:3840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Uuokcwwg.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        256⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        254⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        254⤵
        
        PID:3040
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        255⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        254⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aQoAIsoA.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        254⤵
        
        PID:1196
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        255⤵
        
        PID:3356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        252⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        252⤵
        
        PID:3940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        252⤵
        UAC bypass
        
        PID:1668
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        253⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eKgoIUsA.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        252⤵
        
        PID:368
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        253⤵
        
        PID:64
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        250⤵
        Modifies registry key
        
        PID:3952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        250⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        250⤵
        UAC bypass
        
        PID:4904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bqUQkwEA.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        250⤵
        
        PID:4168
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        251⤵
        
        PID:3128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        248⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1452
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        249⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        248⤵
        
        PID:4384
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        249⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        248⤵
        
        PID:3004
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        249⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bssIAYAg.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        248⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        249⤵
        
        PID:3204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        246⤵
        
        PID:4560
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        247⤵
        
        PID:4860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        246⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        246⤵
        
        PID:400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nsIwIMgk.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        246⤵
        
        PID:4548
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        247⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        247⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        244⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:5100
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        245⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        244⤵
        
        PID:3896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        244⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ycEQccIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        244⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        245⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        242⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        242⤵
        Modifies registry key
        
        PID:716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        242⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sOsYMAcM.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        242⤵
        
        PID:1360
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        243⤵
        
        PID:3584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        240⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        240⤵
        Modifies registry key
        
        PID:5048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        240⤵
        
        PID:1892
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        241⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KqgYoQQU.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        240⤵
        
        PID:64
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        241⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        241⤵
        
        PID:1248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        238⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        238⤵
        
        PID:772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        238⤵
        
        PID:1264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kQMIEIQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        238⤵
        
        PID:1924
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        239⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        239⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        236⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        236⤵
        
        PID:3408
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        237⤵
        
        PID:548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        236⤵
        
        PID:752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pgskIMMo.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        236⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        237⤵
        
        PID:400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        234⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        234⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        234⤵
        UAC bypass
        
        PID:4680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vioIAUck.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        234⤵
        
        PID:4764
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        235⤵
        
        PID:1176
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        235⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        232⤵
        
        PID:4168
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        232⤵
        
        PID:3468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        232⤵
        
        PID:4256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FcAAIcQI.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        232⤵
        
        PID:2468
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        233⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        233⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        230⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        230⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        230⤵
        
        PID:368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yYAwEoos.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        230⤵
        
        PID:3544
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        231⤵
        
        PID:1016
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        231⤵
        
        PID:344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        228⤵
        Modifies registry key
        
        PID:4708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        228⤵
        Modifies registry key
        
        PID:3940
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        229⤵
        
        PID:3204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        228⤵
        UAC bypass
        
        PID:1892
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        229⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cgEUEAwI.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        228⤵
        
        PID:4160
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        229⤵
        
        PID:3452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        226⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        226⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        226⤵
        UAC bypass
        
        PID:1836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eEUQwEgc.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        226⤵
        
        PID:2168
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        227⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        227⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        224⤵
        
        PID:1032
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        225⤵
        
        PID:912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        224⤵
        
        PID:640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        224⤵
        Modifies registry key
        
        PID:3588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bsYoksAM.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        224⤵
        
        PID:4860
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        225⤵
        
        PID:1048
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        225⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        222⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        222⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        222⤵
        UAC bypass
        
        PID:1176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pQwoAIos.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        222⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        223⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        220⤵
        Modifies registry key
        
        PID:3684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        220⤵
        
        PID:3468
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        221⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        220⤵
        UAC bypass
        
        PID:2572
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        221⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JiAEMYEc.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        220⤵
        
        PID:3340
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        221⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        221⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        218⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        218⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        218⤵
        UAC bypass
        
        PID:4316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PgIMYQIU.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        218⤵
        
        PID:464
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        219⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        216⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        216⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        216⤵
        UAC bypass
        Modifies registry key
        
        PID:4000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oAQwIocw.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        216⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        217⤵
        
        PID:3500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        214⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        214⤵
        
        PID:1016
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        215⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        214⤵
        UAC bypass
        
        PID:400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EiksgsgQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        214⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        215⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        212⤵
        
        PID:3420
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        213⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        212⤵
        
        PID:2952
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        213⤵
        
        PID:8
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        212⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UiUYssEU.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        212⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        213⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        210⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        210⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        210⤵
        
        PID:3544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FcoMMQcw.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        210⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        211⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        208⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        208⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        208⤵
        UAC bypass
        
        PID:4364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pwYMsMMo.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        208⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        209⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        206⤵
        
        PID:2356
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        207⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        206⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        206⤵
        UAC bypass
        
        PID:4764
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        207⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xSwgIcsg.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        206⤵
        
        PID:4316
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        207⤵
        
        PID:724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        204⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        204⤵
        
        PID:548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        204⤵
        UAC bypass
        Modifies registry key
        
        PID:3484
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        205⤵
        
        PID:1452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jiwQEgMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        204⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        205⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        202⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        202⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        202⤵
        Modifies registry key
        
        PID:1860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kqIkkIcE.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        202⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        203⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        200⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3004
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        201⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        200⤵
        
        PID:3412
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        201⤵
        
        PID:3280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        200⤵
        
        PID:344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AcYogQQI.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        200⤵
        
        PID:1436
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        201⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        201⤵
        
        PID:3264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        198⤵
        Modifies registry key
        
        PID:2468
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        199⤵
        
        PID:912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        198⤵
        
        PID:3408
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        199⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        198⤵
        
        PID:3544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aagIQEMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        198⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        199⤵
        
        PID:1048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        196⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        196⤵
        Modifies registry key
        
        PID:1992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        196⤵
        Modifies registry key
        
        PID:4796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dGAUYoAE.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        196⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        197⤵
        
        PID:3468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        194⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        194⤵
        
        PID:4544
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        195⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        194⤵
        
        PID:216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JAUgkwkA.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        194⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        195⤵
        
        PID:1428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        192⤵
        
        PID:5052
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        193⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        192⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        192⤵
        UAC bypass
        
        PID:4688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BQIUgMUA.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        192⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        193⤵
        
        PID:4328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        190⤵
        
        PID:3356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        190⤵
        
        PID:2916
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        191⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        190⤵
        UAC bypass
        
        PID:3392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oqQAkgoE.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        190⤵
        
        PID:8
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        191⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        188⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1788
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        189⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        188⤵
        Modifies registry key
        
        PID:368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        188⤵
        UAC bypass
        
        PID:2436
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        189⤵
        
        PID:3408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MoMEQcEA.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        188⤵
        
        PID:404
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        189⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        186⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        186⤵
        Modifies registry key
        
        PID:2180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        186⤵
        
        PID:3356
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        187⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wsEggoIQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        186⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        187⤵
        
        PID:924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        184⤵
        Modifies registry key
        
        PID:1760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        184⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        184⤵
        Modifies registry key
        
        PID:3204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WGswUIAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        184⤵
        
        PID:452
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        185⤵
        
        PID:912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        182⤵
        Modifies visibility of file extensions in Explorer
        
        PID:640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        182⤵
        
        PID:548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        182⤵
        
        PID:1452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JUUgsAEI.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        182⤵
        
        PID:2856
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        183⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        183⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        180⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        180⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        180⤵
        
        PID:1248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dQsYEoAA.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        180⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        181⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        178⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        178⤵
        
        PID:2636
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        179⤵
        
        PID:3452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        178⤵
        UAC bypass
        
        PID:2504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NYckQUgM.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        178⤵
        
        PID:3544
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        179⤵
        
        PID:3828
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        179⤵
        
        PID:3952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        176⤵
        
        PID:4524
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        177⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        176⤵
        
        PID:912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        176⤵
        
        PID:2720
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        177⤵
        
        PID:4328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\daAoMooU.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        176⤵
        
        PID:400
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        177⤵
        
        PID:1452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        174⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        174⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        174⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oIgcMgAA.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        174⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        175⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        172⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        172⤵
        
        PID:3912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        172⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\weAEsowQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        172⤵
        
        PID:3020
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        173⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        173⤵
        
        PID:3828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        170⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        170⤵
        Modifies registry key
        
        PID:4580
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        171⤵
        
        PID:3500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        170⤵
        UAC bypass
        
        PID:1992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GKkIkYwo.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        170⤵
        
        PID:3280
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        171⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        168⤵
        
        PID:4156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        168⤵
        
        PID:3596
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        169⤵
        
        PID:924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        168⤵
        UAC bypass
        
        PID:4508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tkcgYIUI.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        168⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        169⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        166⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        166⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        166⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LIYUIwQs.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        166⤵
        
        PID:3448
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        167⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        167⤵
        
        PID:1360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        164⤵
        
        PID:368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        164⤵
        
        PID:3900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        164⤵
        UAC bypass
        
        PID:2856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bMQcMQso.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        164⤵
        
        PID:916
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        165⤵
        
        PID:536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        162⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        162⤵
        
        PID:1428
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        163⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        162⤵
        
        PID:1176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZSMQwQMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        162⤵
        
        PID:216
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        163⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        163⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        160⤵
        
        PID:3448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        160⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        160⤵
        UAC bypass
        Modifies registry key
        
        PID:1924
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        161⤵
        
        PID:996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\amAYskwY.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        160⤵
        
        PID:548
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        161⤵
        
        PID:464
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        161⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        158⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        158⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        158⤵
        UAC bypass
        
        PID:4524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KAoYIAgo.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        158⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        159⤵
        
        PID:3672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        156⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        156⤵
        
        PID:3840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        156⤵
        
        PID:1452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YsAwgcMw.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        156⤵
        
        PID:404
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        157⤵
        
        PID:3408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        154⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        154⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        154⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PucQUYMw.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        154⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        155⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        152⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        152⤵
        
        PID:2140
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        153⤵
        
        PID:816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        152⤵
        
        PID:3364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bKgggAcc.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        152⤵
        
        PID:916
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        153⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        153⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        150⤵
        
        PID:888
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        151⤵
        
        PID:3840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        150⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        150⤵
        Modifies registry key
        
        PID:2912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dmQkMwIY.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        150⤵
        
        PID:1164
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        151⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        151⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        148⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        148⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        148⤵
        UAC bypass
        Modifies registry key
        
        PID:3500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\joYooYgs.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        148⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        149⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        146⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        146⤵
        Modifies registry key
        
        PID:4368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        146⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CGEEYUco.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        146⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        147⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        144⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        144⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        144⤵
        
        PID:924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GyYsEwcc.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        144⤵
        
        PID:464
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        145⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        142⤵
        
        PID:4168
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        142⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        142⤵
        UAC bypass
        
        PID:5072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YaIQEIAM.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        142⤵
        
        PID:916
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        143⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        140⤵
        
        PID:2256
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        141⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        140⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        140⤵
        
        PID:2984
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        141⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nAksocII.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        140⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        141⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        138⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        138⤵
        
        PID:4664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        138⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VGMcwUIU.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        138⤵
        
        PID:1428
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        139⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        136⤵
        
        PID:1052
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        137⤵
        
        PID:344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        136⤵
        
        PID:3500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        136⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XiskIosE.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        136⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        137⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        134⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3588
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        135⤵
        
        PID:732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        134⤵
        
        PID:4764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        134⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LYYQwIsY.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        134⤵
        
        PID:3340
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        135⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        132⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        132⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        132⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Sessgcgo.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        132⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        133⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        
        PID:772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ggMkkQcg.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        130⤵
        
        PID:2572
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        131⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        131⤵
        
        PID:4160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        UAC bypass
        
        PID:4272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qYcMcsEU.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        128⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        129⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        Modifies registry key
        
        PID:216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        UAC bypass
        
        PID:3160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YMQoUwYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        126⤵
        
        PID:4868
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        127⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        Modifies registry key
        
        PID:2732
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        125⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FEcAIcQA.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        124⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:3840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        
        PID:2112
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        123⤵
        
        PID:3780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        UAC bypass
        
        PID:732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\roEEIQIc.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        122⤵
        
        PID:3952
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        
        PID:4316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        
        PID:3308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rCsgYIgA.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        120⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:3528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        
        PID:1360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        
        PID:1924
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        119⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BcsUUsow.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        118⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:5000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        
        PID:368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        UAC bypass
        
        PID:2280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kwIQAMIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        116⤵
        
        PID:3336
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        Modifies registry key
        
        PID:1436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QMwoMgIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        114⤵
        
        PID:4392
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        115⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        UAC bypass
        
        PID:4256
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        113⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SOoscgck.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        112⤵
        
        PID:4764
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        
        PID:4700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        
        PID:3460
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        111⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ockkwEgM.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        110⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        
        PID:1788
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        109⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tysQEYAY.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        108⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        Modifies registry key
        
        PID:4552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        UAC bypass
        
        PID:2948
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        107⤵
        
        PID:3896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VUMQUAoU.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        106⤵
        
        PID:8
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1892
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        105⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FwAgQYwM.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        104⤵
        
        PID:4504
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3696
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        103⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        
        PID:3364
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        103⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        UAC bypass
        
        PID:3340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SCcsYsIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        102⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        
        PID:3344
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        101⤵
        
        PID:996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        UAC bypass
        
        PID:3616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kCAwIUYI.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        100⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        
        PID:1248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        
        PID:912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        UAC bypass
        
        PID:1900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CsgEEQQs.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        98⤵
        
        PID:3836
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        
        PID:1052
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        97⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AEocUskI.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        96⤵
        
        PID:4316
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        
        PID:3896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        UAC bypass
        
        PID:4544
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        95⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fkYssIQU.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        94⤵
        
        PID:3460
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        
        PID:2256
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        93⤵
        
        PID:4700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zWAAUMkU.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        92⤵
        
        PID:2952
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        93⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:4184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        
        PID:1428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tAkAEocM.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        90⤵
        
        PID:3252
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        Modifies visibility of file extensions in Explorer
        
        PID:996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        UAC bypass
        Modifies registry key
        
        PID:8
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BeUcQUIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        88⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        Modifies registry key
        
        PID:3536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        UAC bypass
        
        PID:216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GoQgAgsg.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        86⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:3836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        Modifies visibility of file extensions in Explorer
        
        PID:812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KcIMcwIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        84⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:1176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        UAC bypass
        
        PID:4588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AEooIEQA.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        82⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        Modifies registry key
        
        PID:968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        UAC bypass
        Modifies registry key
        
        PID:4316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vkwYQcQE.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        80⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        
        PID:404
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        79⤵
        
        PID:4160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        
        PID:3308
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        79⤵
        
        PID:924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        UAC bypass
        
        PID:3040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HqIsAccU.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        78⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4752
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        77⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        
        PID:640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FEcIowkg.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        76⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4820
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        75⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        UAC bypass
        
        PID:3500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xgQooYUQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        74⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:1384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        UAC bypass
        
        PID:3264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oCoccwIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        72⤵
        
        PID:4700
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MCkAkMoY.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        70⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        Modifies registry key
        
        PID:3392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        
        PID:3340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MCEUEoIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        68⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4544
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        67⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        
        PID:384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cQUgQAAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        66⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1000
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        65⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        
        PID:924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PaoQYgYY.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        64⤵
        
        PID:3452
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:3336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        Modifies registry key
        
        PID:1964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        
        PID:3324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zWcEYcAY.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        62⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        
        PID:3252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        UAC bypass
        
        PID:4184
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        61⤵
        
        PID:3248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dyYAMwIo.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        60⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        Modifies registry key
        
        PID:1148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lOccYAIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        58⤵
        
        PID:3264
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3188
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        57⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        UAC bypass
        
        PID:732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mMsAUsAc.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        56⤵
        
        PID:3724
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:3648
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        55⤵
        
        PID:3248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OKIUkMsI.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        54⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        
        PID:724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WcggMIMs.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        52⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SEIkswQA.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        50⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:4316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        
        PID:3248
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        49⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        UAC bypass
        
        PID:1724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VYIIgwoA.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        48⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:4252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        UAC bypass
        
        PID:3308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NMAwQMQE.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        46⤵
        
        PID:4256
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FMYgEYMI.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        44⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:4316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        
        PID:4744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:2776
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        43⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        
        PID:3528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hEccogAk.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        42⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        
        PID:3412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        UAC bypass
        
        PID:4504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KkQcMEQA.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        40⤵
        
        PID:3724
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        
        PID:624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        UAC bypass
        
        PID:1044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CEUYAsMw.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        38⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:3408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sgkQMQkQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        36⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        Modifies registry key
        
        PID:3672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\giMUIcUA.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        34⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        Modifies registry key
        
        PID:3220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JSsYwYsc.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        32⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lYwYEUEs.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        30⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        UAC bypass
        
        PID:3408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RSsMgIQY.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        28⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:3264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        Modifies registry key
        
        PID:1196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XUUoUwck.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        26⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GygUIcwI.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        24⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eksAocQU.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        22⤵
        
        PID:4248
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies visibility of file extensions in Explorer
        
        PID:464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        
        PID:3528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uacYIcks.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        20⤵
        
        PID:1032
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:3452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        
        PID:3696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QWsIYIwk.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        18⤵
        
        PID:3420
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        Modifies registry key
        
        PID:716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JGkscgYo.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        16⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VAEwsUgw.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        14⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:3236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\noEYgQUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        12⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:3912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EiUkUQgI.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        10⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:3336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        
        PID:2468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CAAkQgMI.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        8⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:4168
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1692
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:4204
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        
        PID:3608
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aqwwUEQk.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
        6⤵
        
        PID:816
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:4028
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies registry key
      PID:1012
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Modifies registry key
      PID:4864
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:4272
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AaUggIAA.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3136
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:408
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:536
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:4504
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:4384
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dAYwkggk.bat" "C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1056
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:4016

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4260 -ip 4260
1⤵
PID:4012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3412 -ip 3412
1⤵
PID:2668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2112 -ip 2112
1⤵
PID:2740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 176 -p 2436 -ip 2436
1⤵
PID:3468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\FQMYMYwM\GYkoQQoI.exe

Filesize
200KB

MD5
8dc55e762167d1f8cc53605ba22a669e

SHA1
11c8de9278324b0c0983a50cbdf38187fa7d0b73

SHA256
88fe78708a86357d716a0b44cca376553ca4c8acedf2b19e34e3d9b1f1440946

SHA512
8b9e042e60b3270500624aa497351bcf608df3c30aa37ba550601e19d2d0f0a18392c4ffa191364ce1e72ab747ce50ff897125054fc9b5c9bd8fa605f8b76bfd

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\guest.bmp.exe

Filesize
773KB

MD5
067a4cc9d0a9d10614df0db4dd44a773

SHA1
fb73321e7f4bb7e21980123b337b41cce7af0c2c

SHA256
345748f27c66c071ce13e9c877fabdbb41b060743c786d25a34bf9bbb398579a

SHA512
7cfe473a4459a1f44ed14c3bd542842da54808adda96a09ee262949870e98d39bedd8b027d27e925cb256b48a4a1aa0be6018d05b71c789dd0f038e8c7fe5d18

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\96.png.exe

Filesize
207KB

MD5
51210f584a2debccfac72487786d91a0

SHA1
44a52fdfa6c12eee7397790beaaa86e08ab7e26c

SHA256
94098d6c2df9b321a2f7f472ee08d60635a24194fece70b66a5d6665a97beb0d

SHA512
4a1dee923790bc56e0d57f82de87639a20e2c9532bce6ab21bb1768ed8b1ba4ef30315abf5f47c2861992f8a4f5371af167bc904ca85c7e3600bf1f627311200

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\192.png.exe

Filesize
202KB

MD5
50bd44e6dd999d09630f22891b18b5c7

SHA1
beeb0557bdc7480860d4dd55e97b06f90339d7e3

SHA256
596c0ab36266932793a2303649bc6379453b96bae36b734250ef19caad14a2bc

SHA512
7738c114183ecde6e337f3a1facdd3041364b6783e8e003fe505e89c522b43b5f7ef08844ca5e6ae4b4a783c1c9ad88ebac3ad84adb1d7e49270291f155c0c5a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\96.png.exe

Filesize
184KB

MD5
85f51a1ddf33751a2f3cfad5b72fc4ec

SHA1
e87f4e83204cbcee57daf52e699162ad7778e761

SHA256
88ace49e78609c2d6ef5511f78e66b681ea1f697ce1a5e657776b69c6b6433fe

SHA512
830e4f2b7f353bac4773329f0d7fd07de797b6b8b45996298d70c53f9b7b527e609a4a28de0a3a28c4416bc811e195bfddc604facd292b1ed94991add0269c56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppErrorWhite.png.exe

Filesize
211KB

MD5
51b3d1c735e75c5056c7342dabf0da28

SHA1
92e8e43ad89c68d4134ff5ab418d3ec641e06626

SHA256
64394ea676c293baa733452e258768b2508e957afbf192fb0dafeed4c85f349e

SHA512
ee1ccabed7c5b1cad22fbe4991b70c1f7710369ce26c76e08b78b3a33bb38a2ba11018f0c4618bd01628721c9611ceadaf4323caa6ef39ef22f3d2148aaa8684

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppWhite.png.exe

Filesize
185KB

MD5
7bf858e3570da5b7bffd6801d05cb9b0

SHA1
f1af4088dcb9e72d4842a8193d2bc84eb0fb00cc

SHA256
7648525894dba75a5939158b3ca3e9802d91d249de3b920014dfe3908b2e09d7

SHA512
2eaa9ec3ba0fc00037ceace11508a4431c7eeca54cf70b430c099a53b460c6614582b884220a6c5942a14aa80d5ff3e4c732723076377ba30008b8c15b8c7d45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMLockedFileToast.png.exe

Filesize
197KB

MD5
1b2ac0b8acc783cd90b4d270e2810df3

SHA1
52f1434b062a4b08a8153b08891d0672ceeb31cf

SHA256
5b958d366c393cf275c7cf69cafa0aace62440175d72256a2705d00fe472dbfe

SHA512
3ca6d926f6f186fbd0db467a2ff2f50fd74e04554098b01f5acb032ceed0e27d577635b7bdcd332a1015cbf602f04ab8c3a87b924b24600f44e9ac2e1a1a4f42

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaNearing.png.exe

Filesize
207KB

MD5
65029e934503bc8379331672b8fba11d

SHA1
18022d0d5624be0a58384a47cc17129508cba251

SHA256
f1e5f2a38e8f56d69b5e1bfdf908697b4ae24a4a48b668b7c6db4af305e2008b

SHA512
36aa86dfd879752cd08ac0827e64ac48b414e8089a6f3c10d3d4c3441c61e460ab953e7c75e4f4c462b0cb902d1be6be449be49534ee395448eeec76ee86eef3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-400.png.exe

Filesize
192KB

MD5
0000d941240f2369ddcd512f276a46e6

SHA1
2c642578e4df6972c9905e333662a66d2854eb5f

SHA256
7614464ea7d4568db708d52c037f89a8c195f1330e5af8834ba0682cfd9cd853

SHA512
bf9cfb0dafc6eb0533eff2dbcab4df92c0c7083c7f5e734923976ac40daf089d89e56a5039f29ef84de9d3a4325d090fa3cf86e2c6f4c6d0aaa472f29cb0217b

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024052270b44f5eef4df1621e863e49c01402c5virlock

Filesize
6KB

MD5
6df7065f01a6050fe6a0fc315cc1198e

SHA1
7b01a12035d29cde184590b08441c61c507a947e

SHA256
67a4ceda66f3abe6e0d18b08351d09c00e29f6a2ae3e55ad5e721218d6e45137

SHA512
6b42f9485501a09460acf5fd75f61ec0f92ed0f29a7cf26c11b9a13dabbb730f5f88f6a3e0a2f1bb20f984f8d0320bdc33e589100efb40c4fdea36f16a98db29

Download Submit
C:\Users\Admin\AppData\Local\Temp\AEEO.exe

Filesize
640KB

MD5
977dccc6f4fdeec36ebf8a5db599077f

SHA1
5075dbd14f47c4cef1f44171c37832c8af0c27b1

SHA256
45766c2bbe11283f7e9aff14c6e8c79e23553f240234c7d314c5f4d2c9e60a5c

SHA512
a89e110d931bd6746fa29e9f3032f1c9098cf76e2676c3d7abdb823d4b1be66197c9684f8f4db24c071ec7eeebcdeef15421c9032ff8dac18e26726b7d0640f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\AEcU.exe

Filesize
729KB

MD5
b5d755233f7cc80eb5e93a60daba78bf

SHA1
c64280e6cfea02b71cb2b9268bd89c7dd6f6e0a0

SHA256
e37d84ffa0f8e525ea913ad2ce6eac0c99e4783e2816f694c72ebbfa875e9d03

SHA512
7b7f5e86be1d7899172622128499b5c556bc41ede3620ed074db6e5dbaba4c0184d1def94849202671e5cc523fa100d41979d781bc3bb25fba2612f248933afc

Download Submit
C:\Users\Admin\AppData\Local\Temp\AIcu.exe

Filesize
820KB

MD5
0416b3c6bd7f05ae134b711dfcbc97e0

SHA1
4f79f2dedaf4045d152344b9dde0e8b1d0034acd

SHA256
9ff252aaebefe806744e2b9aa7ba26154d9e3ecde9def7b84d7fd77971059aee

SHA512
fa35e72fbe1d20f8b16fc8bf631ca073bd58e89679319c1cd2fb3f7ee06d1fdc0c23e4e3516e1f64abf6e7290090bd7899b6a5e730dc8ad25fc0fe74de92ba5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AMww.exe

Filesize
190KB

MD5
947cb817580c39141fec8a37bca5f4aa

SHA1
8aca93f190f33abbb070feb0e90b09b6fb7e133f

SHA256
578dea45a6e529e898cab4deece48b5221c769e6c8e7261f2feb5ded77a17bb5

SHA512
d34167821c8e66217d9a6917e046d327660a74b3ce6ae7833df3baffecbdb38a6c23ea0af1fadf9ecc45d4ece6a065bce4719fb48982c2c7fae7d07dc5a1d858

Download Submit
C:\Users\Admin\AppData\Local\Temp\AUgC.ico

Filesize
4KB

MD5
ace522945d3d0ff3b6d96abef56e1427

SHA1
d71140c9657fd1b0d6e4ab8484b6cfe544616201

SHA256
daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd

SHA512
8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e

Download Submit
C:\Users\Admin\AppData\Local\Temp\AgYi.exe

Filesize
208KB

MD5
9ea29029e5f579560a58369b7137790f

SHA1
ebb35ff287b6a6efc494871786463e2f15313e55

SHA256
7817b55b2c059448822c5d30f0698e18161a292f30f1c7afa4bafa41206fd44c

SHA512
b79d2dbaa7bdcffbda8cf20ff861d742a364eff3ff8120f6632e8a5b894d60c6704dc305969a6058a8a8074d22c1ee2e3a1a0eb230fdd790806c6e71d23e4efe

Download Submit
C:\Users\Admin\AppData\Local\Temp\CAgs.exe

Filesize
792KB

MD5
0c5db8a1dbe2d67c48f6d09f8b418477

SHA1
0dde7bb3d3614d0c44470ee9bb09c69e3e3632c4

SHA256
80f67f4ce01c0b410bef47ae002d4564fd79c5849af0b6f3e633ec8008994426

SHA512
6c7dc4b93eb7776061cbe8adc680c53be04d3d7f96946396a7d4ebb11036e58662e4651c125459e79d9572f5e5fb9c8752afc54badae531c11fe372239cb12eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\CEUk.exe

Filesize
776KB

MD5
2d1db3ea21898a6348351ab603c4219e

SHA1
0fe28aebaa9682b26851a972dd8911d949bf65a8

SHA256
e54cd225024cacae371c3aca614a830f42c03ca80d806422a7e67480a80e54ff

SHA512
b5f78392d22b7f10d22f5e964df54d9a7fa6d48f6756901a952964a7f3725973687bc4a5aef886c34cf0e08bf6ac06ab28298767c33cfad60074861032120fec

Download Submit
C:\Users\Admin\AppData\Local\Temp\CIsO.exe

Filesize
201KB

MD5
d36b32a1e7c813e4d129faf1fc141500

SHA1
567c37bd2544965eba46b5f18ee487f485b5ad1e

SHA256
c15a012e0cf328d90c25e61341d3803f313fe34c5b00828ab95980586ac0b321

SHA512
9ca55b804fcf90f575f1688f5d96397a5256084bc20a000e268d7687a6912e4958a0ba6d17c764335c6dfde52794ecf9dd45f9d27706b03a4bc28f8a0521c5c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\CMgE.exe

Filesize
205KB

MD5
a96fe6deeee887c952170a16f5d9b04a

SHA1
6abe25065bb84109f3b01a82e32c8cb9b9370aa8

SHA256
867be27b53ddafee9160c6ddecc13a9e6a413323b91db84b5cbf0830d8699a11

SHA512
58e833240a85e0a862dd15b2c4d6f6e07086b69d9802931ba0d9e89a588ab08d72aefce6a0b5245bafa3574d8da7e74f9254cf1a2aae1d92bacd2fdb35843e0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\EMEI.exe

Filesize
707KB

MD5
f8728ba289578c7d67d6c6c5f78ba74b

SHA1
6399a2284324bff770afbcb4f31e0e6fd45865f3

SHA256
05d06d5a1e55f249e1498c7c1e04dde83e0d770c696a09bea9ac2f35b80e15ab

SHA512
d0f8f86b89073867dae28ff36691b3db72387c801669097414bab9fd8cdf98ac28c3070e6509ef8806f375e33ee0728dac4df022ce904c6b49164b0fb3dbfcb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\EMIc.exe

Filesize
202KB

MD5
8bb8d6bc1eb1eaa30419a812a24c8086

SHA1
ecf6d7f0b8446cf3edd1d60b3a5f8d7557237904

SHA256
010a3f7d5c4b768436a3f124c2513a097cc0b4979e34adb4ad17ecee517c5c0e

SHA512
46acb91c224123271911bcc4871dedef902063f0d366ae0086b5f5f9310ddf405e6910829bc08ba74eea76540bafdd76ce0f4e0a6ed54a3b9d550899309bf0b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\EMoQ.exe

Filesize
188KB

MD5
a0adf819634d3781f76b63847ac3106a

SHA1
4d46069d5da260c059527b474ae5f3ad9c017fff

SHA256
52d6ca94d70d044dd0f7004f201cd101b57f32285e051784ab2c968d5200f490

SHA512
759c1247cc166ec47a2bdec66e18f7ce724e41e1b45cc7ca60c0e7cc9ccf0f875b030df73b660025411ce07c2937af93f75b605c8e80fb1fa7bbb95a11b2e992

Download Submit
C:\Users\Admin\AppData\Local\Temp\EUoe.exe

Filesize
227KB

MD5
77ea4fe955186735a8ee6f4bbe8a8ce3

SHA1
8801ec023b32b2bf63bd5fae95c57ae55e7be06e

SHA256
5639c119e2b278f74938feef0872aba2ee9ae52af30120d783f61cf19e5f69a2

SHA512
809935d7aed4d4829394eec2c8ce9ce26f1b2fa8a25e20c7a28574fa09fb64a09ddc6db7fa49db770f513928a70095d0c4c4b978e7f2d8da9f17c339adc9ffac

Download Submit
C:\Users\Admin\AppData\Local\Temp\EYEO.exe

Filesize
235KB

MD5
a344a541a32b9ffc9a34ee6c208e0cbe

SHA1
087dbfae4622120c53b5cdffd460e2da621eeed6

SHA256
06c2c1d7791c3fbcae1e6e8ff80dd1a1d8a59702d4180d1b02bad91f6b1693d8

SHA512
ed412e6069a0eaa7cc43c65a3c46dbe5695840c2ac9840b3b4614fe6a7596d627c7ccca549c7faf5980d404217c23a9736894471769930394ee75cac6c4bceed

Download Submit
C:\Users\Admin\AppData\Local\Temp\EgkS.exe

Filesize
440KB

MD5
d6dbca9cf602acf264c060eec79aab29

SHA1
2325f2b1fcc3a12aa3ddc14ffd7e3e2af3705e0c

SHA256
c8d953a3f4289f19fbd0c5501e58e4f42e57a23e8dfa22110c56da5ebf0dac9e

SHA512
b96341dba8c0f05866f2047c3e05b4494a3d2637550aa6717625dc2f4ce2964631f71b1f47d6ecb5e9e70b538e87cb8b5e942f656b5ec31c85af1962e903066d

Download Submit
C:\Users\Admin\AppData\Local\Temp\EkQU.exe

Filesize
196KB

MD5
19d67ea8223137ce55ce43aaf390f818

SHA1
5175438fa17b4c70652f66134fec29f85d0af308

SHA256
24f9b4e87d409bf5e8b2f0d8e9458ec11fa6c34b797efb03c01fac0475458745

SHA512
0562d2c2c713e943179cfa9321c8a1159710f05bf231edfe907bbc9a08d9c2f6eff14357d699aa0e03f2a226f018e31d230f8292df949dd2943972b5a692c868

Download Submit
C:\Users\Admin\AppData\Local\Temp\EwkK.exe

Filesize
621KB

MD5
497064b65c58dce0051f4676a22c299c

SHA1
fad4c546c8aec1d0a6d398cbf31128551f4e955e

SHA256
d32fbda542b3cd675e0f9f6b161238e473f8b935946076c0fd6ab2353de4aaa5

SHA512
0b28190caac28db571b88c179cee83b9a80b39c51419582d6586e37a2240eb3ba5ecc2c0adb5bb9a76940bde79d4752b724edaedebcf79ed8390caec2e90b52b

Download Submit
C:\Users\Admin\AppData\Local\Temp\GAUc.exe

Filesize
321KB

MD5
2acaaa9333b0d95431ddff8b817688e9

SHA1
350117f825279c4e6b66d320571b2a51d509aa42

SHA256
501d0596f75f3a0b44913bca3a7c1a9b35a0c15f893b0243362f60b28d9bcc2c

SHA512
cc5f4c89798abb7ef42d36ce42586388871f0d6223c20f5ae616153100662dc4de9f9a6d5e76439827f939168099690f318071661beb85f3fcbf607f0071ee17

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUog.exe

Filesize
183KB

MD5
dcb45ce3d0eecaef997ec470bba285ec

SHA1
5e63a63416918541b07f2e0984f852ca0b15636a

SHA256
2df7cf0d2c49b746422aee6dfbe366f2c5b233bcab431770aea525642e522365

SHA512
6e23c0dfd61c116f68dd947445b6fd92faa35f75c003648727f98a38e6d07e8dd276c9081d02af18eefb4d17f90ddc4ddb336002a938d263e1a4ef76905cec44

Download Submit
C:\Users\Admin\AppData\Local\Temp\IEAK.ico

Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\AppData\Local\Temp\IIQk.exe

Filesize
925KB

MD5
72e9c59c93dd9a3a896e76cc8e4b75cc

SHA1
5025fbaa2232ca12aca022117246285afd4cf5a5

SHA256
d5da00edf01cef45da1375a83f0b2a85bd118d82b1fdd345d2c7f57919cd58d8

SHA512
7057abeee02373168701225091904b4f1697d5d5c77e03b03585bdf44124d055067c1885aab715c034558f337a63679bfced75d62196397c6c45a1b07ae79509

Download Submit
C:\Users\Admin\AppData\Local\Temp\IUka.exe

Filesize
184KB

MD5
b4aad38e519b06336d62c74e2ece5ea9

SHA1
b774e340e340a23577a4223ff6b259f3f027ea1d

SHA256
5eeaeb2495072af102df8b0da8fb4e39fe200ed7f4c28db35781afdb45a7c194

SHA512
f02d8f45ca15624a6bbcd215017af823868b2ea3b25ada513d8054189c10e158f4d2f3ab6904599f4e276a07886a869bc8de036c1bb432372f4d87d533b1cad0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IcIU.exe

Filesize
1.0MB

MD5
c59c428c7e8b7c92ebd190d88666fa88

SHA1
e4fb9e90a86aefb01e31f8ba683c9bf4ec17c941

SHA256
6d82ba9fd582ea0794718320a1f5ab0c85ddbf354ace81de71749e322ced6813

SHA512
e429f1a92574f620f847a1fa940f7003b3ade44ae8e29744b884a5c6fd7794fcac1bbce75b20901776552876a2900af41398a731100a400257ec66652d90da0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IgQS.exe

Filesize
639KB

MD5
d1e2985f34f95bb317b4b363da01438b

SHA1
df655c059255462cc592dd262f046d1344c65e0b

SHA256
14d086afef643b655c436ccbbb9983ba27a074b2141398b141347b2372849cb2

SHA512
717955f39c3be78ee18cd7a2df2fdaf78e55025d8571e18a09944d234df8120e0634163f685a23fb6a8b8884004d302da6e2eacded3526da35b246ee8e389653

Download Submit
C:\Users\Admin\AppData\Local\Temp\Igwa.ico

Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\Issm.exe

Filesize
312KB

MD5
f3ed81e50bc07642223aa19fd2d49102

SHA1
4382baaff662715dcd0678501b6cc7df2c73bcae

SHA256
ed4128fd9b06d6369da03c84cc6b0451760566595b8d6ed87dd3b7fe5c3a89fc

SHA512
9378f3f3f42a7d18172ce4766a949261a9f883879a0c0274388cde735393e89e217f9bcaf497adcfb902dfe7568093e0b2ad471a178581aa02f2ce593cc58cde

Download Submit
C:\Users\Admin\AppData\Local\Temp\KYQO.exe

Filesize
195KB

MD5
9c1a683daccc2382e111759e0f545d24

SHA1
ac9dd4908563cba7c3c72c17cb678b82c22dd4ed

SHA256
f9baa97b0604c5ea2f84bd2eb2add605fdfe2d7dbead65aeb5b9c1d0dc0c6632

SHA512
7797e55626de0ada907058e508ff4d61586093e6536e74cffa6aaf75540222d0300b0c5357c2baff94c89747498f7df5d3c1ddf7aa940617038453da82012926

Download Submit
C:\Users\Admin\AppData\Local\Temp\MAEG.exe

Filesize
187KB

MD5
a929b5c0d0e4e8ed4a1745f73cd6739b

SHA1
e852aaacedcce9970d539c405df5b642cb6a93e6

SHA256
4a848bbcdf603287215a23948e5946646a91fa5c93d591710771fbd4397a06c1

SHA512
725100b2aa7ec55930e9fe081cb82927ce01426186241427a1070826aed5db98e2b4d69fcf7200a25dd657cbab4c4362d51db21f3920dd920b29f4e5f729eb68

Download Submit
C:\Users\Admin\AppData\Local\Temp\MAIK.exe

Filesize
209KB

MD5
dd0948b404c8e06c51a72b33cabf44d8

SHA1
aa827e0482924a32127450e6a29fc9a2e10f21a4

SHA256
7e20dc20b882717413d6f6d8a5e29b6fa01aebac81a4184b457801975bc096b1

SHA512
cdd8acc2ca2406f0a90d26eb32a452a9e721b928ba20edeb283d430280425307e2b24854dd179c33212f2772dfaba0083ddc7f1392be2907565c0c84596ef8d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MckM.exe

Filesize
191KB

MD5
281ee2807efd1d7158fa5c6968e17fc7

SHA1
36cea70f2362ee4d2a61f6b50a1b4e3b0ffa3784

SHA256
dbf83487ab4f7580dd6f9d01f83d6fed81c10326796257a1d322279d8f2e0f1a

SHA512
27aa457b376227f53fb085e68decb27b20ffbe43ca8d30a77d17319d0489ea8c081164e8fc6d334bbec2bf7ee3c3d1195e153bd381d755679aae38f9a0e7aab2

Download Submit
C:\Users\Admin\AppData\Local\Temp\MgUu.exe

Filesize
657KB

MD5
849667f6e772f6193051d185394a1500

SHA1
2b1f33cb39cacad0ab6d6d4a282d3fb73eab8238

SHA256
37a568dadbcbff02917a713f9b1c8cb60c5a84d08919997573859a70bfd4f8e5

SHA512
cd6b19241d457df971e82c4ce1dce8ad9647ca9a400d877412bdb2b467867fb8bc08c31082bc81a46a91e9db192d47f5ed9c5bd51bf66d809ce518290883959f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MwcK.exe

Filesize
201KB

MD5
59943ba544d878d076c354c5f0514966

SHA1
6653a7b080dc95f321ec4550a39133b31a29d67b

SHA256
321ec9b0ac7a83b284c6f216c2be4736c850affc8dae7aa010a3a21da20eb388

SHA512
ca671c11638ac71f9636b95ea201fa2c0b6034ed794977f4e5c678b58a130edf38174a07b62009860f20aee170bef9ac9cb02a10971e79b1a8c2f86780c16aba

Download Submit
C:\Users\Admin\AppData\Local\Temp\OQck.exe

Filesize
216KB

MD5
82c2578b11a86bc6e16a5bb6d279c11f

SHA1
1615bee771737ef683a9434f895fee28c74a423f

SHA256
a5fbc457bd84957071617c28e9c1eadbcf205a199e1a12bddf974f41cbd0d780

SHA512
0bfbb632e9817fcef4314d77b66c4f6eeb5b3545cbde4424423dc43ff917d421de92a3b8e10329de3fe8b2ef874c2d6f955abc5ac3e1cf67001b5af4280ce3ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\OcIe.exe

Filesize
821KB

MD5
4f68d795c682759e2cf8175c9c9fc1ea

SHA1
d8e26a170adace14e184b60c53454f989583510e

SHA256
cd4dbe0c1d2cdafcbf537f99a86f72b949715fe23def2f8520f93872c3416e25

SHA512
f3a135d0ff6824b8ffabb12ccceea89077a1f2aa0572928d961afd3a45bca3d3b5e87cb101278ac26d8ebfd9411a9976dc2cc5b34cf648762c382351f0556208

Download Submit
C:\Users\Admin\AppData\Local\Temp\OsIw.exe

Filesize
196KB

MD5
5a35dffbcf93a5a13b6964394881e7b0

SHA1
f82dc369c297a65bde5d91d41991f4d8354a6777

SHA256
5619a893e61febe1d3cfa04ffadee3ff2d50a5953632fddd89d4ce5317780a39

SHA512
f48cb079e69b219771bd3fdb9ee0d90fa8fb961f18d245e063f38eed9380796be91daba749ae5216f8d3b7e567da41e125605c2d49cc69edcc8d93649357190d

Download Submit
C:\Users\Admin\AppData\Local\Temp\QYkw.ico

Filesize
4KB

MD5
7c132d99dba688b1140f4fc32383b6f4

SHA1
10e032edd1fdaf75133584bd874ab94f9e3708f4

SHA256
991cf545088a00dd8a9710a6825444a4b045f3c1bf75822aeff058f2f37d9191

SHA512
4d00fa636f0e8218a3b590180d33d71587b4683b0b26cd98600dcb39261e87946e2d7bdcfbcd5d2a5f4c50a4c05cd8cf8ac90071ecd80e5e0f3230674320d71c

Download Submit
C:\Users\Admin\AppData\Local\Temp\QYsA.exe

Filesize
189KB

MD5
cc87239b9f8eb165872c08524be2093d

SHA1
a29804b29eef6fdce77df8bbfc99a59058b9a2f2

SHA256
79cac3a6c98190172dadf6396ed2d8b9e2f5e13ee237050587269fd03ba07f91

SHA512
43f23323a042416931ac7ac779703882a72437a39cd16e136c3a63b51ae33038581406f6f14acda7c74b4a582514e43c6a3435b4c0ece8aac9ce70f5424cb285

Download Submit
C:\Users\Admin\AppData\Local\Temp\QkAk.exe

Filesize
204KB

MD5
ef9225f1fcaa5422dde79591ea893a65

SHA1
67daef153951f13ae09c313620e767937ccdde20

SHA256
80c937c844b5b66e7fb13a117e43a66c37533c53f41fc7005aa64cda4345e291

SHA512
f7bb2100cbbf6149ea0bc6310397c6113c50c518397f7fb8e2ac860f85d3fb942d1b281ee523de6871d637ba103b68ec81567266fc6554cf1f190d458489cf6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\QkUW.exe

Filesize
777KB

MD5
e890d839c0fdd43860a000f1425119a9

SHA1
5912563f77c02942648f1ef85ad34aca2b1ac1ef

SHA256
19bd2eb5e1dce9d9b5e41bf8048abba599c90e6e8464b902acd08b51ed70f609

SHA512
42924456d008b705a64c0928b38a0ad6a9d3328affb0eb25d70850d283c38f3867c74564c07357b323229fdc31c497b602d9e94d4f94e0ae6cb208eab40e1cf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\QwYg.exe

Filesize
199KB

MD5
4a7083c22daa988f26ec040fc5d3debe

SHA1
f126ade19d3f6b950f334e78b255cb88ccfb8a72

SHA256
5c425464d202bdce9518de1d0f6b05867309651d65d5d3dd8aa96c5c69dab17f

SHA512
dc7b03afffcf11a447a2ac6b1d8b231cec317bc2080e595b8e49f10d869bf66f2543e2ae14e0fe00fc521a212c83961a38d19609c6c86c7589d5d4dd26d6fea5

Download Submit
C:\Users\Admin\AppData\Local\Temp\SMgS.exe

Filesize
183KB

MD5
dce5368098251d385b2174ce19c65f0a

SHA1
e289c4dfe229f8eeea5f77bc02e16ad93d28b148

SHA256
45a1640ebe53570339f4bffce4ace5230d3b2b262679e0eb46523c8d26a3940e

SHA512
91d140a67403decd21d49920d783417f97305bd4e086f431059eeb9e0147030bae02a0696688d3bda8bd1071d2bad38ea4b9a9ba34ce9595f814a3927bc7a472

Download Submit
C:\Users\Admin\AppData\Local\Temp\SQcw.exe

Filesize
594KB

MD5
9018088f71bd1592851a5c0efdedd712

SHA1
a5ae6e47fc78d268f3dadcad098b54e7bcf4264e

SHA256
1446363945b07f8ff1b971e5276b23476012fc39159a263bc5211d093d251f49

SHA512
e8969a08dc21c013fdfc7831e741fa7e123dc3ed0950abfc734eeb4427e8cda7bf396597dd5c141dfebf8f44687452e8ad2d54e2605f97c807952c2cc6c8dd77

Download Submit
C:\Users\Admin\AppData\Local\Temp\Scsy.exe

Filesize
207KB

MD5
4b202dcd6acc7436fa2553bc17be0b13

SHA1
7387b81db664544a6b10bd48d1d88890583cb911

SHA256
a714bc405eed5fe56bfa132a60fbb09dda661834b039fd9c2e9136155dc97a04

SHA512
4ab01b18f90f86bfb5a7ad00d828b0b7b7ac7360181f9aebbe6df9b983f443e11caf477ee2a47836466c5a64cfca785f4abe8d7ac0820ec2580b325743feb299

Download Submit
C:\Users\Admin\AppData\Local\Temp\SooU.exe

Filesize
204KB

MD5
e0c572580cc6e12a4acf9720f2e715c1

SHA1
8c58d9e3f527f8981c3d37f9c529c5feb55c3c71

SHA256
c4788c8735941fbf20ccde9cf602f2022eb24a70eaac5b8b3be8f198f37b1543

SHA512
3a8cf23ca035d2f4ef18ba13c54e0bc73134d40c1844bb70eb23932765552f1ab2761c7ab2664aa0dfef073e1d790a3913a74ccf395d9e80cd3f195c5cd19689

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sswo.exe

Filesize
186KB

MD5
b1b38fbaee2fab813580155e1d853c26

SHA1
61a0e089e9411fc7fefff023238b0fe9f481390e

SHA256
976d3b2a21997397ef5fece5fe42165e4819fa644e1439461b9f85c0c0f71e1a

SHA512
2d7e08d102a4bf8ee46fe683239f2e1c8318a0d6710b5c32cd9c750a759e653a43617b042ffb16995e12990502b56118527a05e88a7c07f75525e225baf400d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\UIkS.exe

Filesize
457KB

MD5
945e3b3bc67d149f8d90d35272988366

SHA1
b2b6fead3d331056b20ba96819a94b6198e778c0

SHA256
8a481dca3342266badc8694b45d252c4b5d82dd19a6f8c1c1bb981bbe2a9c7db

SHA512
fea4091ce0473aac3e8d050bb0dd0ef9fa8e5d54cb1b26c4e50c93d598a628737813e235e66fc25bade8189732ef4c86046faa23fe73d80bb272161dfc5e5373

Download Submit
C:\Users\Admin\AppData\Local\Temp\UMsu.exe

Filesize
202KB

MD5
6727c8d6e4c56f95aeffe0d0238ae90f

SHA1
5f0e1376244ae742291fc7a7eef8013258f9ba85

SHA256
c0d9f0cbbaf509781baed880a5ec4537960e7f02d8f9ce688539527677b4ef2a

SHA512
2465e7c514d16fabd329489994d621531544aa2163cc2c20da6e9408dc09d474acb94a24c3ec517bb6a678c1e63f71098ea3680dd0ad9fc9b23a651b721016b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\UQUe.exe

Filesize
1.4MB

MD5
219b385b25675b408a49c37cfeb1d1cb

SHA1
30f7e88c753f2839355f4ff9d296a4f2bf29b222

SHA256
f7aa3200f9be2a336699be05aee6bd7dac68d731fd85be2f50e180e1907deb32

SHA512
53f5cb7a264e268dff7eda00b6e3bfa5648e0048d41f0471ea699ce72113489560f16a215a0bbbee65c88577f584097aeadaec03a6cf4511a3f696d5b8dfd8c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\UwsA.exe

Filesize
200KB

MD5
243d51ea39644103af04584a1ee7a0f6

SHA1
a2e6ffea90b8aff7c910da761cbf4e614d6160cb

SHA256
3cd4db204a402f7711e32347e7be932c80d08fa652128f5729926e0948c96513

SHA512
c0d395e05de77166cbad1755291e971859a880484e74012a39ebb7ca8e389a405d28f74386aad5eace7e214ddc808d65d6e7d3b5330cec5220d90a22b665a1f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\WIQC.exe

Filesize
216KB

MD5
d198310b7c55aa933c1d2f318e37a9fc

SHA1
47b350562dca88032260a98201fd071dd9806d53

SHA256
60066958f2ac9c3efdbf07bf89f207f32564c943177df9098f7c2f00fdd21984

SHA512
54e2448765c318bc545882dbc05e5e1f21acf6aa49f22b2be2bbf16e07f92f5bba36ffc33ad0e1b9b7b72321bc604fcc2ed2df8e0fc59979171fd0a68a0d8854

Download Submit
C:\Users\Admin\AppData\Local\Temp\WscM.exe

Filesize
195KB

MD5
62f3806eb65662ee5ad86a391f4b3a65

SHA1
8c2372e702918770f12c43441654cc936fb7a632

SHA256
e8a5d1b14f239f871cdcc168630c81d6285e19a2759ce018c0dc9dc04aa16e24

SHA512
83f8bed97453be3c30089295ad5bbe904d6348fab1d919c99847644389f122f48eb8bd536024600b3037db22c068d9a378cd2bc32f57db2c9ad8d669255a2e09

Download Submit
C:\Users\Admin\AppData\Local\Temp\YEEA.exe

Filesize
797KB

MD5
6561177797a84c867ccabe497b3589ee

SHA1
6c26a22cd4d218550332abd7115e62b77b104bc2

SHA256
a540241c323407cb6a0b1dc3f444da7d3a6c6f5ff74a4bd760e9bb9ced9cf6da

SHA512
6785bf9b12c4fb3fb75f2cdee5a65040fc9513e4276e7b557d374310228977ce77df78a80b428b5cef96ab53f04ad364396bf43adf2a26936dec8ba4ac5fe008

Download Submit
C:\Users\Admin\AppData\Local\Temp\YgQs.exe

Filesize
183KB

MD5
d6f751ad2028bed058807f38c7b74a29

SHA1
2eb1b4dd317f063b2e79f0766f13f46fe2f417e8

SHA256
c48232c51409e573687b2d3a733f6428d22b956dcd9ba01fe5eec9cfcd3e9fe3

SHA512
cd438acb902c4067c6380f010b38a33e982582c430be4b14c2a87ccbc3f9ec2a439d431d069a58b65e36098723d825cfc4b35193b0cd1c738d31ee2fbfbb2780

Download Submit
C:\Users\Admin\AppData\Local\Temp\aEAA.exe

Filesize
209KB

MD5
21624ac918eaaff3cf8f460fa6627f0e

SHA1
153728c49d31200ac2ac2bd0134ca4e572e02958

SHA256
83e107a75381bae6343972479128ad26954352b91883d5c0337debde99335284

SHA512
a2fe9ec91db9190e27eb64168e4bba65f21a7868c9315f4cc95b92250a62cb5bddfc18d721940fe69426598544b81061f49ceb8fa97fbd06f022fadc2b42f6d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\aEks.exe

Filesize
208KB

MD5
dcc0068d6d9d4e336569ceedfb3e470d

SHA1
4af3c75d1ab92d724e6a2b2121b6e3e95cb65b4c

SHA256
a179d5a92e0af9dcebb8c65fb0279f0656ed8ffa2f29386e95662e3c29ba6dd4

SHA512
b5d57b80559400c87630cd3abc59e12bbf0c101c914a7049493e527f402478d0aacd3f0c4e75673538539d6a2f29bb0e4fd243a07b5b8b94812a88ba8407aad0

Download Submit
C:\Users\Admin\AppData\Local\Temp\aYsE.exe

Filesize
576KB

MD5
98682b83d6db10f9215e7bcc0054a2e2

SHA1
295f48afe3423602b2a3e51bb1fc996aac91946d

SHA256
6f1382f45814956eae7c4fc75d16b75a12db4a955c7cd9b5856bc476cfdb9d37

SHA512
c44015331845733a82e9c638ef0009871fb4ed8270dba691f096ea9de9d2d3c9655c366bb40f4fbaf0557b2b461c4329fbd4d555027fabafed1f60570449768c

Download Submit
C:\Users\Admin\AppData\Local\Temp\asAW.exe

Filesize
473KB

MD5
00db150a215ce944edd29c3970dd873c

SHA1
d130a7fc5e343dc4870d6ab5b2941aed6b98391b

SHA256
2d554131ec13a1ced10a4a928bb94cf4be90dd558bd019b406d4b1bac873c595

SHA512
77d1434954ae976179d92dcd061c1a21f70ed084f392d18328c24aecacf50b6dad952fe0bd9a6bc64218c09ea80ef22bb71396f528c20fea7f5a053d6f1928cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\cQUA.exe

Filesize
192KB

MD5
6104190803c4788cbf8a33c471d8786a

SHA1
b33db8fe541d52597d2b3399673a26f91591109a

SHA256
21239a1a9b88fa0d2d616566f06872d53fb0ecfc77f3a1e5ac18287c50a75a41

SHA512
ec3e7230639df6afd35c87b649352bf682151a85d064d65a427600011c7c561eac0ed508cc5baa1b875afbddaf36e8ba595d11d1a01a2a9f2b8063ce1658e6bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\cUwK.exe

Filesize
329KB

MD5
d3dffb15928375ee841ea4615b71dccd

SHA1
933e70bb2980a08103f05744a39f029c15fd4da1

SHA256
da88a66712e6f7da86c4cebc1662fea54f85502dac8d81839333121bd38ca78b

SHA512
9026db583e588a5c97c71f513f565b8d21c0db81d359ad1335c470814d8a41e441a2edaa98b6c55bcea2b29f5e92414b86e65de20a78e84b0815cd5d1b712905

Download Submit
C:\Users\Admin\AppData\Local\Temp\cgcs.exe

Filesize
199KB

MD5
28171331a46161a7594b1da98d076a20

SHA1
e52e919c4391a6ae83abfff7d77e56a6bf5d2ae3

SHA256
81ccbec812272bf0edfac1b650a628195bfcbcd58e5809f5d1f92b0127b71241

SHA512
6a39af353259fb523e39e5ede76342b4b9d771069bfeea592ec891491b7bf13549ee4fa8771c94f6bd12edd66b3384d66a44f505c3c501eb46b2c9552bd338b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\dAYwkggk.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gIgM.exe

Filesize
187KB

MD5
5ad627c51931261c6a5924f50d3df790

SHA1
511ba70187372dd91f7a16fd4001869a3a271d31

SHA256
525ce70de720f067b95fc3bef413254dd8a0a51b4fbd009c8a64c4a2010310cf

SHA512
4e85ae403fa345dfefd29585df372e281b7e8cd37443e8ddd411e6e61b84fb45362480ddc04234a242c86a8a5999cae68c9e4a80ce0f3c6f5e65d01b8644d35b

Download Submit
C:\Users\Admin\AppData\Local\Temp\gkgq.exe

Filesize
513KB

MD5
4f66069073956ce46c43355190d27042

SHA1
e985d28852555975e074941f00d6f267b09a7369

SHA256
2dd6c8f57e9d3cf94d13602b306ef4186a657fee8b177ce86ec457f5e2e0ff3a

SHA512
a7518d9081f17c6939238da07828b28f84272eee4fd80bb5d0fa306fd791c3d512c8a245860850131454c572bd5868827eb70521ead1776e605aab42fb2d05ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\goAo.exe

Filesize
240KB

MD5
63126641a43b3f12de777a147a28ab43

SHA1
576fa92a2e1edddbe40c364b60a3156b8666a4dd

SHA256
6d25fef48e1d062d20c75af04aa5d94d10307927b467edecedd5acdc416fedff

SHA512
e4687f97c308eeb0ab0a63d3e0206c468e5718664ee328292e2f92bf7155bc4388577faaebeffc154a66fd1b5e142463d360524df62f83570357f028c0fe58fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\gsku.exe

Filesize
188KB

MD5
a833475b02162364622a6f1d8efe35b1

SHA1
60abe7cbe168fef118155457af0b54bc65bd9337

SHA256
1ada339f9d0ff848bb679786e94c80b2bdd320c89f44bfd190e213de5c45a2e0

SHA512
f0cae301730f5ca3b2af05edb51a91447acd79c32d565a86850e07e3e64f002072e02f8c45c339c6fed076879531b094bf4424d82f03bad4993df77653b507f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\gwEM.exe

Filesize
712KB

MD5
32c3d5d16d153c2922fd0a148e52cc70

SHA1
796b0e2441edd1f1e118083086ad7cc7d7b8b9b7

SHA256
b1c9f20dabec2240693878bb19d219be9fb903dcd50f2465f85f5216e72c7158

SHA512
7dd6c8a67a129d4d879ee1d8373fa19ab01e17fb9dfe85bec0b0ab4860866a7eec47e93e248c32fbbc22e81c350812d6dbd46138806a9301c4d3a0ac2cbf7a9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\iIEu.exe

Filesize
192KB

MD5
cc914d7ade06fbb7952070aca21e1561

SHA1
b0038ab5419cc31202508257192c56b3837aa4db

SHA256
ffc3bb160e9aedbe2673e08c3d760d80d80b055f5c02cf86a1258501cadc7c28

SHA512
e8538cb5a619a4e8c6866030e815abe1ad03893b74405130633682175e07f8eb80d146515e56cb43f2fc20b5d6b090b9b6be3190defe8bcc5043cb5938639905

Download Submit
C:\Users\Admin\AppData\Local\Temp\iYAu.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\ioUI.exe

Filesize
728KB

MD5
bac1de57b838e01edf595d853a36f64e

SHA1
5722767da0726b6a397154a288f08bc7f053fdab

SHA256
ad0bb7290a98cda3ec043d632cd20ba438fbf5da34fc4d8649a6d0f63631cbc9

SHA512
7da5a68a9d43abd32841aed77389723dfdeeace68463f98184829e3f135555b0767019a95a3780f30cfdb83346ca70435b6a99b2c79398f0d76b2c99acde3db0

Download Submit
C:\Users\Admin\AppData\Local\Temp\kQAK.ico

Filesize
4KB

MD5
7ebb1c3b3f5ee39434e36aeb4c07ee8b

SHA1
7b4e7562e3a12b37862e0d5ecf94581ec130658f

SHA256
be3e79875f3e84bab8ed51f6028b198f5e8472c60dcedf757af2e1bdf2aa5742

SHA512
2f69ae3d746a4ae770c5dd1722fba7c3f88a799cc005dd86990fd1b2238896ac2f5c06e02bd23304c31e54309183c2a7cb5cbab4b51890ab1cefee5d13556af6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ksIO.exe

Filesize
641KB

MD5
ff70eea1a089179825e582bd9a8a8d9d

SHA1
d49474b2ff7bdd02b573c8e58e6e368fec88b896

SHA256
beec7dbfbec234d6838980eab40f47181217b48d6420d961272b25073f1e25b5

SHA512
f02f31257fa8336ed4342793869838c44f5db93287913450536c40536a568b4cb594955c761d833b9fa47217b784f988ec4ef92759e3095d347f121eefa0252e

Download Submit
C:\Users\Admin\AppData\Local\Temp\mIsu.exe

Filesize
1.8MB

MD5
d77b4f02ad4c901abd8bbf844fb93934

SHA1
cca90c0fa9290c865df37d89c3b17551288caad9

SHA256
64667e7efe541aa132d7287c4f7fd42c09ffe816c454ffd4ee4c0a6c88308580

SHA512
ee20a999af04996c740ebf968901bfe8bfe8bb9d0bd8f5a9c8c5907019862000f42fc0700f1d2c375e023254eceea938eca5afbfea7b025cd12923df13f2b6ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\mMwe.exe

Filesize
214KB

MD5
c1069d343397a75d1c57bcaf6ad28961

SHA1
5349e34cccc6e7d5776fc0d96c62ad42f4ab5b99

SHA256
60e436fd57e3b2a14901e239ebd947e68c9e97fa57e27ac2551b7605dbe95085

SHA512
365d6e9a422a45ac8df3e429caaae3bce4f29a059b2365d19b0d32979602d916a9686ac150327bbfb7a1e03f6f898e05ea6dc871a70423ae6a5c28ca8af29e24

Download Submit
C:\Users\Admin\AppData\Local\Temp\mQEE.exe

Filesize
802KB

MD5
acf03a5e0afda473f09535d701ce6639

SHA1
f7b4ef05559ebba31b2de22d7e9367ab8c093123

SHA256
6bfbaeef316af36dfd666324f81dd954617646ebee683499b1203548962a3a18

SHA512
38c7251e1c2d102138bac86ba57bb9cafb0d472e08409640434dc65e67da818ca15686005ccd0ce237d8c001f5c5f2d392553d7b8b4c1ab59d2736fbab399bf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\mQMm.exe

Filesize
206KB

MD5
7be32e190c065b4d6931219855acd3f6

SHA1
cf0de24679b948d207cd053a82fda347958fd600

SHA256
77f7d84c37e99ffb6ec8e1eb5cc7ffaa45fa48af73f6112e84b7fffab8f6a341

SHA512
4dac96a0cc0896b98c5c6ee33dc953fc6ff216f9a4271657d1fc6b1d7d88fafba930bfc1b7ec91cbf6242f695c5a1a7cdef739ae46f3b6605aea7090df693ae6

Download Submit
C:\Users\Admin\AppData\Local\Temp\mYsC.exe

Filesize
187KB

MD5
25b488598dea2ef4827d50eefdac3e01

SHA1
41d3ea27799db440bdd7a13bce495f6a1bf38625

SHA256
74826dba794f681bd094e8503440845d11511082b315538206d06f7d54c4abaf

SHA512
63cadc541181a12abd5f67f409d9a6d744ede70e04647af6ffeab2c9246cda11e82acb71382a2c1590be5678ec38e283675f5a34f6384959b5555723151ddff5

Download Submit
C:\Users\Admin\AppData\Local\Temp\mYwY.exe

Filesize
209KB

MD5
941f2f4e2b536a883ad7a9a55ae11bf2

SHA1
29b9d20c340c46d86d15d16d4765e3d050fd83d3

SHA256
4bc7a8b078bf1a48432c5e59f8b8c44e676da2d74d86146b0920182a742b5820

SHA512
e79f66640369baea8c7f994c72fc6335da595639f74b35b9c479282bc353f9e4b8bb5e37e331d76c97d84860ec1182559cfd4fe81b2ec94096b6a7db1ce482ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\mkES.exe

Filesize
189KB

MD5
f389a9c2f588dd3d2af7e87a86ee048e

SHA1
2393963d97aa11d9f723a07f18911f56a0d0bd7d

SHA256
ff42b190c72002932b07fb5f57b1dc3656b316ccd8bd53afba2dac0e1d337315

SHA512
a5a886a4c36dff32bb46d3e593f1634a887c11f38438988efca3a276182415b7226f559c8c7082aa476ca60aecc7b7408639a068a4936347cdff53369c3f678a

Download Submit
C:\Users\Admin\AppData\Local\Temp\mwIw.exe

Filesize
308KB

MD5
d0094be12950485cb6bf28b60fbe2fea

SHA1
ed3e8e8e259b7dc567489fac6f90ffa1c019f66b

SHA256
4c39482b1ece4a8bd389f0c2df5e757868a6645ee25abc6961c1416317e3ed23

SHA512
2e8ef24858860229d47bd0d473b816644d272d0291e7561735ce4871b1c042966eb67d68479a40c2971fe2987fba1cb5cbeaf0830a5ade7fb3dbd111944b09e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\oYYS.exe

Filesize
197KB

MD5
a442c2f152d816faff948b095b9819ab

SHA1
7de7a28db25a29e8e2293e8d5940ba5c3b803105

SHA256
22ebb923a2a36ba66c4c34e756ac98637ab2d10a90d8ea66fe6c016b9fe3c3d2

SHA512
e6e9e7d8f2f449b17384476b7afeedf6dbec6c5c6fb2f306eb534a76ed99c8f397048d4f4f8a4185c3a7e40ecfe0050f135debf45d2af5de186dd4d9ac8a4c5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ocAU.exe

Filesize
208KB

MD5
befa5c66f1198e36a0e94fe0ad43e793

SHA1
3cb54c34294d933200eb42b56745050b836567b7

SHA256
477873eea5e0796b41eb9785d7cee1067e210a17e62386991c96571ab4803b49

SHA512
e69c7662ea9f320c179ed4ba19cc63d71f6fb92247f9cf7133169914fc93e602e6c81a389d47a181aaefe9854e5a7b69347380967cf70495041cb22f1a99772f

Download Submit
C:\Users\Admin\AppData\Local\Temp\okcA.exe

Filesize
189KB

MD5
9ecd0a6765c7019766899112411f7898

SHA1
485b1e93c74848e00b3e5b9ea5397f1973464c6d

SHA256
d025eb45b93408619a5015f4dfc3b753d3c22b7b2f315af118d23945e5303ab7

SHA512
71098b8939cf0358eb689e58557bb0d169546a79ad9cd697444bbf36fa989c02b07ae80c801307f2c5b25c738cd0b539d81a265352b6c1c14d55f8d2e07a97ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\ooAi.exe

Filesize
5.9MB

MD5
0f04dd2e6e2405b0864410dc10c8d22d

SHA1
023cecfb102d03fa0f738de531d121ac5c19058c

SHA256
cbe0a1970a95a61050158a1a8c24299cd959639f3bfde6860570a2c244d0f0ae

SHA512
4411586b6a5d361cdfad19f9076a29f6f1fd4bffc0666dcd89b0bb1a026c3c81fae1e2d8822711ab5c423ac032739ebffd7fca127a0608552badf19bd0b47683

Download Submit
C:\Users\Admin\AppData\Local\Temp\qYAK.exe

Filesize
198KB

MD5
015e34ee994480c1bdb3d519ed96a21d

SHA1
d1241656cf021536ca61372a1d4911f7e4923328

SHA256
7baf9a125af2fbb3444b846cd72e3daa398561f71eaccc39260722e1fd734a2c

SHA512
45c20667a143c09d2e03d765f5456d2f8df63a0591a8b1d8ef08865d73faad0cf39e512fa11767147a0e84b518e46b180a266b83d575d4aa4230f9f8460c44bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\qkAm.exe

Filesize
233KB

MD5
d78b646734b18b23b235b856230f61a3

SHA1
7bc432400f98b8970b980e8cc88d1ae965a43f54

SHA256
b02acf5997654b9315ef22f54ba826e4c48e0d36dbb48773637f900ff86b25ce

SHA512
589fd2f8666ffa33961fe1c7a685bb9414c49468e1394e9dbd4fa9593460bc1d0e498f408591363efae2799b65c8d2f9f15d99377a4459375254e2d1b3f18712

Download Submit
C:\Users\Admin\AppData\Local\Temp\qsEW.exe

Filesize
262KB

MD5
b055f14e701cd0610dec328338621b4a

SHA1
61aec5d9652923831f8b3e5bfb2e3b2e582e7f91

SHA256
0d5277c9addbae7ebfe3438870f06dec9a0dd7e5ec14ef9196889af833a3517c

SHA512
a03c7b420bc4af386745d7297f9201ae9e871407a83695b4a72c9b3b2803bad7cbce0cabedec972181b227f3b9cd4db165e8c6bba6188db43dcf8e015febc2a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\sMgg.exe

Filesize
182KB

MD5
2483edbe25156f609d64f95dcd924314

SHA1
31b17b66bbfd2a6b177107860b535dd51d062a62

SHA256
f7b008d6c207c952a346ff7c5dbb2f5c904e3f2610d8b8d77f60ff3d76a123b9

SHA512
e292529ce5caeda78053992e7d9ea2f16b36712802551f1e8d72dd9cf4291f4f33b76a82c3324a6039f3bb1c48604c3d7e505c1405cc32a15a299f85af0bbf78

Download Submit
C:\Users\Admin\AppData\Local\Temp\sUoK.exe

Filesize
450KB

MD5
01b446ba4b15b32fc14569a2402725ee

SHA1
75f92e0431be7dad7f5ce2069bbf837ff4dd9d00

SHA256
d01bf4a262b9eac2d4429e2e4e2b23258e7133da23f2b8334569b870896c7b8f

SHA512
d325abccf4d9ef6883943b60c43f1e3b335e8eac1f7b545ec40f8e28aecd11fe5bb7db25a1593ee69ac86ebdc88d6d07e39138744033097dd876363e889a342c

Download Submit
C:\Users\Admin\AppData\Local\Temp\sosM.exe

Filesize
189KB

MD5
9289737396d5b50391111f198db97759

SHA1
b1a2c53fff0591a9378702e9f7da6b97ec948a1a

SHA256
44737109047ad87fd0f377b4eb5e3db901841735f06df6c306a61e9e5233f317

SHA512
01b8c91a4cdd39fc40133c4d2cf590889f2a799e78f19bdb52e4476475dc7796c2f0fc3b2599e1b8484e5b777dc8b02efaccec26b139d144080e4f22787b88cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\sowg.exe

Filesize
218KB

MD5
7b13e06a16775d4dfe2dc547a75ae0c7

SHA1
50936334143d47669e3611d6eab897baeda6b48d

SHA256
089f771d7044a6f7fc08a32e0b7ea50879af9780b37fcbf6dd091f15c787b091

SHA512
b9266f21f215fc9b4efe2b7193db3fa766f3aa159bd41771dea7f27c17fd8d7bb237633f9a58a82a82f8c64e0c87b2419d650e823cabf76c3c275762c5063521

Download Submit
C:\Users\Admin\AppData\Local\Temp\ssgi.exe

Filesize
219KB

MD5
f1b74924fd9c8b597eb683304b8bc228

SHA1
8360f82197c9c1e22cea42179d01fbec4786c959

SHA256
1f3f8e45a4f038656c36e25e41328e063df5356898fc723afb383989f31169c7

SHA512
7384149c749f3e4fab3b849c4092eb01313e0ba14a0ccc5a52b9620434a647dc146c45b648bf59df4e94b28c991af5665b17daa9b65413a8b49c5fd431f875e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\uQkQ.exe

Filesize
804KB

MD5
08f783abc9056cc6cc320fdb4f5d0d23

SHA1
9c0c887c71e77e588ce0850330b764cb53d819fe

SHA256
7c5ba5231f1063ee477267c28004bc7fc866723c02ee6bb8a961703ac92d27c1

SHA512
38dd77e09c2e104e6584b00d145ff7840b806d74f7175d35efa6db307e475defe3cd7f8663a78aedaa1558afb4eb32ff53148252919924af076ef3ea8ea493c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ucoM.exe

Filesize
195KB

MD5
5b6b0a28c481b3e360f030694c8908ab

SHA1
e890d4ae17d1c5f38cd4ea88068a1b11b6a70e0c

SHA256
6337eda3a6e24e497756ce202fc58d263b85d7762313d8c6387d5596304e2fb7

SHA512
0c57c12800c797caedfaa1c347c75e53bdbc3da8d19ac0e0d44e0d04f93eb3ad3356be54ab3ef988272a694635ddafdfbb7d8f0546cddb8dc38a58fca3883581

Download Submit
C:\Users\Admin\AppData\Local\Temp\ugIe.exe

Filesize
212KB

MD5
051165b2960cd062a23b7e18c0dba76d

SHA1
3ae683da0b5ee4c2696c4dc68e080ede3e58b91e

SHA256
b8bbf20297bbfb1a1b81408ccc53578fb178c192ffb7bb8eb148d645cf2deaa6

SHA512
902f688dc12fd7f795d54237239442abff855cd0ca14c4238818d9288bfb0997707c8ab57aba68ac455c222d0437774ed730c645d05585fb627745dd3abf86ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\ukou.exe

Filesize
182KB

MD5
4c613d10b939c6626a65f74b0868eb7d

SHA1
e443276a6a75e0b82df88eb0823b20d24ddac1b7

SHA256
564034cbaa7c2c32dbbdd25dd604d5a1d8fad2b114b68f2d816e5a41a553e6d7

SHA512
d953a6d68740a1cc5922e501838968980bdbf4445d0cbb48a8b2acd774763ea06fc4ae4e217eedee1dc8ad5647edaae488d344107c883d15ea2208d5234239e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\usYy.exe

Filesize
657KB

MD5
e52b13b35800d9a33c23be1b22cd8909

SHA1
ec306b2ffdf732c20d821213325806e2e133deb7

SHA256
3e07735888a997af44c1594c3ad616513bb59c88876caadc8f4ffb5f4e864e6b

SHA512
3b8fe570f0dfe4a9e112a76b5e6d9626f7ac6da0525c9b7c4e3f675d4dce88b2f85c5423f0bd9fc0854b1cd24f475a6b47e9a8cf393436af8e6c41bbfaa989bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\uscM.exe

Filesize
425KB

MD5
2ae277d067ac7aa51cab2ac03f426740

SHA1
c1610500ad7bc3437173fa34db3aec110fb4bdce

SHA256
61be3acac53239079d4fe59f566b64e3f5bb0cf53161223f65fb4d7aea40db6e

SHA512
5e2d90614503be894e657b2606fe2b35cbdeb4da48295e616312ed19286e83313e4a4201c82c6047280bd69cd404aca857406db0b0cb493458cab0640e42dc65

Download Submit
C:\Users\Admin\AppData\Local\Temp\uscs.exe

Filesize
646KB

MD5
8696d300df3b7ddd311170ce2f076139

SHA1
c670de442121b45e47bd84f5fd743cbdeebe1525

SHA256
83bddba8036675bfae02b47da998fc645c02b26c8daa26345db20adf4eed364a

SHA512
15bdf91fed033e63aa26f0a67fbc766330511898bcc7755f21d7e0f6a8f7f1b099941d08b76a368b4b6cf375359f44b2ea7cded087b618419f3f8e67bbb1ca28

Download Submit
C:\Users\Admin\AppData\Local\Temp\wIAC.exe

Filesize
200KB

MD5
99c8d44dd44acae6e239e3726463eff3

SHA1
996c033e6037b6bec5efd74faa5e1770d4c065bb

SHA256
2aed5f15621af833c1df12cf156e75c63e744692abfd3b013820ee57f3ca4cf1

SHA512
456b09554751952ce50fe39d831343c57b92ccb1dcd182d322504ff4d009a2bf6bafe15dfdef2d32466ec5ec253b5f7ca2726c2eb414505b0857df315580a194

Download Submit
C:\Users\Admin\AppData\Local\Temp\wYEM.ico

Filesize
4KB

MD5
6edd371bd7a23ec01c6a00d53f8723d1

SHA1
7b649ce267a19686d2d07a6c3ee2ca852a549ee6

SHA256
0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7

SHA512
65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\wkYK.exe

Filesize
208KB

MD5
b54bf345be5c60bce9babca637386d28

SHA1
da5cfaaeda44583504826910590273b15da68c8a

SHA256
6bd79be063853759e7a33d82fa7a34d3227eeae8015215aff2cf8c0329de6e9c

SHA512
633c744903900366fa37be676389b16b9da23828cd16cc6c8f3714e327dc05fac657228230ac23a313408f2938ab9f9c4825ab9ee1071e0d6b15f513ff05ded6

Download Submit
C:\Users\Admin\AppData\Local\Temp\yEYg.exe

Filesize
192KB

MD5
54fb3929a7b0b97a2420447bf45d9172

SHA1
49da97c057552e3fadd8840b33810c9ded1ddf03

SHA256
64426b3095392d61a6fae207451dc9911d1b8eebcc845b6450d6c39b9f2c25dd

SHA512
ea2d0ac269e8d6c818b14aec5db392936e73e575d4b6b28805538c0bb13c8fff7a28d375b3e72cd11edcddf5dc94141897531084ae25af9dc4043ebd0658a5e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\yUsU.exe

Filesize
216KB

MD5
49995c999e7988ce38edb2a5c4d799a8

SHA1
36721626c66bcf185dfa795a3cabb110f0b86537

SHA256
3cc14461244bd12afbb0a46df14413c78569535774a7e38d8661431fb6817d7f

SHA512
730e5b4b70d3d0cb10849360e83bf8d7efa772146166a51dc0ce83348983804553e17973fe7c684cdf89af1c8bc9a50d35190e1919ffb45218e87323a7fd5e46

Download Submit
C:\Users\Admin\AppData\Local\Temp\yYss.exe

Filesize
194KB

MD5
51e1159a53b047937184d598a550a64a

SHA1
43bde87dcf75018ad874ce5dd01ed0bd5dddb0ac

SHA256
365b986be28a14a8b2e25f731502fcbe5d9cfa10525151a3a135e29aea3f1a40

SHA512
b595c00e6c1d49f23f3b08c39e1bfc91a8bfa167812652d34795e3331030fe42d629b0ec015e1e4a4c1220d2ce223ebb9ee11dd868cdee3f5ec3a0ccfb3dd57c

Download Submit
C:\Users\Admin\Documents\CopyUnprotect.pdf.exe

Filesize
822KB

MD5
dccd45a676f9152e381e1f1a95fa7803

SHA1
8a8611e3408287296494963d72a93554903e001e

SHA256
ffbc9a410e179c9e9265481c76e70f479881b37bc2b282c7a9ad991b3aaee4c1

SHA512
cbb4fb8c0a769e3355ea14323e292ac54bb36ad071a1ce6dc200fda64a8d013a820da4fe28ab63b3ef247e429e07de703e25a88e124a84e663b675711a92fad0

Download Submit
C:\Users\Admin\LyIkIIUE\TqwogsoU.exe

Filesize
199KB

MD5
5d9686fb389d2da8a290419a953fe2dd

SHA1
d0f1e8f1fc6e3cb3ebc3393e3d17299d36df151d

SHA256
cd8e9477310fdf772e7764994cadc4b49e0e214cb677109781ff9778fd9f9e1f

SHA512
47c4d43db086b8b62ad8b9842beeae35ef07c443e6f608f5f1f569d985ed1512a27a8418638f05d715343771689747906fe331a21bd9513f9c6790b8fc362cf1

Download Submit
C:\Users\Admin\LyIkIIUE\TqwogsoU.inf

Filesize
4B

MD5
653bc07d615ae78e5bf3f127eb81fdfd

SHA1
904367703b3f559773ac273361fa09f133667178

SHA256
2d269d4139a407dff279ee79d07caa4fa235022a82fa610cb6a2131a9a5c5997

SHA512
d12e4c2441ff5bd4bc35f7b039f84407ea624b9f799c133df49a3298c4f9cc082781c3e521161005b0e38deea1113d480bfa2cf2199b822632ba83afe08e6469

Download Submit
C:\Users\Admin\Music\InvokeDeny.png.exe

Filesize
1.2MB

MD5
a8a7c50ec04b3154cd4c7fc7e84c7416

SHA1
6ca2a6ae5c56872d907b90a53c7b9951fc726f6b

SHA256
97d58c976ebfa838177d3c5be54d306c5ef79e8ff2cc47995ae1ed315bdf00bc

SHA512
a33e067803793ad7a80ba0808eb8c4bac2476eff73213528355f5040f1184637f300f1f4cd8274433b07cd3ede77357c65b54a5a640405131c4d194c2a71cf8d

Download Submit
C:\Windows\SysWOW64\shell32.dll.exe

Filesize
5.9MB

MD5
52aadf962ea1523e4bcd18b00a79902b

SHA1
44fbc221c76426cb9172af3ce452ed94be0292e4

SHA256
f68f030568ed3632be085db9b85755bcbecce8411ebe06e0e8f92c314d62abc0

SHA512
df84b04962b42a69f13e6463dc237a966339480200dadbcf6aebc434199acc9bd2fb2868a49e36d5d91ad422983ece4f584937ea1cf89d60fa434fd389a750f0

Download Submit
memory/452-365-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/452-379-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/724-46-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/724-107-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/724-30-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/724-92-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/752-132-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/924-190-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/924-206-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1032-242-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1032-528-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1032-536-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1176-152-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1176-169-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1428-396-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1428-385-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1452-68-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1452-84-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1624-256-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1624-239-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1672-194-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1672-178-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1752-388-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1760-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1760-19-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1812-276-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1812-264-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1860-356-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1860-473-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1860-463-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1860-370-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1924-454-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1924-462-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2008-488-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2008-500-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2088-492-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2088-483-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2256-553-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2572-58-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2572-43-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2588-281-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2588-295-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2732-54-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2732-72-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2796-15-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2912-34-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2912-20-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2944-313-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2944-305-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2988-156-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2988-140-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3040-219-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3040-208-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3160-527-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3160-516-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3204-333-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3248-268-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3248-257-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3324-110-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3324-121-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3392-360-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3392-347-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3408-446-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3408-453-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3444-444-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3444-430-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3452-328-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3452-96-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3452-342-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3452-80-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3500-230-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3524-314-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3524-285-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3524-322-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3588-292-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3588-304-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3596-434-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3616-510-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3680-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3724-545-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3764-170-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3764-182-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3840-548-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3840-538-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3956-398-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3956-406-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4012-338-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4012-351-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4016-425-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4016-417-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4268-474-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4268-482-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4364-416-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4364-408-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4544-144-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4764-519-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download