3d0c82dfdbc63d66fbcbfbd7c130637473b293d7ff30bcf2b3304f9c19113395

Analysis

max time kernel
150s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
06/07/2024, 18:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
Size

121KB
MD5

4c7959b55961a3859db47073ccbbbfb6
SHA1

c54a1acc69b9df04a6c53c1d930bdd7408bf0018
SHA256

3d0c82dfdbc63d66fbcbfbd7c130637473b293d7ff30bcf2b3304f9c19113395
SHA512

1301826bdcea85fe4ca2a65a800d159a4842dca29633c659ce65f39e3363a5368160ff665253aba11bc8ac885030d797bc6c40b6f57a5d471cc91689f90d946a
SSDEEP

1536:E6pvgqzlgqLub80E8RQhANXdGyUtS5S9Ej46p4NgnkOE1YCeJ1nHaYBxrz+Rm0R8:E5JKKPNXB50PNgkg6YHrsm044EKRJa

Score

10^/10

evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (84) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\Control Panel\International\Geo\Nation	DGwAkMoM.exe

Executes dropped EXE 2 IoCs

pid	Process
5036	DGwAkMoM.exe
3756	NkMsEAwk.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NkMsEAwk.exe = "C:\\ProgramData\\aUckYAss\\NkMsEAwk.exe"	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DGwAkMoM.exe = "C:\\Users\\Admin\\GMsIUEoU\\DGwAkMoM.exe"	DGwAkMoM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NkMsEAwk.exe = "C:\\ProgramData\\aUckYAss\\NkMsEAwk.exe"	NkMsEAwk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DGwAkMoM.exe = "C:\\Users\\Admin\\GMsIUEoU\\DGwAkMoM.exe"	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\shell32.dll.exe	DGwAkMoM.exe
File created	C:\Windows\SysWOW64\shell32.dll.exe	DGwAkMoM.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
4136	reg.exe
2032	reg.exe
1648	reg.exe
3164	reg.exe
1476	reg.exe
2528	reg.exe
4900	reg.exe
1940	reg.exe
4468	reg.exe
4692	reg.exe
1428	reg.exe
3264	reg.exe
3508	reg.exe
2192	reg.exe
3128	reg.exe
4660	reg.exe
2376	reg.exe
4688	reg.exe
3324	reg.exe
4536	reg.exe
4932	reg.exe
4048	reg.exe
2204	reg.exe
4020	reg.exe
4772	reg.exe
3036	reg.exe
1020	reg.exe
3340	reg.exe
4652	reg.exe
3328	reg.exe
1048	reg.exe
2720	reg.exe
2940	reg.exe
1936	reg.exe
1696	reg.exe
3516	reg.exe
4520	reg.exe
1696	reg.exe
2500	reg.exe
4468	reg.exe
3824	reg.exe
4608	reg.exe
4404	reg.exe
1840	reg.exe
4956	reg.exe
2144	reg.exe
3328	reg.exe
1180	reg.exe
4796	reg.exe
3316	reg.exe
4440	reg.exe
2664	reg.exe
2208	reg.exe
4380	reg.exe
3692	reg.exe
1680	reg.exe
916	reg.exe
1784	reg.exe
1476	reg.exe
944	reg.exe
3344	reg.exe
1052	reg.exe
4064	reg.exe
3516	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3520	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
3520	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
3520	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
3520	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
4060	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
4060	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
4060	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
4060	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
2752	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
2752	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
2752	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
2752	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
2420	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
2420	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
2420	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
2420	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
2960	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
2960	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
2960	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
2960	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
540	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
540	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
540	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
540	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
3144	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
3144	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
3144	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
3144	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
4468	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
4468	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
4468	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
4468	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
2936	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
2936	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
2936	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
2936	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
2528	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
2528	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
2528	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
2528	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
1172	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
1172	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
1172	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
1172	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
2360	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
2360	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
2360	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
2360	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
3280	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
3280	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
3280	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
3280	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
3812	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
3812	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
3812	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
3812	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
4848	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
4848	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
4848	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
4848	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
3040	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
3040	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
3040	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
3040	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5036	DGwAkMoM.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
5036	DGwAkMoM.exe
5036	DGwAkMoM.exe
5036	DGwAkMoM.exe
5036	DGwAkMoM.exe
5036	DGwAkMoM.exe
5036	DGwAkMoM.exe
5036	DGwAkMoM.exe
5036	DGwAkMoM.exe
5036	DGwAkMoM.exe
5036	DGwAkMoM.exe
5036	DGwAkMoM.exe
5036	DGwAkMoM.exe
5036	DGwAkMoM.exe
5036	DGwAkMoM.exe
5036	DGwAkMoM.exe
5036	DGwAkMoM.exe
5036	DGwAkMoM.exe
5036	DGwAkMoM.exe
5036	DGwAkMoM.exe
5036	DGwAkMoM.exe
5036	DGwAkMoM.exe
5036	DGwAkMoM.exe
5036	DGwAkMoM.exe
5036	DGwAkMoM.exe
5036	DGwAkMoM.exe
5036	DGwAkMoM.exe
5036	DGwAkMoM.exe
5036	DGwAkMoM.exe
5036	DGwAkMoM.exe
5036	DGwAkMoM.exe
5036	DGwAkMoM.exe
5036	DGwAkMoM.exe
5036	DGwAkMoM.exe
5036	DGwAkMoM.exe
5036	DGwAkMoM.exe
5036	DGwAkMoM.exe
5036	DGwAkMoM.exe
5036	DGwAkMoM.exe
5036	DGwAkMoM.exe
5036	DGwAkMoM.exe
5036	DGwAkMoM.exe
5036	DGwAkMoM.exe
5036	DGwAkMoM.exe
5036	DGwAkMoM.exe
5036	DGwAkMoM.exe
5036	DGwAkMoM.exe
5036	DGwAkMoM.exe
5036	DGwAkMoM.exe
5036	DGwAkMoM.exe
5036	DGwAkMoM.exe
5036	DGwAkMoM.exe
5036	DGwAkMoM.exe
5036	DGwAkMoM.exe
5036	DGwAkMoM.exe
5036	DGwAkMoM.exe
5036	DGwAkMoM.exe
5036	DGwAkMoM.exe
5036	DGwAkMoM.exe
5036	DGwAkMoM.exe
5036	DGwAkMoM.exe
5036	DGwAkMoM.exe
5036	DGwAkMoM.exe
5036	DGwAkMoM.exe
5036	DGwAkMoM.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3520 wrote to memory of 5036	3520	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe	85
PID 3520 wrote to memory of 5036	3520	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe	85
PID 3520 wrote to memory of 5036	3520	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe	85
PID 3520 wrote to memory of 3756	3520	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe	86
PID 3520 wrote to memory of 3756	3520	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe	86
PID 3520 wrote to memory of 3756	3520	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe	86
PID 3520 wrote to memory of 1424	3520	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe	87
PID 3520 wrote to memory of 1424	3520	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe	87
PID 3520 wrote to memory of 1424	3520	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe	87
PID 1424 wrote to memory of 4060	1424	cmd.exe	89
PID 1424 wrote to memory of 4060	1424	cmd.exe	89
PID 1424 wrote to memory of 4060	1424	cmd.exe	89
PID 3520 wrote to memory of 3652	3520	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe	90
PID 3520 wrote to memory of 3652	3520	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe	90
PID 3520 wrote to memory of 3652	3520	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe	90
PID 3520 wrote to memory of 4236	3520	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe	147
PID 3520 wrote to memory of 4236	3520	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe	147
PID 3520 wrote to memory of 4236	3520	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe	147
PID 3520 wrote to memory of 1364	3520	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe	92
PID 3520 wrote to memory of 1364	3520	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe	92
PID 3520 wrote to memory of 1364	3520	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe	92
PID 3520 wrote to memory of 5024	3520	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe	93
PID 3520 wrote to memory of 5024	3520	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe	93
PID 3520 wrote to memory of 5024	3520	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe	93
PID 5024 wrote to memory of 4468	5024	cmd.exe	161
PID 5024 wrote to memory of 4468	5024	cmd.exe	161
PID 5024 wrote to memory of 4468	5024	cmd.exe	161
PID 4060 wrote to memory of 1440	4060	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe	99
PID 4060 wrote to memory of 1440	4060	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe	99
PID 4060 wrote to memory of 1440	4060	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe	99
PID 1440 wrote to memory of 2752	1440	cmd.exe	170
PID 1440 wrote to memory of 2752	1440	cmd.exe	170
PID 1440 wrote to memory of 2752	1440	cmd.exe	170
PID 4060 wrote to memory of 4064	4060	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe	102
PID 4060 wrote to memory of 4064	4060	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe	102
PID 4060 wrote to memory of 4064	4060	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe	102
PID 4060 wrote to memory of 2036	4060	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe	103
PID 4060 wrote to memory of 2036	4060	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe	103
PID 4060 wrote to memory of 2036	4060	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe	103
PID 4060 wrote to memory of 4056	4060	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe	104
PID 4060 wrote to memory of 4056	4060	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe	104
PID 4060 wrote to memory of 4056	4060	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe	104
PID 4060 wrote to memory of 4244	4060	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe	105
PID 4060 wrote to memory of 4244	4060	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe	105
PID 4060 wrote to memory of 4244	4060	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe	105
PID 4244 wrote to memory of 4240	4244	cmd.exe	110
PID 4244 wrote to memory of 4240	4244	cmd.exe	110
PID 4244 wrote to memory of 4240	4244	cmd.exe	110
PID 2752 wrote to memory of 4260	2752	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe	111
PID 2752 wrote to memory of 4260	2752	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe	111
PID 2752 wrote to memory of 4260	2752	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe	111
PID 4260 wrote to memory of 2420	4260	cmd.exe	113
PID 4260 wrote to memory of 2420	4260	cmd.exe	113
PID 4260 wrote to memory of 2420	4260	cmd.exe	113
PID 2752 wrote to memory of 396	2752	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe	114
PID 2752 wrote to memory of 396	2752	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe	114
PID 2752 wrote to memory of 396	2752	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe	114
PID 2752 wrote to memory of 708	2752	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe	115
PID 2752 wrote to memory of 708	2752	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe	115
PID 2752 wrote to memory of 708	2752	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe	115
PID 2752 wrote to memory of 4184	2752	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe	116
PID 2752 wrote to memory of 4184	2752	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe	116
PID 2752 wrote to memory of 4184	2752	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe	116
PID 2752 wrote to memory of 4556	2752	2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe	117

C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3520
- C:\Users\Admin\GMsIUEoU\DGwAkMoM.exe
  "C:\Users\Admin\GMsIUEoU\DGwAkMoM.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:5036
- C:\ProgramData\aUckYAss\NkMsEAwk.exe
  "C:\ProgramData\aUckYAss\NkMsEAwk.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:3756
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1424
- - C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
    C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4060
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1440
    - - C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2752
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4260
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        8⤵
        
        PID:2884
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        10⤵
        
        PID:4364
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        12⤵
        
        PID:4236
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        14⤵
        
        PID:4116
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        16⤵
        
        PID:3200
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        18⤵
        
        PID:4944
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        20⤵
        
        PID:1892
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        21⤵
        
        PID:2884
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        22⤵
        
        PID:3292
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        24⤵
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        26⤵
        
        PID:5088
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        28⤵
        
        PID:2092
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        29⤵
        
        PID:3692
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        30⤵
        
        PID:2188
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        32⤵
        
        PID:3348
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        33⤵
        
        PID:3496
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        33⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        34⤵
        
        PID:3860
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        35⤵
        
        PID:552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        36⤵
        
        PID:3020
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        37⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        38⤵
        
        PID:372
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        39⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        40⤵
        
        PID:2180
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        41⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        42⤵
        
        PID:1068
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        43⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        44⤵
        
        PID:1784
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        45⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        46⤵
        
        PID:1844
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        47⤵
        
        PID:3624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        48⤵
        
        PID:4468
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        49⤵
        
        PID:4448
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        49⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        50⤵
        
        PID:2960
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        51⤵
        
        PID:4844
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        51⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        52⤵
        
        PID:4520
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        53⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        54⤵
        
        PID:1580
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        55⤵
        
        PID:3532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        56⤵
        
        PID:1136
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        57⤵
        
        PID:3900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        58⤵
        
        PID:3012
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        59⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        60⤵
        
        PID:3124
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        61⤵
        
        PID:4228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        62⤵
        
        PID:4528
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        63⤵
        
        PID:3676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        64⤵
        
        PID:1576
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        65⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        66⤵
        
        PID:2532
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        67⤵
        
        PID:4176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        68⤵
        
        PID:544
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        69⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        70⤵
        
        PID:4076
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        71⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        72⤵
        
        PID:3012
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        73⤵
        
        PID:4608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        74⤵
        
        PID:4380
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        75⤵
        
        PID:3124
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        75⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        76⤵
        
        PID:4948
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        77⤵
        
        PID:4528
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        77⤵
        
        PID:460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        78⤵
        
        PID:2816
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        79⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        80⤵
        
        PID:3268
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        81⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        82⤵
        
        PID:4240
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        83⤵
        
        PID:3740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        84⤵
        
        PID:1804
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        85⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        86⤵
        
        PID:4848
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        87⤵
        
        PID:3868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        88⤵
        
        PID:2440
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        89⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        90⤵
        
        PID:3152
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        91⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        92⤵
        
        PID:3628
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        93⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        94⤵
        
        PID:960
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        95⤵
        
        PID:1372
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        95⤵
        
        PID:1136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        96⤵
        
        PID:2144
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        97⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        98⤵
        
        PID:3908
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        99⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        100⤵
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        101⤵
        
        PID:860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        102⤵
        
        PID:1036
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        103⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        104⤵
        
        PID:396
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        105⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        106⤵
        
        PID:4944
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        107⤵
        
        PID:1476
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        107⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        108⤵
        
        PID:3672
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        109⤵
        
        PID:3356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        110⤵
        
        PID:4236
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        111⤵
        
        PID:3240
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        111⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        112⤵
        
        PID:4552
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        113⤵
        
        PID:3532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        114⤵
        
        PID:564
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        115⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        116⤵
        
        PID:3988
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        117⤵
        
        PID:860
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        117⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        118⤵
        
        PID:4068
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        119⤵
        
        PID:3716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        120⤵
        
        PID:3724
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        121⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        122⤵
        
        PID:3472
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        123⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        124⤵
        
        PID:4332
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        125⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        126⤵
        
        PID:3692
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        127⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        128⤵
        
        PID:2420
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        129⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        130⤵
        
        PID:2500
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        131⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        132⤵
        
        PID:448
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        133⤵
        
        PID:1816
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        133⤵
        
        PID:228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        134⤵
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        135⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        136⤵
        
        PID:2152
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        137⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        138⤵
        
        PID:3132
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        139⤵
        
        PID:224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        140⤵
        
        PID:2072
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        141⤵
        
        PID:3732
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        141⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        142⤵
        
        PID:3676
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        143⤵
        
        PID:4056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        144⤵
        
        PID:1708
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        145⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        146⤵
        
        PID:2532
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        147⤵
        
        PID:3768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        148⤵
        
        PID:4320
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        149⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        150⤵
        
        PID:3696
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        151⤵
        
        PID:3472
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        151⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        152⤵
        
        PID:2152
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        153⤵
        
        PID:3808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        154⤵
        
        PID:228
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        155⤵
        
        PID:2388
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        155⤵
        
        PID:3200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        156⤵
        
        PID:3344
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        157⤵
        
        PID:1176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        158⤵
        
        PID:1856
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        159⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        160⤵
        
        PID:3624
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        161⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        162⤵
        
        PID:4076
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        163⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        164⤵
        
        PID:624
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        165⤵
        
        PID:3336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        166⤵
        
        PID:4224
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        167⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        168⤵
        
        PID:2156
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        169⤵
        
        PID:4180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        170⤵
        
        PID:2144
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        171⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        172⤵
        
        PID:3808
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        173⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        174⤵
        
        PID:2260
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        175⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        176⤵
        
        PID:3172
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        177⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        178⤵
        
        PID:3988
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        179⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        180⤵
        
        PID:4584
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        181⤵
        
        PID:4356
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        181⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        182⤵
        
        PID:1444
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        183⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        184⤵
        
        PID:4364
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        185⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        186⤵
        
        PID:2852
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        187⤵
        
        PID:224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        188⤵
        
        PID:624
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        189⤵
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        189⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        190⤵
        
        PID:4048
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        191⤵
        
        PID:1020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        192⤵
        
        PID:4056
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        193⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        194⤵
        
        PID:2140
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        195⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        196⤵
        
        PID:3316
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        197⤵
        
        PID:2500
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        197⤵
        
        PID:3824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        198⤵
        
        PID:2260
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        199⤵
        
        PID:2664
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        199⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        200⤵
        
        PID:2752
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        201⤵
        
        PID:2488
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        201⤵
        
        PID:4608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        202⤵
        
        PID:2964
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        203⤵
        
        PID:1372
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        203⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock"
        204⤵
        
        PID:1576
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock
        205⤵
        
        PID:3176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        206⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        206⤵
        Modifies registry key
        
        PID:1936
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        207⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        206⤵
        UAC bypass
        
        PID:1096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        204⤵
        Modifies registry key
        
        PID:2144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        204⤵
        
        PID:3812
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        205⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        204⤵
        
        PID:4780
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        205⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ScUkUEEQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        204⤵
        
        PID:4056
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        205⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        202⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        202⤵
        
        PID:3780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        202⤵
        UAC bypass
        
        PID:4016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CyUEIgIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        202⤵
        
        PID:3516
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        203⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        203⤵
        
        PID:3752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        200⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        200⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        200⤵
        UAC bypass
        
        PID:2472
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        201⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kCMgMowA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        200⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        201⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        198⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        198⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        198⤵
        UAC bypass
        
        PID:3164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EIYUcAsY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        198⤵
        
        PID:4176
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        199⤵
        
        PID:3340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        196⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        196⤵
        Modifies registry key
        
        PID:3692
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        197⤵
        
        PID:3324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        196⤵
        Modifies registry key
        
        PID:4956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nggsUAwE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        196⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        197⤵
        
        PID:1376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        194⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2792
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        195⤵
        
        PID:3448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        194⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        194⤵
        
        PID:2316
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        195⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bCYIgIAM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        194⤵
        
        PID:1168
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        195⤵
        
        PID:636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        192⤵
        
        PID:4672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        192⤵
        
        PID:4168
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        193⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        192⤵
        UAC bypass
        
        PID:1276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RCEooIIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        192⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        193⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        190⤵
        Modifies visibility of file extensions in Explorer
        
        PID:676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        190⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        190⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YAIwkgUI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        190⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        191⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        188⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        188⤵
        
        PID:2488
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        189⤵
        
        PID:3760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        188⤵
        UAC bypass
        Modifies registry key
        
        PID:2940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UwcckQsc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        188⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        189⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        186⤵
        
        PID:1996
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        187⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        186⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        186⤵
        UAC bypass
        Modifies registry key
        
        PID:2664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\usYkEgAk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        186⤵
        
        PID:916
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        187⤵
        
        PID:3720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        184⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        184⤵
        
        PID:1124
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        185⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        184⤵
        UAC bypass
        
        PID:1596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yOUIIgkA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        184⤵
        
        PID:4316
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        185⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        182⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        182⤵
        
        PID:3220
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        183⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        182⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zMYkQMss.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        182⤵
        
        PID:3624
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        183⤵
        
        PID:3896
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        183⤵
        
        PID:4844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        180⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        180⤵
        
        PID:396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        180⤵
        UAC bypass
        Modifies registry key
        
        PID:4380
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        181⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lkcYwMUM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        180⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        181⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        178⤵
        Modifies registry key
        
        PID:1476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        178⤵
        
        PID:3564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        178⤵
        
        PID:3764
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        179⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ryooMYoM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        178⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        179⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        176⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        176⤵
        
        PID:2960
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        177⤵
        
        PID:3724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        176⤵
        Modifies registry key
        
        PID:1696
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        177⤵
        
        PID:228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OWcMcoYo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        176⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        177⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        174⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3532
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        175⤵
        
        PID:828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        174⤵
        
        PID:964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        174⤵
        UAC bypass
        
        PID:3004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kOwggEss.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        174⤵
        
        PID:2324
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        175⤵
        
        PID:3200
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        175⤵
        
        PID:3488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        172⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        172⤵
        
        PID:3864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        172⤵
        
        PID:1064
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        173⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GGwskAcM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        172⤵
        
        PID:2096
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        173⤵
        
        PID:4228
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        173⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        170⤵
        
        PID:2004
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        171⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        170⤵
        
        PID:4168
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        171⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        170⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iSgQUsIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        170⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        171⤵
        
        PID:3448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        168⤵
        
        PID:4356
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        169⤵
        
        PID:3696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        168⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        168⤵
        UAC bypass
        
        PID:4940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tOoYgAMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        168⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        169⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        166⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        166⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        166⤵
        UAC bypass
        
        PID:3988
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        167⤵
        
        PID:1176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bgkAIYMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        166⤵
        
        PID:1268
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        167⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        167⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        164⤵
        Modifies registry key
        
        PID:3324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        164⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        164⤵
        UAC bypass
        
        PID:4196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TikcAscQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        164⤵
        
        PID:228
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        165⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        162⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        162⤵
        
        PID:64
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        162⤵
        UAC bypass
        Modifies registry key
        
        PID:4688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DwkAMgQw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        162⤵
        
        PID:2332
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        163⤵
        
        PID:3532
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        163⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        160⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1624
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        161⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        160⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        160⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UqQEgMYs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        160⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        161⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        158⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2252
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        159⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        158⤵
        
        PID:4356
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        159⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        158⤵
        UAC bypass
        
        PID:2964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SAYAUAoU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        158⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        159⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        156⤵
        Modifies visibility of file extensions in Explorer
        
        PID:460
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        157⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        156⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        156⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SasYgkko.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        156⤵
        
        PID:4180
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        157⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        157⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        154⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        154⤵
        
        PID:2192
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        155⤵
        
        PID:944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        154⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yAQoMIwg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        154⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        155⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        152⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4336
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        153⤵
        
        PID:3824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        152⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        152⤵
        UAC bypass
        
        PID:1964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HcEQsUEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        152⤵
        
        PID:3268
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        153⤵
        
        PID:3184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        150⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        150⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        150⤵
        UAC bypass
        
        PID:4340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dCkAEAIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        150⤵
        
        PID:3340
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        151⤵
        
        PID:3672
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        151⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        148⤵
        Modifies registry key
        
        PID:4440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        148⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        148⤵
        
        PID:564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hogsUEsA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        148⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        149⤵
        
        PID:828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        146⤵
        
        PID:2004
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        147⤵
        
        PID:676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        146⤵
        
        PID:1372
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        147⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        146⤵
        UAC bypass
        
        PID:3224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aegwYcIQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        146⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        147⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        144⤵
        
        PID:3760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        144⤵
        
        PID:3764
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        145⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        144⤵
        UAC bypass
        
        PID:4804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OGAMQssE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        144⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        145⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        142⤵
        
        PID:524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        142⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        142⤵
        
        PID:1228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tIAUAkkc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        142⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        143⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        140⤵
        Modifies visibility of file extensions in Explorer
        
        PID:64
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        140⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        140⤵
        UAC bypass
        
        PID:4076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jEcUkkoQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        140⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        141⤵
        
        PID:448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        138⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        138⤵
        
        PID:1032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        138⤵
        UAC bypass
        Modifies registry key
        
        PID:1048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\puAowEwE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        138⤵
        
        PID:2144
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        139⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        139⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        136⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        136⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        136⤵
        UAC bypass
        
        PID:4016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mekUEogU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        136⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        137⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        134⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        134⤵
        Modifies registry key
        
        PID:3340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        134⤵
        UAC bypass
        
        PID:4940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gOwksMYQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        134⤵
        
        PID:1468
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        135⤵
        
        PID:3728
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        135⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        132⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2976
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        133⤵
        
        PID:3284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        132⤵
        Modifies registry key
        
        PID:3344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        132⤵
        UAC bypass
        
        PID:3732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\caAkMwco.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        132⤵
        
        PID:3312
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        133⤵
        
        PID:3896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qGQQoMks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        130⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        131⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        Modifies registry key
        
        PID:944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        UAC bypass
        
        PID:4056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fmgQYcwI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        128⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        129⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        
        PID:3532
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        127⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        Modifies registry key
        
        PID:4520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\feQsMgIc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        126⤵
        
        PID:2648
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        127⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:1428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        Modifies registry key
        
        PID:3264
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        125⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        
        PID:380
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        125⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        Modifies registry key
        
        PID:4900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jKMcsgsw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        124⤵
        
        PID:3192
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        UAC bypass
        
        PID:4032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FKwIIkEI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        122⤵
        
        PID:5072
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        123⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        UAC bypass
        
        PID:2988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QmMMcoUU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        120⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        Modifies registry key
        
        PID:3824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        
        PID:2336
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        119⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EsYgMcUU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        118⤵
        
        PID:3284
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        UAC bypass
        
        PID:5096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IOEYIMss.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        116⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        UAC bypass
        
        PID:4320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qKAAUsUw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        114⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        Modifies registry key
        
        PID:3164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lacYIYkQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        112⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4460
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        111⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        UAC bypass
        
        PID:2012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VIYAgMIU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        110⤵
        
        PID:3860
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        
        PID:4056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        UAC bypass
        Modifies registry key
        
        PID:1428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hCgIkoYM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        108⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        UAC bypass
        Modifies registry key
        
        PID:2376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UwEMIcAA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        106⤵
        
        PID:676
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        
        PID:940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        UAC bypass
        
        PID:1144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yCkIAwcM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        104⤵
        
        PID:3020
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        105⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        UAC bypass
        
        PID:1540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YSMgsscE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        102⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:3760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        
        PID:3692
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        101⤵
        
        PID:1460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AUQUQkUM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        100⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        Modifies registry key
        
        PID:3036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        Modifies registry key
        
        PID:1476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jYYIsUIk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        98⤵
        
        PID:1300
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        UAC bypass
        
        PID:4368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FcwUwwAc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        96⤵
        
        PID:3336
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:3144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        Modifies registry key
        
        PID:3328
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        95⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xqwQEUcs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        94⤵
        
        PID:4184
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:3240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        Modifies registry key
        
        PID:1784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        
        PID:3340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        UAC bypass
        
        PID:1516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iSoYwUYM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        92⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        UAC bypass
        
        PID:2528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IUIsQMwU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        90⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        Modifies registry key
        
        PID:3516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        UAC bypass
        
        PID:2968
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        89⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kyMQEgUY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        88⤵
        
        PID:1460
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FeMcAEII.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        86⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        
        PID:3336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VYMgkYwU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        84⤵
        
        PID:4188
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RmIsAEco.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        82⤵
        
        PID:3200
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:1136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        UAC bypass
        Modifies registry key
        
        PID:1696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GSQoYcoA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        80⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        Modifies registry key
        
        PID:916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        Modifies registry key
        
        PID:1940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kacssIAM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        78⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        Modifies registry key
        
        PID:3516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        UAC bypass
        
        PID:4332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MIQMEQgo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        76⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        Modifies registry key
        
        PID:4404
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        75⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        UAC bypass
        
        PID:2392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KocAkckU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        74⤵
        
        PID:1300
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        
        PID:3320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        UAC bypass
        Modifies registry key
        
        PID:2500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DoEwkEcU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        72⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        Modifies registry key
        
        PID:4660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        UAC bypass
        Modifies registry key
        
        PID:4692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lywYggEU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        70⤵
        
        PID:3860
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        Modifies visibility of file extensions in Explorer
        
        PID:960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        Modifies registry key
        
        PID:4064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZcsIYAYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        68⤵
        
        PID:1124
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        69⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:4036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        Modifies registry key
        
        PID:4772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        UAC bypass
        
        PID:1996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nGIAcMko.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        66⤵
        
        PID:1772
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        67⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:3152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        UAC bypass
        Modifies registry key
        
        PID:4020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aCsgAwgg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        64⤵
        
        PID:540
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:3616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        Modifies registry key
        
        PID:4048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        UAC bypass
        
        PID:2292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QSMQcccg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        62⤵
        
        PID:876
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        Modifies registry key
        
        PID:4608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        UAC bypass
        
        PID:3504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\muggYsos.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        60⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        
        PID:3292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        UAC bypass
        
        PID:3860
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        59⤵
        
        PID:4240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bYAQAkQw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        58⤵
        
        PID:4184
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:2976
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        57⤵
        
        PID:544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        UAC bypass
        
        PID:3988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JGIMQwUM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        56⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:3736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:4772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        Modifies registry key
        
        PID:1180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\puoMMsws.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        54⤵
        
        PID:2020
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        55⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:1360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:4808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QoUUkgIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        52⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        
        PID:4952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SoIIEkcE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        50⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        
        PID:3740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        UAC bypass
        Modifies registry key
        
        PID:4652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ckAAEckg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        48⤵
        
        PID:524
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies registry key
        
        PID:4136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        
        PID:4240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        
        PID:3292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EUQccoYY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        46⤵
        
        PID:3328
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:4452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        Modifies visibility of file extensions in Explorer
        
        PID:544
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        45⤵
        
        PID:3364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        UAC bypass
        
        PID:1428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DsMsQwkU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        44⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:1124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        
        PID:3824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:1100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        UAC bypass
        
        PID:4396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DAwUUYMc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        42⤵
        
        PID:3356
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        43⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:3272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        UAC bypass
        Modifies registry key
        
        PID:2208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oYUkMYIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        40⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:4844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        UAC bypass
        
        PID:2292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YQgMMcIc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        38⤵
        
        PID:4676
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        39⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:3104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        Modifies visibility of file extensions in Explorer
        
        PID:524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        UAC bypass
        
        PID:3980
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        37⤵
        
        PID:3280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GOQccckY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        36⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        
        PID:4136
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        35⤵
        
        PID:3292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        Modifies registry key
        
        PID:1648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        
        PID:3748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TUwkIcoA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        34⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:3768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        Modifies registry key
        
        PID:1052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        UAC bypass
        
        PID:2684
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        33⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lcgoYoUM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        32⤵
        
        PID:3364
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        
        PID:3500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        Modifies registry key
        
        PID:2528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PssccIcI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        30⤵
        
        PID:3312
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        UAC bypass
        
        PID:928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LCsAkQgM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        28⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4468
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        27⤵
        
        PID:4116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:3728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        Modifies registry key
        
        PID:1680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GoMQwAsU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        26⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        
        PID:3736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        UAC bypass
        
        PID:376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QOwEgkcc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        24⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies registry key
        
        PID:3508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:1360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        UAC bypass
        
        PID:1580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MKUwQIgI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        22⤵
        
        PID:3768
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:2488
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        21⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        UAC bypass
        
        PID:1644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hwMgwQgM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        20⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:3496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        UAC bypass
        
        PID:2980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZmMsAkQM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        18⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        
        PID:4528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rMYAwAUs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        16⤵
        
        PID:3692
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dEUIoUMI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        14⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gMoUYEMk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        12⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:3724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:3500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EsEgcsAI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        10⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:3264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        
        PID:1268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YwMkoIkA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        8⤵
        
        PID:3908
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:4340
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        
        PID:396
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:708
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        
        PID:4184
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kcUAoMQo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
        6⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:1556
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:4064
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:2036
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      PID:4056
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MaoAIcQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4244
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:4240
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:3652
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:4236
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:1364
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jWMUkIkM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5024
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:4468

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:3312

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv ZH0o5Wy/mki7FaGmZwzK/Q.0.1
1⤵
PID:1476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\User Account Pictures\user.png.exe

Filesize
117KB

MD5
e749458245c2a8d5ced12e2cb98aaac6

SHA1
caa54058d3422ea50d2d9bad8172a09a358d9b45

SHA256
02efacf16c171cd4d7d7e9c0c530b5aed63e7fb785bd253b883e189e067604e2

SHA512
71904ff7c0ef0333dd408102cc9645aa5625056a6fdb2644ceea65c38b507b7d7387a1628795d4cb7ac894eddc3e822c4bc5f153a46fabff01f83ce8c8716e84

Download Submit
C:\ProgramData\aUckYAss\NkMsEAwk.exe

Filesize
111KB

MD5
7e81128e1f0bbf573e28141f0a58fd51

SHA1
b1fcccdf183a08636b9d0e7d24420b9064f3517d

SHA256
caa63ccc29d4e85cc20fc550176dda3f859d6a86090932593986b62469985674

SHA512
672d0eebacf1a87ed4198e41f4e0cc778ce4ebff50fea0d7bfb04e0682f250f678c10acb26685d9680139d8810ada79453c1fa59b2a5a9336553beb4abc97d47

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppBlue.png.exe

Filesize
116KB

MD5
f15f726ca2335f83432b0baaa5622ed9

SHA1
a9649d5553ab3fc02c913b6586bf7ee6992f5dd2

SHA256
e6a676d907bdbd3d59d5d6da04249c762283cb4d7ea59170b9523536edf6fa30

SHA512
a20447c55c9b421aaf5a1dc00085dc1beb0623be7e152d926bb66e1b6b10a918fbd169b35a9f768515a7fa063c9e181ec87d5782197db4e0200d552892e56dd7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppWhite.png.exe

Filesize
115KB

MD5
dc048ea2ac1808de2b4d70561345e65e

SHA1
1aa24a551e0c13ad77f187f9517378cf4eb4aa54

SHA256
2c57a48020220f27e744b0f0fbbe8b22803e9d1b37831e3f849e18a2de7bac59

SHA512
dbbd3233ebf3f36e12bb74bdda09b3bf32685f0e8966370755fc877f6a4561b7aa25739b9d07e4a58dcab6d4b15edd4b0d524a6c0b09ad9c8e028c069de74810

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-400.png.exe

Filesize
115KB

MD5
6e46dd3f8e30cab622c32c949ffb2d3d

SHA1
9aa5699f4e8f1a12cb2401c287446c80734cfd19

SHA256
0e7f91c6d92999366ad8d0ece490213d802d98a8679fdc5e7567b880a64bb352

SHA512
d9794de58acb39c1a7d7b5560a752767a4f899cc15999eecd07bdb520d172f47844fe7cca3f5135d5ec2b977c6eb1ee0aff5a743b05d2ee81a1aa29115a01595

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-125.png.exe

Filesize
114KB

MD5
c408a90c633ec119c839b8107ca04d06

SHA1
f848a3dbe070719f6e8d03a7fa40c15dd1fc852c

SHA256
6920137429cabe6c64f633c54d8ccddb090df7c573acdc08159776ee64417cb8

SHA512
a86f41460d380c5b6ff4161ca9ed352a6bcb0ec9a9ca2e935736b8099813a6badec7ff3a4f627691fe9d4c3d874e9297da0e2570d7dca7cb4c284de2b7acdddb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-white_scale-125.png.exe

Filesize
115KB

MD5
963759370a81b9f51e3604bf939a190d

SHA1
3d5fbc0f6d2130c11bad65d142ad3be3fdfef26a

SHA256
98bc3b1b3a81ee89fa3fca0bf9698c422d889e5d03e911e04ba6f74287d1555b

SHA512
c7f9eff5e40f2a06eae51b8b0e921421235acb057402073c0c1e97488bb62b208c770a3f8b0a7d98b5e5f4fb12b22e94df8f73be16f2b0c7ebb5ccb3aa4caaaf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-125.png.exe

Filesize
112KB

MD5
11735750e4380bac460c9162433650ea

SHA1
b1757d2e9a4e3996af3fb5e60bdae0e6ab7dc5c1

SHA256
93f5de760fffd5ba0cc0e80c99084ff2cda2bcadc68ab6bedd30b29cb3e5af44

SHA512
54c0362991d511cf94bce00c8d8ebd528e4df6bc25f3f17b14c99ce448ef286e799c2e95d1d94f4eda6e194df7194ba2550f3a58a9ae5647ba732095df111fe2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-150.png.exe

Filesize
112KB

MD5
8032aff96986e3f932a2d16d1ab72a0b

SHA1
cbe0b42e7e1aec5cdaad59f44fefe32da2afd917

SHA256
75a5aeb52fdfbac93f08f5efe9dfdfc80338933fae9687b2c569c0b6f22222ac

SHA512
573bdc8da7be73206dc6798ea8eaf96d352350dc0c48152fe52b907e560a9d95e7bd72183368d9610b8c914e0dad7874f966d248453167e05ae52eefa87edb11

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\7603651830\squaretile.png.exe

Filesize
112KB

MD5
e8e4afa83354318bd61c367436409d53

SHA1
1c35253051869058fc53972256bd758126841147

SHA256
a56ae71eb9421612efb44a396659363f7277dbbc08c74b9bde71b2bd24a2ca8a

SHA512
321b6194789450ded274c81560e1caae6a849d5e7865978910f725fb5defaf88501991bbdc5a9a1646e348ba75edf9c3c9fb2435b13be7d8942529e454e9b068

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-07-06_4c7959b55961a3859db47073ccbbbfb6_virlock

Filesize
4KB

MD5
9b1114047709d50a558f2ea4f6dbe9ca

SHA1
03459f960b76feacc4642131bd65028b4226fe8f

SHA256
d752cf16a0f3cfc9d796fc8c53c83087ede2d5b5e28fa0591517870b212d5eb6

SHA512
47f122831e229d869c40131e5e4968e97838a6c99898e8b179e60047711a58b27231736a788cfdd852657e2edd38c7d9d6ece93c7de63f6f45b6f3163c2fa3f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\AEIu.exe

Filesize
110KB

MD5
1b062a034aec734b0d89b2abad64add4

SHA1
b12d8e7de0c0950247d59f9c3259a84a4b2a3ff7

SHA256
ac01e4e4ff3401f8676b5ddc6483311be56ad1b0af41dc935fbcd282fecf6d96

SHA512
1c0963960a8f189ca071c922dd06b0603a78e53a5f8ee126112520d43a687e2ebd476ba8090f3021d2602fb15ec59332cb71c340705a20c512b675d9df85bc16

Download Submit
C:\Users\Admin\AppData\Local\Temp\Agko.exe

Filesize
119KB

MD5
ef0f13d362b37a444b0b5730d1bb93ea

SHA1
6ada1a1b5097b55294c5b59372dc77d8c6c7bc26

SHA256
eeadc8c2621ac7553576acf9a3eefa8a1b0e8273564a4bfbc5ea3629fa25e5dc

SHA512
5cdedc8633fcc901954ed53ae51c8e08235ffc2867cd090016197bca8654ca6867b069dc7f764c4d42c886364f3d5d8b81f1c211f99d2ae6ccaa3f3cd672ccf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\CAcq.exe

Filesize
111KB

MD5
0ad54ac94e7ed41510650948de5129e1

SHA1
56fd3c3d5dba51d6dbf8d0fc384e886e4e6ea90a

SHA256
147062c1b9f999dd9113af2e880ac9281497ef71310f3f2b401006e5e25dc9e5

SHA512
efc1747f7df28436215728bda173643dfeacba257e634f9022ec9b5a4e725eadfc080af96a552a7b824852d58eada9cde181dba79dad1ddc1c1a74bb884cb092

Download Submit
C:\Users\Admin\AppData\Local\Temp\CMMU.exe

Filesize
122KB

MD5
13ef48b6be15a07ca6e558bf1ee2ec38

SHA1
3f9d895eabc489f9c8c6dc0b12321d981bfc8fd1

SHA256
6b1f9afb4843474a67b70099bf05b7abbfe6db2acfad11a63dfaec5e049f422e

SHA512
00fb3e6633f73d8a6fb58689b38f5403d40bccdec243c572cd6cc0a54be2b9e85faf5388438237867e49c67131db73a663f3fbf996e230162d7e0fb53817a5ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\CMQy.exe

Filesize
110KB

MD5
c6465d756f0eca2047c9874e406713f2

SHA1
11753a90f79a5c79e33b6ba5e74febdf5e964cb1

SHA256
5cdd005a4db9d6b588770a14a5b292fcff4c270dca5c01b8756c0e7c6939ff6f

SHA512
6c0171ef05f4eea03615dedc461e46154b87b538a7bc69fe8691a0d5e8cfc3093dcfac99ab41595c891d1b54c918bf97afde82be5d4a6294872af8b447c735cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\CsMQ.exe

Filesize
112KB

MD5
2e3f21f4e0e547ed37163d3f19d2a2ba

SHA1
3755179ad71028c19c2b17773d7cba8b00dafa15

SHA256
e5ca2d1b00250669e80d48b8328640d64fcb7ce0fd0a5567d026d303b9aa27e7

SHA512
8200b816f1692b2870320e6c03d5098d72296306f93406624f17cd46d52909b5616450a54ad3d9703136b6bc55a6e04c02307ae9dccbe73754e13d88525ad583

Download Submit
C:\Users\Admin\AppData\Local\Temp\CswA.exe

Filesize
111KB

MD5
2943f1570a47ae5b1a12cd464f7b40c0

SHA1
8d782e8ef3631b911aef7f190873eb5db0e70a94

SHA256
90cb3dc0666d9dade5ff6514335c8347f254e8cc0406c24ba893e4ad02687871

SHA512
5b4eb339072a369a31f5209bdf0282fc18fbc49d601a1f1d3adcbfe544e358cf923aa9bad599e737625ab81c316ddac074902926232631c5a6f92f62050b6d6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\GEgq.exe

Filesize
148KB

MD5
bda4abab374f13d7e06821ecb8b75c9b

SHA1
47b58c1ec5541d7b7ab899446d8b1b73b9d19501

SHA256
4bc2afba463eb3d7a91681a17989307d287f1800b90eb1555b3e5099ab4143f3

SHA512
ca7e9554c96c843b5b886f70b275589b8c49e4ae3e16d27c58580499fbb8d715876a5ed015ba77386213498b9fdc2e489ffd5368ae21f7b23a964ff530c0a9d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\GMAw.ico

Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUIa.exe

Filesize
114KB

MD5
75931153b7cde7566b1fa416406d02d0

SHA1
71186c0736748d00bf815a96ee6a649783ee9045

SHA256
d887876ab8f12a0b491c6e5cdfe278cde90fdddfc5525e4af7104fe0a9eda24b

SHA512
2907c8d1f95d0ed75f8c2c853f01e59a1a457eb1e001a92cd83c7ebd04fc21e0321d4025f56f83dc17ca7a248b52f097aaf61678b005824fe869135f626d2afa

Download Submit
C:\Users\Admin\AppData\Local\Temp\GkIw.exe

Filesize
110KB

MD5
5b662a905f058f8e3951160ee4ccac96

SHA1
79316e12a505d88616b2de731a59f43c532162ad

SHA256
0da1a167ec59a98ecc4948cab312526bea7b0f4629c6e35cdd497c3a3bd4129a

SHA512
e69d6da866ff8b1e2a830def4ab7755ce728d4bab28529e1fc94fa1b430f5aab03ca46b0eb3ac747678b4d5372e5800aa0085adb56d5cd64666e4602d7fe530c

Download Submit
C:\Users\Admin\AppData\Local\Temp\GwIs.exe

Filesize
114KB

MD5
1395963c914efcef97252b078647c335

SHA1
21217e59245b8f09a3279fdec229b13865debaae

SHA256
d264e84d5bedbdf3c0a5d508c2b037df61bab2d78d23a8e8c5168543104f0d43

SHA512
1ca82e609dd528cf5361f733b84e81cc1902333e34c5ac6003fc885afb33cc7ad4458607605f9905a55db1b1a3ac8e424ecf54fb963c35715d8dcd374c41745b

Download Submit
C:\Users\Admin\AppData\Local\Temp\KAUE.exe

Filesize
110KB

MD5
99143c46e5d04fccc21e65d210f7eb71

SHA1
35eefc9a4458dbdf4a1a0e98271e4ade4edcda54

SHA256
d637dfc45d12628f8276d69d505cd42022fa011b6db46bbc5baa18d7d766ba60

SHA512
c1c7a0a1e6ac98af38b748ceb1069df1a6050d0d17ed7855367cbb8ec03df6e17e75eb51061792c2d4cfaf281870959ca2b5330bc37e17ffba106bb799fb9ed7

Download Submit
C:\Users\Admin\AppData\Local\Temp\KIkC.exe

Filesize
1.7MB

MD5
753604ef3eee84a15aa18d11f7aeae8b

SHA1
e6410f370c575e639b675880f5439c429e3fa94f

SHA256
e1efe9fb29cc12c0999b9d03e69e180f3cfa79a0a92e3317d0d0f061848ebb8f

SHA512
ae5804d51489f9137465f2dc1c919c7febe6a023ab05cbe8d047f4f0146ff9548ab826f38c382f856603f9fad66a4f8e2d6a51951d7b8658888e01b042e3e331

Download Submit
C:\Users\Admin\AppData\Local\Temp\KYkC.exe

Filesize
337KB

MD5
bfe96d36f2e3377560b27842b70378e3

SHA1
d0420bd9f52b342d925ae660778423dd14205aed

SHA256
ed05259e05b1140d54c86118584042493e309eaaa80f172c8212b3cb996ef83d

SHA512
2ede72da0d1298b68e17581fd883772349023aa0023f24a10b5494ad6634bd6e18fc34cca0024438219a8a9b1f36da522e73a1da07f01a746e674ff873082f7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\KgEk.exe

Filesize
720KB

MD5
0df81b36227b797d08e23c81c33bb3a3

SHA1
ccd6a22bb272846591a1625d47ce512e68f32f7a

SHA256
d4866b95c1ba0608a9cf2ad164d61f2c16fd6b2ad242bef27620a4bfe3ce751c

SHA512
dfdbd8b8be2f26e3ef01def38d6f1434aaf13a439531e353cb4d51e998521a0fe7fbe3979dd742a894814668e8a79d9e679a027759bdbdd845d5d4f38c7dbc2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEcI.exe

Filesize
114KB

MD5
0370d7f296a712921c75598d5e1e8eb9

SHA1
37cd27d1c7e1935575f3d32ab2db072e7fb012f1

SHA256
67e152313387e9bce33b1d947b65c2b857683fc931b610122a2d6990917abee0

SHA512
e698729f151f9db381ff76c1c51ce2d805e9271af678bfa07b4916e24ae0ff9fe299e28bf9c61d1d341e54f0be05418b396e9469ff0b442a4cc8e23939ae9e7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MYQY.exe

Filesize
867KB

MD5
de4cff80edd8d172b6a7c1f03dce4797

SHA1
0349460a6ff7c0c6a633cfab55390b7a016f3afe

SHA256
ea3a8bf5a607506f561a2f77c94cb81a174bc10e5a849542df0bd9c8fa37b9f7

SHA512
1c5b73e4accf68f1379a07660c52cdf08fbd73bd2099677314315bebbd7db16c22d0fc0095ca5d1cfd63de99e969f3a4337c872eb6d2458bf8d35b8417fddb46

Download Submit
C:\Users\Admin\AppData\Local\Temp\MoEi.exe

Filesize
139KB

MD5
6d48ca268bb58aaea14534a5a721bef4

SHA1
0435f9b3174b023b2f60af979cd45d7812723301

SHA256
be15b915f3642c6d7ca3e3e56403f737128baf2a47adc41bb18fe732aad20de6

SHA512
97d51d47b5f15b9cc48e55a08cfde4918d1c617a97ec317100d06684a4bcac9b44d84210a0b27a82960682109f199cc905ed59bf3f6d9cb8f6e87000854bdcb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MoUi.exe

Filesize
113KB

MD5
8208febd4c792550bd1074c22d962865

SHA1
1db2228d70064f52d8503dbc4871c5cdf74e17c9

SHA256
7a39d8efd3c014fee9ba1b1700b44d93ef9cba559b3d4fb99ffd38f5286353db

SHA512
ceb212b183ffb30b1110f749be31f246ff517850a06ae0b1f66e8e1106397aa52f1bf951087b19f180bef699c591f13740f31d9d6b01738114779e936fd62f5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MokU.exe

Filesize
118KB

MD5
bf6f2dace8518b2df8c81290b1e53f94

SHA1
356719eee8cb929c69f4581ca560a983f51f156c

SHA256
c0bcff4d15390288e51653372a1ece53936fb270e12429ea0a463721cec34f95

SHA512
5c1f6c915c4ca469b689742254c279fe0f99b86a106107d13e1664718f75b392de631aa9ebd90dd1464ec6476358fdbe53c5555cf2bfab05b40fa24f71f6d084

Download Submit
C:\Users\Admin\AppData\Local\Temp\OQAU.exe

Filesize
1.2MB

MD5
3795d9776bfd876c067f96a49b8a448c

SHA1
f418dc2ed5c68ae520d358945ed90cdefcbd980c

SHA256
47c30dff4c3fc696ae6ff6f47f2ff7e7c36be99d969ac23a2f6283c23d2c4185

SHA512
d486201f20cf24942acd96f149a685195560fcf2156a2368c34659671a69fe6e311a77a709c8c8d66211e20c709116c8b88a408304958a1d5a9927ab0ff0c379

Download Submit
C:\Users\Admin\AppData\Local\Temp\Oksc.exe

Filesize
134KB

MD5
f1883cf2b4ea0904012220acffc6cceb

SHA1
5ab28f269cadb9cd5746d533e609a48f4ff811ff

SHA256
5cb298ec6540aa0fab5ede4b7116580e85ee5dea131825bb64220f9e98c1730a

SHA512
52053a73140f2d45a738bee4e41249e1f9121bd64791a28bffde65b7517384bd8bfbdec98fc9e3779d5db61be6685ba4b0ad4267bd67bbfcb0dc2bda3d98aa12

Download Submit
C:\Users\Admin\AppData\Local\Temp\QAkw.exe

Filesize
5.8MB

MD5
80882ceca38d0b61144a84574dd59a29

SHA1
796118fe5dd54ae220654c411ab20bce86472684

SHA256
e013eb4c8e22a8053ca3d9a18f0613151cb09a82c6109d8ec5490fa3bc865160

SHA512
de745b15cb3ceec96c5016d66e699d6f638bc1989741b3f24ba6da64e8c97694faedc931bb0c1c92faab2fd2619f0075c471ed4aee456f0f1ef4dd4059c2ed7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\QEgS.exe

Filesize
554KB

MD5
75914662d9c5c4c6635f6c943068cf78

SHA1
f19ab7ec3d417b9bf22a8407703dd012f665098c

SHA256
61abe8de415e78dfd63705fd2b263fc44e4dfdbc2b83040c24cbb31a713509d0

SHA512
c58af3a880d3718fdf245e9efb649f3c89c9f63134012fa4058799c7345d54ac6bb29f674c977eb5859d519e69ff25fbec56ad574e019916980ef5800ed52642

Download Submit
C:\Users\Admin\AppData\Local\Temp\QEoW.exe

Filesize
109KB

MD5
9b3d8be4fff300f67b53b0f2a204d00b

SHA1
3e6f71cdf8b22b2a46de5b6e5ca00ba23447b048

SHA256
fbd8dbc136c7c6dbf8320dd5045505bd2bacafe0169afa66aa327b8af8faa64b

SHA512
60588b84c78f9ceb96ad746b9255120f979553d463a5df6e5c377fbad37df78f474e896ce59b672eac5ecc9206b6fed9806d877f10c096695a4ff626fcee0c69

Download Submit
C:\Users\Admin\AppData\Local\Temp\QIcS.exe

Filesize
114KB

MD5
42efc05b1420f47a2ce18991b7bd43a3

SHA1
fc0fb6c98a8ad0796083bf42133b53501cc1746f

SHA256
52e3bea40d56d0efa491e642edb751db84eeb4e3fef27537455f338562e3182e

SHA512
90ebe6d1a02740532b60281be2d4c020b554f28b23d58f3f0603a702a01b1c997e8925eaa4e583320050241dea7a59c86ba78695ec9312865faf01d3ce3f1002

Download Submit
C:\Users\Admin\AppData\Local\Temp\QMkQ.exe

Filesize
112KB

MD5
9156f07b489cae75b2f4b0912cb0e042

SHA1
4a7d6b4f12684756e2593987abd7cca7d8ab9ec2

SHA256
c34fafc341a1791270dc88f0c51b11e50a501e38d4794576220920a86972553e

SHA512
abcdcb2e51abb332f51beb8d3c0ad45a148d91bcf0cad8ee301f4894cfcb075147fd5fd06adea853bb8b74defc28dbbf36742b0c47b6af681a33204b9c1c0e16

Download Submit
C:\Users\Admin\AppData\Local\Temp\QQIk.exe

Filesize
119KB

MD5
5ff193692b317436ec7705a7370a8c79

SHA1
07df15236077ea3b3d19a7ea5ea3841de4d3fe23

SHA256
cc252b7588e510c16a50a18be6beb3a6d4e5b998c3c298078acdba8668a47acc

SHA512
d101d16ae28f2c0a7f585e1a0afb034cb323c8eb2e29e5a4f52bdca6ad5ebf9571df422f56838e6a9438d1445a53d07059b1d94133826183876e0e4a94886200

Download Submit
C:\Users\Admin\AppData\Local\Temp\QckO.exe

Filesize
112KB

MD5
88fc426b7b1c915830433dc508b9feaf

SHA1
c6dfc4e0d83b5c88a89d967fc5cfafdd7eee720a

SHA256
064f21267d0ecea3315bb4327c68e5805079f8c106644cd123039ac79dbfbe44

SHA512
ae10e68a165db672e2857d3dd3f8270b562b1452f7d8dc932c7b078c6a5d6b3e436dd18f23a1ab3072f34e1e7b3178dd0237cc3eb7548355cae7508b06791051

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qcke.ico

Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\AppData\Local\Temp\QgEa.exe

Filesize
111KB

MD5
f9c593548876552fe3dee9396167836c

SHA1
fab1c87beafcd9f3336eccbe1e3903c254861384

SHA256
7ed359f19e58aecc488e33f48d974165609b3ed7f64e5c7d72115422fbed2182

SHA512
76235fc391323cf31be267494ab261836e9cc983085c6a4a03dcc57001e3b294b32a08d7f49bbb68e957e326d4b4a11fd8d993cbbfc323a51279235e2bf960f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qwgg.exe

Filesize
113KB

MD5
7a2863670fd8c852a260e8b69ff68ba5

SHA1
f7f520ef507ff1b548517f93a3697f0aecf66560

SHA256
131fc46949232971df929f2ca9ed6845af162e6c158cd311b91f5d8612773055

SHA512
0ed0a34fe0897b3c5809096247de057424e2bb3eca5d6bacc4e226cbb31c63ac89d391a7fda116b4fc9f4f83bfea2022a41083edac67a4b3fd794a36ef138e9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\SEoa.exe

Filesize
112KB

MD5
5fbfe1358315899ba8d2b942cd83c024

SHA1
f34f9719a61da98202e7118cbc3aa22a674fbb15

SHA256
eb073103e65c153afadb04255af9f3e5c983852222c3f25d703f0469f4780a1f

SHA512
d8ed85340d68d12442833ab65a0c19d68bc37629e87107841427b35192ccc4c6881dad928ab421b9f90f53d48a39aac4281092943c768107fde5359b0f6fec83

Download Submit
C:\Users\Admin\AppData\Local\Temp\SMwk.exe

Filesize
744KB

MD5
d3b8b7895178ec16974bc59c1d9b3d7e

SHA1
ea9e0bd459dd2089970302c3a22b91dcb17269a0

SHA256
02a2f4058a1971b7a2d70058df9db79cee19a81b6281dcda7750ab3e745e61a3

SHA512
76e2b6baba46c7de648ee762b486edde0437e9bb236277406e377196ae4bf5ac8550bfbd93afc54429ad573a83f1fa0c331966a8a9904033154dcc53bd043368

Download Submit
C:\Users\Admin\AppData\Local\Temp\ScIO.exe

Filesize
117KB

MD5
d32a0bd1097f5b6cd0b355f40c935ad7

SHA1
b11504deb092767a5cd970076c4c9fa260147c78

SHA256
e9faf3f3e526f234c3d4ae77d1c9064fd0da50bd430de3c290378005bb48ba49

SHA512
0595009d45fe614d53b36c6d0ec70b0f623e75181c8c7ee75f7c1b0ced521a4a5a70b0ca1af0df0b60f99f74b888ac6520c5efe574d015c2c6dc59bf73766955

Download Submit
C:\Users\Admin\AppData\Local\Temp\UEgi.exe

Filesize
149KB

MD5
353ea82e4089ce0a26e45415bbd67cc0

SHA1
c817dcf11892d6aca41d36a94b7330e467c4edf9

SHA256
b0e254177f343298ae1e999aafd2e8f3dc4fe1b5c80a8c01613b3933faaf8931

SHA512
71ff051c345c41aa371f97d834b271ff6925e5a38c5e7e836de70762c7e1d421337e90e9da788a90b50cce2590c634b9ad0ccac4eb802d2d6b41157c35435409

Download Submit
C:\Users\Admin\AppData\Local\Temp\UMsw.exe

Filesize
486KB

MD5
ef0f59965d27b522cabffeba2ceb3c2a

SHA1
db9e138a768816d1512e18cb9cc1eff3f7e043fa

SHA256
49e2cfd3b525a7303e2fb8129303779dd567d19d5ae64b37804013c4c8b75a74

SHA512
bfa13db9c4af77ffc04fff04a8804d85ecb6e254c3298b822dc80111cc47b31b65cdfeed1731d56bd35d1296e313d64547c321566e559e3a566e0a16778baee9

Download Submit
C:\Users\Admin\AppData\Local\Temp\UQAA.exe

Filesize
721KB

MD5
76f09e84eafcf1e5803028dfa5673f67

SHA1
91e12880c0a422154af3cc279a0797742985b3c1

SHA256
b8bbb9331cecb93bb8a283d75bd197804169ae2a2f293e8da5a3e556f41cb209

SHA512
9ca8b77edd714e64eeab75c2d9631cde1737a6fd272fa778b4ad0262179d4c86a674c0599cdf47c3b2b9ba0a690664d896486c992097282ae508a36319b37f45

Download Submit
C:\Users\Admin\AppData\Local\Temp\UwAQ.exe

Filesize
563KB

MD5
e1dd85d302f561b822bc1c52d6bc3b4d

SHA1
4efa263334520bc5651ee42c4ef994c710010dd2

SHA256
a108e0c644c22e5a253613eaf4e26ab803c3d0e7bbe7ac1b9762a2ec941958ce

SHA512
2e7efebe25904857f967fc55a4e404a9d72d44fb66199eb75cf60bf7a2dbb8475fd2cee35f3df4818eb0c75a9f83485630de53ececf91c1992cc708278ccf8de

Download Submit
C:\Users\Admin\AppData\Local\Temp\WAoO.exe

Filesize
711KB

MD5
4be4839668a0f4221060947f9a641556

SHA1
506a29cfda70c36f69c7440f6777483b6d794644

SHA256
dd3f30f1257a18dd061033625185b7263c8ec9fd376583421fcd8bae1ca605f4

SHA512
ea8106af8cd28e16d300712a4483d87453b0af549a2740b9c7d8219c67cc9b165dd2fa8b28768dd6d73e01e36833ec542aadc7e90a20326b14ecd806e167898e

Download Submit
C:\Users\Admin\AppData\Local\Temp\YEAS.exe

Filesize
110KB

MD5
9563932d6088e47ff490ea1e6b502cb5

SHA1
d7ec41d4d1c3e113570847a2a18d3a6a34e4ea30

SHA256
004e80408f1aab9e1b4e9564612c5348b549662c269f6c81c8344427ab5a7542

SHA512
a01f77e830aa2b2ba993d839761c366778c8a62487def0c09ce9784d5b2413be3b0982a9544dcaed16ded416632c4cc9f30c922286d37357a85cc9d48885fb1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\YEco.exe

Filesize
114KB

MD5
c0760f2bf0de292e4c3c0e1151c75ac7

SHA1
75552f78dfb72d7c7e207dfd22368f68985bdbb8

SHA256
c131f46ed5867ddd58dd08adbf125446e41e69cb5397f80fe20f9895da83653a

SHA512
45dc8fe15d9c7a3ad2bbde96c31e36be377ab910278872e7b48e63de0d792341eb859fb6ae1f3ac19612f48811eb56d50b83df63a4bc77b09d4b87efd8e51580

Download Submit
C:\Users\Admin\AppData\Local\Temp\YEgG.exe

Filesize
5.8MB

MD5
3638adeb7a81701bfe8bd4bf614460e3

SHA1
5bb7fdbce8aa47c85f5bc6c51fa5723acfdfc9ac

SHA256
6d7b643156d914cc25d7d6b8a8bc4b382b2cb9ae155ae08cb5f775b2f57570a4

SHA512
b12c340181d95bbb198a7a61e91b72403f394086cd5a3727a2df80081e0ade82513166070ba1fee424e69fb9520d2e9ed164ace6c942dfc318392bacefd37138

Download Submit
C:\Users\Admin\AppData\Local\Temp\YQEm.exe

Filesize
468KB

MD5
51993cff0e7fbe7ad66199862adacc1e

SHA1
95de5e2efe23111e4cf87f670f7c6e603acf4a1c

SHA256
67ad3252422db5b8665429e919135042478bc97122e887bc80774eaf826192e7

SHA512
f4cc8e926fad066f604fd16192c63e7e283ed67b843dc58b82cb7507ab4be06d4b86a78fb403ef4e7fff22378b81b56cab8e4a06bbe53321fab3ffd2cf96194f

Download Submit
C:\Users\Admin\AppData\Local\Temp\YUwC.exe

Filesize
412KB

MD5
26c923353c43fed870746fc14310312f

SHA1
d8c4a2590a08cf6cb0e374cf344a5a3635895dcd

SHA256
e4ecbb306da826ca9e7cf06768855c8172af3abc5b9f42d0dc0901effde850d8

SHA512
88362223ca954a427c0c9dbe01aba055d8dd49f3594db07d5c4c5ec452b581989d755924abe549bd7181fdf2516808698fd8bca4261d4cf658c771cf970fc872

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ycky.exe

Filesize
141KB

MD5
1c18f2bbffbb855d5a7f9dc04289a610

SHA1
cb11651c76ef32b18f6044153f9dcb973d948e03

SHA256
4484cb1db068e02aa9b365b4e112efebec7600fbee452d8dcc47db2ad2fa5d2a

SHA512
841c892d1a7c92348456b8f025add68035f46e950cb509155c19761cf1d1bdb6eb12179942f1f0f365df7b3151a6d034159c993ceb503c448e8908fcf0820858

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ysoi.exe

Filesize
509KB

MD5
8660987e1972cb9a32aecb646f4f7a70

SHA1
ceac57ab9150f35accb9a07588a0d1580160337b

SHA256
7b1ac934fd41553dc61edc61652da1dd2773ea61cbfca4a6d1888d9b1d7961c9

SHA512
4c7d0f2cb0968542ad7a6bb446b7f0e39d54e983606403a64570e3eccc611f533ed76432c2e9f53e03826894e1397470667c6a421fe7794991439ec7dcfb1d4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\aEEY.exe

Filesize
952KB

MD5
972f1404b35e30355e638b502ea35ef5

SHA1
3e178da544a3ec5eb517062835287246aaa02c26

SHA256
ee3b06443f58597278233631061b636a206a8162a17b2a895e432398a005a672

SHA512
6424e8e827155ce701ec47555a2c21027151238749ae548fd28670f69fb46188a6334fc2626a270bfbaaf976050b499a2e0b126e3c9ec2d569af984eba75a57f

Download Submit
C:\Users\Admin\AppData\Local\Temp\aUEa.exe

Filesize
112KB

MD5
e31f6a771fdccc9a4bae08c4dc59380c

SHA1
5d73a2f3a5dcde1a43291709d94680d38acd7626

SHA256
856dc240176f1dda70aac78a4825939ab85558c733ad21522312838f76e52e3a

SHA512
fc94aa7c708eecff11704db90c5d710d14d1f448328e1ac0ad6970a41266a81b6ff4acb8511279d6ce4c4c0a9d2d0223a85bc83e2e8b937e87a857e2b840a63e

Download Submit
C:\Users\Admin\AppData\Local\Temp\agUq.exe

Filesize
115KB

MD5
8eab03e3ee85b6faa515bf054c966d26

SHA1
6ce47ece7cdce4f70bfb4239cc59d455d7a65ce2

SHA256
ca7bae13336e8d922df61af94cc1cbca4242a641d146ea58629be94b7d52db0e

SHA512
f3a6d2c9765578333f260852d956358b856639f34a631f5b9236c4490997c7a5b378003982affd0d0c2bdb2c73a8cfc684b71c1deda83496aa6f50759166c1a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\asIw.exe

Filesize
563KB

MD5
50ed2efefaa5eee2b679e6e54c23322b

SHA1
4c793ef764a01e0f941458e2681f339caf66919d

SHA256
e26afaec3d288dc5167edefb83991685cb61d39dea5ea86487ec4df7c5342026

SHA512
e18a526f91bd283a5354705bca099109c059a051f34de554172d04088d4256bf5908d1014eca914513ee2a6a6e76ede68df5f34b48e9fbfd00599fc3f39e5093

Download Submit
C:\Users\Admin\AppData\Local\Temp\cMkc.exe

Filesize
110KB

MD5
13a7c2442ea81f5e869cdcea22c8ad47

SHA1
6c61a2473e2a23b78857b0fe314e25dc470d93b9

SHA256
862d51b8e8ab928038155e3d70b7ceca2ea22bd110247f86fcefb77dd4f32525

SHA512
6fbd5a7984ac298cbca95495e3a24e9a40a1fd153f6d9457051102d935cdf8ed46d5b6754434a7b6c5557114b436166ea8f37cf68966a3569ba0d6b2711c7080

Download Submit
C:\Users\Admin\AppData\Local\Temp\cUMS.exe

Filesize
114KB

MD5
4a1f5be5cf93feaa9e02411f2f4ebee7

SHA1
19f16f4d3d21634b5cd4cf4e64059023c4fa3a32

SHA256
f9f1e1cc1893d9300ca50582a4c395b939a88cb32c40fb9c07f85fae176d6cdc

SHA512
c2d0d7f6acb11602f0b95e5efdc7257089b782c2b2c09a7b9773aae595e6a03d7d351a6d4aa32fa9dbfc7680d67152f7111d3cb1ac18c73d1ed3d737e8f7c46f

Download Submit
C:\Users\Admin\AppData\Local\Temp\cwYy.exe

Filesize
112KB

MD5
028186511b4d06b6f1adfff830df00e6

SHA1
0629844c2dedccd40c6d6a1ce529bebe5d661708

SHA256
0be034820e844469285e775c79370e2debde7ec81852fcd7056f6e6666802df5

SHA512
4c89e961c56ae88ab4bbb2daf43ef593b26efcf6b31539b80963fe1058e0d375677b22d595aa10caed8a4fc11d9804c573e43df7ef0d030f961fff1697cf0bd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\eIMM.exe

Filesize
111KB

MD5
83bfb26f1e8eb5c0a3a04cfcca2c37df

SHA1
754db9a9b3c07eae516d51a2a6ac0b4886d495d8

SHA256
e8a5dd06d9fbdcbc5eb93bdfb8f11eb5421580f6e60e7e05ad5430198ba96c73

SHA512
b53c251a4604160c40ea97362c6110debe5939d2c4a8e3c23990852620a82875cccd2f017dde6edee88f5bda5af0034177f92634eb990becccf276a4c70f8d0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\eIks.exe

Filesize
237KB

MD5
57824603176805a7f361ef89bab59a49

SHA1
dfb74368d1ddeaa0132e1f8320a60634bc90dbaf

SHA256
6e9511b9120944af0bcfb380e6070f2f8935244701a041910e5a98bb559644de

SHA512
63707262d9899666a35553eaad7f26a85ee1f37c7b7f10d5ecf21ebcccf995deeb957b50b178726ab50007552d23aa54e65053f3d26e05a03015aecd91d4cef0

Download Submit
C:\Users\Admin\AppData\Local\Temp\eIwQ.exe

Filesize
109KB

MD5
5fbf817b83b82255681f0e64f50e62c2

SHA1
d2d2d3861ff60c1ef27fa8f3e16ce61051e29c6a

SHA256
2e703c292e1e5f9f765a834807ba9f7c15e891422a5a9cf12b2e7cd1caff0ad7

SHA512
b13a674d994ddebb0539a4cce6fc2a4fa8b76f09f2dc2cfe5af99833e2ed299a33e46a8ced60070665fe7187365ab9c5193676c1cd22b0e4f392b2de593fa5b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\esQG.exe

Filesize
139KB

MD5
37c8cdbd2f8418c9e26c584794fc3c70

SHA1
c9d56b2aaed5764019925279e370ffe693718a93

SHA256
ac21ac9aa33c295c889345fcfa6ecf66060a2c482d199207d850007422e04b16

SHA512
012406f9ba59ffc993b0b0ecebb65de11c42b2d83ed782d210e88e1fa7ac3c912382dccd5a9102247d1c60a824b18fb50f3810f6b02fa2a09c8740a60edd49ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ggIE.exe

Filesize
112KB

MD5
6a1e16dbf034ac2d24a4a23049bdd7a1

SHA1
d3cbc6b441b9aa203d6f3da36b4073586857915e

SHA256
210841ecb4b469165713c0c2ebc73f883ce37bd87185374a9cd1873bc5525686

SHA512
1c141e93d8d4196a24b1a8d9264ba93665a7dfdd5c7f3266a50381bf42fdf50fe6a8842e684e39a56410006b94dc334f1ec3645ce2e9dce9e1ee9df4af341696

Download Submit
C:\Users\Admin\AppData\Local\Temp\goIE.ico

Filesize
4KB

MD5
7ebb1c3b3f5ee39434e36aeb4c07ee8b

SHA1
7b4e7562e3a12b37862e0d5ecf94581ec130658f

SHA256
be3e79875f3e84bab8ed51f6028b198f5e8472c60dcedf757af2e1bdf2aa5742

SHA512
2f69ae3d746a4ae770c5dd1722fba7c3f88a799cc005dd86990fd1b2238896ac2f5c06e02bd23304c31e54309183c2a7cb5cbab4b51890ab1cefee5d13556af6

Download Submit
C:\Users\Admin\AppData\Local\Temp\gsUE.exe

Filesize
565KB

MD5
90454650e84789e3da36d02aa58c3f4b

SHA1
faab040076c7c7e4b0f3222e1d45f6eb29807781

SHA256
7dfcbcffcf127745b1605d082ad201864b9b14ffc96eca10088e7be4ed392e03

SHA512
5070d949f1f042ea262c4beffd8fe2634648195c445c88294effe9e1bebe5f97316f7d33e3563251161c815f206b5bd4f3190b9d1a2472dde43fd5aab0bd6056

Download Submit
C:\Users\Admin\AppData\Local\Temp\iUsE.exe

Filesize
119KB

MD5
cbb6ddca7ba377e3c0b6e4a14f0fb868

SHA1
016ce826ea90cd4d7a421b60f839cddf61cf67cd

SHA256
7ea8a7b755041b0756abc7f2bc09104e2b0deb57797ce10fccd8264617d82bd7

SHA512
2ed37732867c8aa4f8eebe3a727e8dec99dc38014013757180ae352825f99ee02673833602bf43f404b63851290a0b47703a1c765c8a9cf7fd0dde7564b679e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\jWMUkIkM.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\kAsy.exe

Filesize
369KB

MD5
1d63a2697823822cf4ccae7d5edec493

SHA1
93cfd43c8a0042f1d3478347e7558b4c8a9696ed

SHA256
dfe0b4917da52be07961181c152859f251277cfb3275e485558f10d739dd3537

SHA512
a8f9fe05b065de5f98314a57f643e0e8b9e1f2ccad3f014d765620b22e5e1cf12b3044ffdc40510b0ffcb0643ebceaf64c606625a1c7b864b12898a23595fc56

Download Submit
C:\Users\Admin\AppData\Local\Temp\kIUW.exe

Filesize
119KB

MD5
07105a86504cc83dd901ff8c3017cfcb

SHA1
53220f1c1651eb18cd23fcb7c646b27324dcae7e

SHA256
869e683f95ee2a4ba6bd88ed49e94b3364674e2ccbab6efc9edc078267796af8

SHA512
ea1568666350b3c803037e6a32eca342d4c96a15c0aa236919baeadc5f4defe4e3212b439ef06ca86daf0a7cd6e267d2dbb807dcb402c5222382d14616a2fa34

Download Submit
C:\Users\Admin\AppData\Local\Temp\kIsU.exe

Filesize
125KB

MD5
5036afd860ce42fe7fc9741cd202a29a

SHA1
6561dd5a8ec8e73a22c817f71469efce23ea3f21

SHA256
dab38cee56d460896165fdf7a093a515fbba4fd77a8f789c6b260905ae0e0f9f

SHA512
8945bd6573ab157d98516be7c5b9c5488885c13a00442f9831f659d40be78b00ee755a5de4e63469f987b09d26e31e339e277071856825ea4ff12b55ed54107b

Download Submit
C:\Users\Admin\AppData\Local\Temp\kMEU.exe

Filesize
112KB

MD5
39dadab5a4ec81f9ce959f32198be0ad

SHA1
64567cb94320d4b5d1cb9cb954c3ed67243c32ff

SHA256
e7d2545bce7ff81dff6d061413b17d6b10890e72f879dd408a1ad2869a5a0c43

SHA512
89458e9ff3acc34749cafc0df7f8196f441e61aa15875100528af7965ad54572a608452fa2161097c419fe550cb79a6b5df2c17fd564492025c6e36121f13124

Download Submit
C:\Users\Admin\AppData\Local\Temp\kMos.exe

Filesize
110KB

MD5
5ef4582050708b39634f4779ee451336

SHA1
2a19975a7ae7d179e6f4d08fadef9f3972062490

SHA256
3994b0066e144d1adca6b53979fb0714732541d930f002d6911bf98f92ac0df2

SHA512
0af5ba3dc308f9d85ff0395a5ef150437261deceb5cfbdf12aee5fbb415f249c2fe31f39994b3d34e9e5081ec19d34df98822b6598379ddd4fc519e0494f5f08

Download Submit
C:\Users\Admin\AppData\Local\Temp\kcky.exe

Filesize
117KB

MD5
47bdd477cbbd1a57469451b0f7543149

SHA1
35af85b566783d3c093ca2d5b1c8d8af4b19eee6

SHA256
09e8799c0688656a14a0d3850f6970400e2284ca91e3d12eef3ae334f14cd9cf

SHA512
d8909fb5cb13287f4a0f216677f0ecf4b9d8e213e7d765a761dbd051e2e5dae87e2e92a02f9bc8112991436626aff3563e54870b84fcd0dc1cdef0194ed5914d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ksMM.exe

Filesize
720KB

MD5
3c196bb7bb6b04ed13abd92db94d4e43

SHA1
d34b088bea9ea84ec6cc725839e87f8842486c65

SHA256
a92353dd2a9d832adae62f5430d80fba81308128dbf03110ad34a04c8a17fdab

SHA512
c6b046822024cf46db4c147201ce3d3cca868fb65b453559ceda6fb265e261b5b8ab222101de88e22c3a8f1e7f7497d450728d75ffe2c231e98bd64d7d7c7455

Download Submit
C:\Users\Admin\AppData\Local\Temp\kwMs.exe

Filesize
238KB

MD5
96eaa50e91fadf8126832bbe44a70f40

SHA1
eb01eb94ff0446e7a28ce89a4a51ded3b8c95510

SHA256
24a58d57b78636c0d80338adb86eeced26cc83b450c4f67cfc836ec3bec19df7

SHA512
135a63dec040298aeef92eed273a4ffce71165cf4fa3896c0001c6a95913fc203a9fae623b382c2b89163406d94dcef1ffc55388c41b308edee0f09073f7707f

Download Submit
C:\Users\Admin\AppData\Local\Temp\kwsU.exe

Filesize
239KB

MD5
9a5b41043db6036eca2dc3c671828a5a

SHA1
eb5ed8f3b62ccc0853e391164d75a9c2697ff492

SHA256
0375db8c069a2e2a5f6c046c7cecff68ad467a9ca777648dfc838db8f2dd2b07

SHA512
20b97b3a9ab30e19169d7c5cec31af06720ca6cf9521b5b12b47961959ff7c8f52cf44abf4ebd5889f4792da72d29c05f19f6f8d62332e6ee9d41885673c465d

Download Submit
C:\Users\Admin\AppData\Local\Temp\mEEc.exe

Filesize
122KB

MD5
509387ea81379070b9d619d30c083df9

SHA1
7b762c3affabef4648354c8439dd3deebf967a0c

SHA256
a30fb5e3e09036629483ff81c786baef8dd5b7c9e10d4a5829084b7488fec6ea

SHA512
51289abc3d238a5677de95794eb911f4fbfe28a4733c099e208325cf6f273966b8b940940501c06712628e26a8c7e8450def67946f60712a17f60c9f0504318a

Download Submit
C:\Users\Admin\AppData\Local\Temp\mMsw.exe

Filesize
119KB

MD5
d057c6ac256567284d85ca2a51679407

SHA1
3f1fcfdcf68c77f9b3adcbf3d2a3ae2ffe01b64e

SHA256
db9e9f6f681e9fc0d25a3f11b6dea9e78ddeb53e5eb035c4c9c0728fe4f854ce

SHA512
d103538d52e633203bccc21e0aacae925f4426118aa1de6766e6eeffa7f083f43eba96b3115d09860e75a4b7979b78d8965bc45aa51523b2e31ec06c51e7a818

Download Submit
C:\Users\Admin\AppData\Local\Temp\mQUe.exe

Filesize
5.8MB

MD5
1fb92db3833c44941aa7a2cd4e69e318

SHA1
bdfbceb91d1e8a8815088486de5258ca0eeecd16

SHA256
e3b666c0e7880e0364905b5dcb16ca2baaa6ab37ba6a0e3fe4055917650c5445

SHA512
1d5d0bb0d4233e10bcb1b064ebbd409c580d41fbd19b8e60f3d33b25433c3634126b77b98ab6eb0c140f6bdd779a03aa635c138b1232be2812869c98ac349e4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\mUgW.exe

Filesize
119KB

MD5
61419108543ba57910d735d994a1188f

SHA1
159fa6ad4ed7c5074920180b45d49cde9e1f9613

SHA256
0938c4fb67b39ed5bdc12a55332ae80cce33225253db9b57406aa5860fb7fa36

SHA512
cd908fa245fcd1d26d20863d495ebc5c56d43c1d2c96a8ee72180399fd1bb3a47a52143471a1e34c64005abc8c44cb1516a927e02defc9ddea063f0da73dfa4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\mgQG.exe

Filesize
113KB

MD5
3a38e31822416a9d35bcd2c540c33b3e

SHA1
c476d6e43c73dc467c70ff52ebe962eee582010b

SHA256
44960abc1221e353932f8c38bf1d603d1d3d212ee4618e2c227d04c49251f6eb

SHA512
aea7d0d53671c507306ea7a87fb3faa1b16ae42eb6a9c181d01b59c4bb4dd9998253e544d3ccaaf04032f44aae502a09b152c7018b14252e089f7e79a4887c9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\oIMC.exe

Filesize
154KB

MD5
2a0208f1806ca29d6b2daeeb33d7e47f

SHA1
22f6f4e8d39209c03db5df5eb47f31b53872d96d

SHA256
6466fc3b1e208819354677a10dfdf08f6750a102d320b9d38f982d0f3c1a4f13

SHA512
f36489c2cadbd0e7a1d1d0ee6d095a3d6186d282150bd0bde2166c1a849b920d661e9a305b34ec4a89adb04d8fd094d17201f50aad15461b92e72e4f63ba11de

Download Submit
C:\Users\Admin\AppData\Local\Temp\oIQE.exe

Filesize
155KB

MD5
c757768743fec3371c6c25cb60011f67

SHA1
8bdf5aa3a58f0d962d9f880ece6e0ca6b166f7f2

SHA256
0bd4c246a398d0ccb107b3f6e64d1ea236fb1051c6be2a532eabd0d31609252d

SHA512
0f2fa8c9cf270d85042a04ea612d10258bd80ffb20c09bc9dc8340ede413e1a309dbe767118cb63491043ba4f860825a8dddcd04788ee0c3be622f0857c8596c

Download Submit
C:\Users\Admin\AppData\Local\Temp\oYkc.exe

Filesize
111KB

MD5
ba80d434df0690ea8d9cf7a7a2f59fa2

SHA1
dcfc967d0e4543dfefdc9a224c45c22e68818851

SHA256
28672942a4b95ad607c1130085115dfd28b62598b9feb296b7ebbf667185007f

SHA512
6940b1177f77a22da621e8d62814561625836efb2408abd9532226848905053ce2fe0698ea320c2d4f27a194f1a9aed826d7f304df97fb231adb3233949aeb9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\oYwK.exe

Filesize
113KB

MD5
2911591485fa3abbf576d0ba9af4ace0

SHA1
373089de8a5da8f90a15eb4eb850f0045e377f4d

SHA256
f3eb31234d017f775f19920b51bd269508550d3ead6f3759ebcb8d1e6f80d67a

SHA512
843bc3670dddcc65dcea77b19efc49ee7d216dae404774a3b766f5aa31b89f77bd60e29aa16e51e2e64cb3de034e7c1590759d35fe5fbed2ade7412e68650238

Download Submit
C:\Users\Admin\AppData\Local\Temp\oggQ.exe

Filesize
111KB

MD5
f9000df96d1ff9cfda328389c40f557f

SHA1
2607055480da02330a25bc03693d0a32fea53fbd

SHA256
5624db47a2439d9f02a3ecf4afaca92cc5f1bbf6332997da912d32aab6389022

SHA512
5cd38eec6a269048c6c0d83e23954cdf465f2de63fbf61ff5b2738e2573ee78a0f4e9da4348b7939e568f7acb12abf95184a8b8dbde5a8be0d43b5560f3007fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\oocY.exe

Filesize
744KB

MD5
9b0fdd91924822a4bfae1aef06df4b31

SHA1
ec034c0f430bfb8317df16a7ec8fc699366e3f16

SHA256
210e3abc1607971b533d3511da754e18ecf171970184c26071c717b089a3afc7

SHA512
233e09749531f6678138983cf68b17b392cd80e16bc9402035fb12b5803bcb11533a9c55e3e06ab040903e6ed8325f1dc4da848d363bfcb80192d5958f6a0432

Download Submit
C:\Users\Admin\AppData\Local\Temp\owIk.exe

Filesize
112KB

MD5
3f80d8d991ffa46c84ddfb18eb436b08

SHA1
013a54082607eaa155a4ded3a8a7b0953b4d28c5

SHA256
de44503d2134a6a5f7a561c08a12fedb60d68224411072b8cc09d0b8c00c6849

SHA512
759e062ac58d82fe9a1c2132ee6566a2b606a61f028e44ae6b444533d804c1ae5cdfb864eddc6d342879bc70baf3bc8a8d81e8ce05938678d878858942c4a458

Download Submit
C:\Users\Admin\AppData\Local\Temp\qEMG.exe

Filesize
669KB

MD5
3bc6b646f8e2ec2e1b51d66795f8890b

SHA1
7826d82ec7e318beb56c38277d105fdd65be7500

SHA256
1f0cbbb695b14519c7b62159cc790b3a14e1e17930ca8fd9a075c655d4061b63

SHA512
59ce184121897312dfde8ff08624f5da69980be111bb2aede9da4f04a2460671e2e64e89e0ba7859cb3e3aeba85d9c7b0b89bb27bcf6d80a2ae17e3c6b5014a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\qUoe.exe

Filesize
111KB

MD5
f37522350cccaca55948ec821e2cf207

SHA1
fa74f3b21220a3f15991df0ff7b5e4ef1682cf28

SHA256
43b6e7e4d6571f0653330ddd758366e8bd453802268a0f76074090bb0c890df7

SHA512
4901be45a02e117c5d820806eb170ecb22725b9c199ff4e0f73fbbb3f96b30d36372a5b9403c094581dd28f89be0a3e2d528031b94e706f5ed0d234781b51695

Download Submit
C:\Users\Admin\AppData\Local\Temp\qcUw.exe

Filesize
698KB

MD5
ba056e3009be76182460ec90e414ba63

SHA1
d78a3f2d1eceb91c3ed94ecbfc8bdbe94cda39d7

SHA256
a45e8d86e65549e03757e7f608578ef2047345528443fbe2ec9bf2ce982b2f48

SHA512
8b25694157fccf9bccebbe4f2bc115fcdc8b23b531bb913b723139140066715dc917560d75e96df004e056bf4f163a16ceba57ed504200d25195c191ec2ecda5

Download Submit
C:\Users\Admin\AppData\Local\Temp\qoAs.exe

Filesize
349KB

MD5
d156ee1c9f21d53c4bddf3b2133c6685

SHA1
19267b577c31b86507dcb3b9d526840c898f2885

SHA256
ec1783875f09a37f1db8d4a66ffa7d77a16984962f4e921ebd0b8dac814204e1

SHA512
1861d771cd4de39658181151f191d84ffd9a13dc617f2b52f4440709844155a7a9af3d973bf3feb95a7a9bed78468734895fe6e356f0c3b26971a834cacf0d1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\qsYG.exe

Filesize
143KB

MD5
4a6c914144ffc48b96f1ec0aa7be2d52

SHA1
5d16d6faa1a8a0ccbcaa0c4558bfbd5bbc45d27d

SHA256
741ba44baaf65f1ed521312beb91a72e1927ba2281966e6e2d550ac9405e1230

SHA512
8e4144d5057e2b93f7ce8aa80b4c4af92cc8d51f44ab4343167d2d93cfc8427c08a393b0b5bd703828e6fd8b7c129fa87605946352722de282a656ceb2fad1c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\qwIQ.exe

Filesize
647KB

MD5
e8ffd46759905230df0fa365050b8a9a

SHA1
7a83b7fcad78f9d49f489333feb9f119ca91600d

SHA256
cf19c7b59a495ad25cfb5a07cac08ffa6b754959eb037a4b63524e777bccd55d

SHA512
b280f02dfa662ae71126105eb87e689b99ed1fe24cf613b45ab86cb73899b9a58cd09b65bbe7a705815903315fba45ba4de3d3d1503826665752b3d02e4162ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\sIoi.exe

Filesize
532KB

MD5
07551259a9131a220132b76b478dde35

SHA1
bfabcb460a98d2ba43450bcc272e88c1b957d517

SHA256
b18f92ad854084dd218fcf0252a2819a93198e8776ae99015f3a68b511264f1f

SHA512
1cab59e295b9682b5e214ee4189551cc76e05499cc6bc63c50bc6fc70912c2bcedd8b0c2119c1819013ec2dd64d1e5408aeda8de2e79b3097c9ef0a7b903b0b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\sUsg.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\sYAq.exe

Filesize
272KB

MD5
24f496f9b25f7aba8540878c9a25511a

SHA1
80808466a2f9d039ee3aab52ed66a45a81d327c6

SHA256
da1016b21f4f2ad03770e38d30e257ae3ccbed04f0ad2251adfab235a372b12e

SHA512
236613711988435dea0d9034169e8a125ae9931ef8253c5a641f21069dbf58b1321dff9d7e30eec1700b30ca0eb628431ccfe23abca10bdce6a2afc6cd449250

Download Submit
C:\Users\Admin\AppData\Local\Temp\sgko.exe

Filesize
1.7MB

MD5
3fadacc228ab95e2a4c396502c2d629b

SHA1
41db9252e3fa3b31d0b88a947038dc8f432b108a

SHA256
398af3b7bbaf9a3b2db13fdf9aa60e559ea97cad0ece2cdd909b92268477be8f

SHA512
ff28ec4855139dde07d731ba1b6f9dbf70d4fc891a6b721905339ca09b6dfd412f557de9078d609bd95c0a378e7958df6b215c40be0fa851ce93cce1daa4956e

Download Submit
C:\Users\Admin\AppData\Local\Temp\skcY.exe

Filesize
112KB

MD5
bdc59af296bf7e72b109842985715645

SHA1
69bb3e329d4930ef321bdad19fa0c4f5c20b9304

SHA256
51c7ace331f0a546a7959a13764a6495106356e019fb0d3756f41ab460d29c57

SHA512
94659779b7f2b7e39b97e40fe4e7c5cd9eeff4443e1752899d4bce345e4d981c25fca34637d16e5c6239e6139d8c2d960189ccea9085526ac0c4847b8f917181

Download Submit
C:\Users\Admin\AppData\Local\Temp\sksC.exe

Filesize
110KB

MD5
84c49aa1424192548100a19b06cc5ab6

SHA1
ac7e0c9b0ee944bcdd158d353ae412090caccade

SHA256
14ecc93563ac5a725e5408c9bd0ce089f0c3f0de8b4f0fe004d5f8f72edcdbc7

SHA512
f7cb5b978eaec1e8c2742ce7b673e274a05c528387660e4839888031abebbf63824a319f817f1bd42e3e0af01c7d1811741f2d5993b72e3a646c0e7eb721604a

Download Submit
C:\Users\Admin\AppData\Local\Temp\uIkA.exe

Filesize
115KB

MD5
94dbdb00f45e18bd12e67d88617810d4

SHA1
eab876e0af437833fa2c54ff37e41503d64d8755

SHA256
b933e34b136a0c17422f0506300e484f210fe8aeb05ad5b36ee6888d0f6096c0

SHA512
109cb1fe8774c379b4f9fbb836380c4cce587d750989093917ca3476c04524f4ea3fca32e5d8613091b95234a42ff759b3a1b504667898f67c0f4131812347ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\ucQg.exe

Filesize
697KB

MD5
90d14c2bf9861162ef435f2f6c9ab6e8

SHA1
f644e3ffd6aef11b24d221677de2d93aaefecc21

SHA256
bb6199b0b7f855fc6977c79724286b0bddde18261c302cf483ab111fce4c25dd

SHA512
adbbf21ff7bae0047208dc8c0b9ef2efb583ff3b911cb579bf7fbcd7dee10fa10e1fba010adc6e55135c05b6e13588c261dcc16db72c8b63091b3aec202078f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\wIAk.ico

Filesize
4KB

MD5
a35ccd5e8ca502cf8197c1a4d25fdce0

SHA1
a5d177f7dbffbfb75187637ae65d83e201b61b2d

SHA256
135efe6cdc9df0beb185988bd2d639db8a293dd89dcb7fc900e5ac839629c715

SHA512
b877f896dbb40a4c972c81170d8807a8a0c1af597301f5f84c47a430eceebaa9426c882e854cc33a26b06f7a4ce7d86edf0bcfbc3682b4f4aa6ea8e4691f3636

Download Submit
C:\Users\Admin\AppData\Local\Temp\yAMI.exe

Filesize
928KB

MD5
30391cf4c12ada4c8d04603fa88f2b15

SHA1
6cc124b26e3836d49f3c4c63af8763b21404fcf9

SHA256
5c9dd505c5090ed5af2fe046333633f78adaf4f11e9cc5bb27bc754348d752a7

SHA512
1c6db0b958c6e673ade5350f4afbd99b078db9c86756bf3ec0f620363838899ea3b7452c9ee9b0cfff24ef1b14870ca20d639b52e4a6dea291e256a0e8c18011

Download Submit
C:\Users\Admin\AppData\Local\Temp\yEkm.exe

Filesize
237KB

MD5
ef4d73fef973394a121fee6f87b54967

SHA1
f3723815d7d5cc7a6e1d11ec716fc8378d055f4f

SHA256
472fa5a8735dcd92a54b49c0fe0b88f2bb9d17e4cea3c8fe68af5cb04e6fef17

SHA512
e7374853566bc329aa49f2636a8d61f6ee0450886b6822385e2c3ba25e42a95ac3d23a3e1a987f1a144f46b369e2c6baab583ee29d2bf5b3fed4c83f3924c2a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\yMge.ico

Filesize
4KB

MD5
d07076334c046eb9c4fdf5ec067b2f99

SHA1
5d411403fed6aec47f892c4eaa1bafcde56c4ea9

SHA256
a3bab202df49acbe84fbe663b6403ed3a44f5fc963fd99081e3f769db6cecc86

SHA512
2315de6a3b973fdf0c4b4e88217cc5df6efac0c672525ea96d64abf1e6ea22d7f27a89828863c1546eec999e04c80c4177b440ad0505b218092c40cee0e2f2bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\yQQo.exe

Filesize
555KB

MD5
7a512cb60ab52c521fdfda7adc685885

SHA1
aad09d8f0ed82ca529d8ebf2b94b34999f109a4d

SHA256
a45d9c2a926e2705f7bc051fd9f877b457cb0d0552f7370073e36a8132d17efb

SHA512
1fa7f775e7e4d9e70a5c2bf765d1030ea7c7a65f90ddd1f890b3dc52b605f87c12e78172ddb0740658ea6820c75fff1487a66dd6a6c0e419047716da87bf61a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ycMw.exe

Filesize
116KB

MD5
42ff49c77e1effe4273fe6051a9ee857

SHA1
2028444e53cc7c58867fe41dd0c4613ef7f73097

SHA256
156785feb95c92ea2afab121ed3d31c8d878cf51f37b45ade963bcd7185b252b

SHA512
69b59c59bfe0e2b6c8bf34accfad04d1b4941557e03f75bec6ab168ff778677394b99c5068eccae66f2358f81a0b4612c68c08a89c55f0802ee04fd5d687a842

Download Submit
C:\Users\Admin\AppData\Local\Temp\yocy.exe

Filesize
682KB

MD5
bd94411cb940ea3c2aea108762132ac7

SHA1
33ea5d2cef6031eba0acd967ab2a086e3d460d9c

SHA256
203c45506f534fe0a63dfbff1be8117a0a968769b59acb32a63d15aab85f373b

SHA512
1eaabaafa163650ea00395a762e02c1117018206b63b4133428ef3add7715f072aa3ce4abb4594a873ccc5ccfa9ff01d839d46493bad97b888e627f092d0e9eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ysEI.exe

Filesize
111KB

MD5
5b843eee8efbafbce1593e18d97e3323

SHA1
b82fde817ca4013cb1851405a8f9eb0ea3ef29e4

SHA256
9508d8d26c531240df6fbb44b41b82e6405a6c8cf9e8ba296ea754afdd2494e3

SHA512
889ebd49b471cdfb3f116a594b51c6e2fe2c4c795190a8743d66e62e993c90ce39c4e36e1ea61cb9c0dcdeded75be7f78efc96b14f61a632c9fe0490754dae5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ysMQ.exe

Filesize
116KB

MD5
af9c836e7024281d9ceb640762ab5425

SHA1
e2b03710e792bb6de8ccb8e903aa7a3d7d224e23

SHA256
a1b8b74b320be0357067b3c1f5024406cae4c8b663d175718cc8181a05085033

SHA512
3c724e592090446466cecb83a3d8fc0d7bb7e7fb8b6a3596249945dbef0c04f9d56aee5333d713a34ad49261810857ba35eb88bbe1dfffcea24d37d0f7a6c05f

Download Submit
C:\Users\Admin\GMsIUEoU\DGwAkMoM.exe

Filesize
111KB

MD5
c2f3aa35abf55fd2d6e0a2a4a91a6957

SHA1
81e22e1210cbe84c5d7dc0207592dd43983dfdef

SHA256
40aa06e8b9e3d65d7f2a0f20e779c1a5749689762eb5d7ceb45b3a537509b43f

SHA512
7ed31d1ea5c68f7e359e8ea8dbfcb75ff70312558cf7fc86d228b0d38882d26527779875cf6df51109fd618ead0ab0fe63e46a35fa834d8d2e7b9e9bed4f5810

Download Submit
memory/460-414-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/460-401-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/540-64-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/540-80-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/552-209-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/552-220-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/860-522-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/860-590-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1072-334-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1072-326-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1136-485-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1136-493-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1172-138-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1172-127-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1576-422-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1576-413-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1728-468-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1728-476-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2032-309-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2032-301-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2360-150-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2388-668-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2420-40-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2420-56-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2528-126-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2664-458-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2664-466-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2684-258-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2684-265-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2752-28-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2752-44-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2868-370-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2868-378-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2936-115-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2936-104-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2960-68-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2960-52-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3040-197-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3132-440-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3132-448-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3144-92-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3144-76-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3280-162-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3280-149-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3348-431-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3348-423-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3520-20-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3520-0-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3520-501-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3532-317-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3624-275-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3624-283-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3644-669-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3676-351-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3708-360-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3708-352-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3740-439-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3756-14-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/3812-173-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3812-158-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3816-484-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3816-475-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3868-457-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3868-449-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3900-325-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4016-300-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4060-16-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4060-32-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4176-362-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4176-369-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4228-335-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4228-343-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4376-208-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4376-194-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4468-103-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4468-88-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4608-395-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4680-221-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4680-232-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4780-396-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4780-405-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4796-244-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4796-233-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4824-292-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4824-284-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4848-174-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4848-185-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4948-256-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4948-245-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/5028-387-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/5028-379-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/5036-13-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/5088-526-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/5088-517-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/5104-267-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/5104-274-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download