c02e1a73f36d717a7ad3aebdd64edb1b723d585138521c0a41ce019590bc3ce0

Analysis

max time kernel
150s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08-08-2024 11:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
Size

190KB
MD5

e9abc8025a9ead22032dd851ac7084b2
SHA1

f33271921b3645af0c584c3c71b82fc31f835754
SHA256

c02e1a73f36d717a7ad3aebdd64edb1b723d585138521c0a41ce019590bc3ce0
SHA512

a778a0bd89783b7c8bb273b800faa327e336b3ea95a0f7c52266ff2d056060d26999cb637d74ffadf596155455fed203dff6b926ade475ff5c296244bddba40b
SSDEEP

3072:qgWwh/4OjzH5yAdv2qTFVXF6xs8wy8NGrbw4mzOgcGtJG:X+8dbRzep3bwBOgcU

Score

10^/10

discovery evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (72) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	RSMUocUA.exe

Executes dropped EXE 2 IoCs

pid	Process
2748	RSMUocUA.exe
1520	QWAkUAYo.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RSMUocUA.exe = "C:\\Users\\Admin\\ikYockAw\\RSMUocUA.exe"	RSMUocUA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\QWAkUAYo.exe = "C:\\ProgramData\\gsAUEgwc\\QWAkUAYo.exe"	QWAkUAYo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RSMUocUA.exe = "C:\\Users\\Admin\\ikYockAw\\RSMUocUA.exe"	2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\QWAkUAYo.exe = "C:\\ProgramData\\gsAUEgwc\\QWAkUAYo.exe"	2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\shell32.dll.exe	RSMUocUA.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	QWAkUAYo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
444	reg.exe
1584	reg.exe
3884	Process not Found
2900	Process not Found
3352	reg.exe
1224	reg.exe
4960	reg.exe
1300	reg.exe
1340	reg.exe
3284	Process not Found
3040	Process not Found
4500	Process not Found
4952	reg.exe
4408	reg.exe
1860	reg.exe
2304	reg.exe
3644	reg.exe
2816	reg.exe
1016	reg.exe
2544	reg.exe
5032	reg.exe
828	reg.exe
3568	reg.exe
4328	reg.exe
3192	reg.exe
1044	reg.exe
4892	Process not Found
2292	reg.exe
2608	reg.exe
4812	reg.exe
4824	reg.exe
3476	reg.exe
2928	Process not Found
2008	Process not Found
712	reg.exe
1860	reg.exe
2156	reg.exe
1628	reg.exe
3064	reg.exe
3780	reg.exe
1900	reg.exe
860	Process not Found
3516	Process not Found
3364	reg.exe
2828	reg.exe
5052	reg.exe
4372	reg.exe
3648	reg.exe
4088	reg.exe
1848	Process not Found
3208	reg.exe
2444	reg.exe
4932	reg.exe
2240	reg.exe
1716	Process not Found
4292	reg.exe
4404	reg.exe
4608	reg.exe
3344	reg.exe
2484	reg.exe
1456	Process not Found
436	reg.exe
2004	reg.exe
4872	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2804	2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
2804	2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
2804	2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
2804	2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
5016	2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
5016	2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
5016	2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
5016	2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
3692	2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
3692	2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
3692	2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
3692	2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
3740	2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
3740	2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
3740	2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
3740	2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
4264	2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
4264	2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
4264	2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
4264	2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
2252	2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
2252	2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
2252	2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
2252	2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
3960	2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
3960	2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
3960	2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
3960	2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
4256	2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
4256	2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
4256	2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
4256	2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
4544	2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
4544	2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
4544	2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
4544	2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
1876	2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
1876	2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
1876	2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
1876	2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
748	2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
748	2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
748	2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
748	2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
2260	2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
2260	2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
2260	2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
2260	2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
3232	2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
3232	2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
3232	2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
3232	2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
4032	2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
4032	2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
4032	2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
4032	2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
2380	2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
2380	2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
2380	2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
2380	2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
832	2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
832	2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
832	2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
832	2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2748	RSMUocUA.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2748	RSMUocUA.exe
2748	RSMUocUA.exe
2748	RSMUocUA.exe
2748	RSMUocUA.exe
2748	RSMUocUA.exe
2748	RSMUocUA.exe
2748	RSMUocUA.exe
2748	RSMUocUA.exe
2748	RSMUocUA.exe
2748	RSMUocUA.exe
2748	RSMUocUA.exe
2748	RSMUocUA.exe
2748	RSMUocUA.exe
2748	RSMUocUA.exe
2748	RSMUocUA.exe
2748	RSMUocUA.exe
2748	RSMUocUA.exe
2748	RSMUocUA.exe
2748	RSMUocUA.exe
2748	RSMUocUA.exe
2748	RSMUocUA.exe
2748	RSMUocUA.exe
2748	RSMUocUA.exe
2748	RSMUocUA.exe
2748	RSMUocUA.exe
2748	RSMUocUA.exe
2748	RSMUocUA.exe
2748	RSMUocUA.exe
2748	RSMUocUA.exe
2748	RSMUocUA.exe
2748	RSMUocUA.exe
2748	RSMUocUA.exe
2748	RSMUocUA.exe
2748	RSMUocUA.exe
2748	RSMUocUA.exe
2748	RSMUocUA.exe
2748	RSMUocUA.exe
2748	RSMUocUA.exe
2748	RSMUocUA.exe
2748	RSMUocUA.exe
2748	RSMUocUA.exe
2748	RSMUocUA.exe
2748	RSMUocUA.exe
2748	RSMUocUA.exe
2748	RSMUocUA.exe
2748	RSMUocUA.exe
2748	RSMUocUA.exe
2748	RSMUocUA.exe
2748	RSMUocUA.exe
2748	RSMUocUA.exe
2748	RSMUocUA.exe
2748	RSMUocUA.exe
2748	RSMUocUA.exe
2748	RSMUocUA.exe
2748	RSMUocUA.exe
2748	RSMUocUA.exe
2748	RSMUocUA.exe
2748	RSMUocUA.exe
2748	RSMUocUA.exe
2748	RSMUocUA.exe
2748	RSMUocUA.exe
2748	RSMUocUA.exe
2748	RSMUocUA.exe
2748	RSMUocUA.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2804 wrote to memory of 2748	2804	2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe	86
PID 2804 wrote to memory of 2748	2804	2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe	86
PID 2804 wrote to memory of 2748	2804	2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe	86
PID 2804 wrote to memory of 1520	2804	2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe	87
PID 2804 wrote to memory of 1520	2804	2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe	87
PID 2804 wrote to memory of 1520	2804	2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe	87
PID 2804 wrote to memory of 2156	2804	2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe	88
PID 2804 wrote to memory of 2156	2804	2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe	88
PID 2804 wrote to memory of 2156	2804	2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe	88
PID 2804 wrote to memory of 1232	2804	2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe	90
PID 2804 wrote to memory of 1232	2804	2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe	90
PID 2804 wrote to memory of 1232	2804	2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe	90
PID 2804 wrote to memory of 4492	2804	2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe	91
PID 2804 wrote to memory of 4492	2804	2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe	91
PID 2804 wrote to memory of 4492	2804	2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe	91
PID 2804 wrote to memory of 4840	2804	2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe	92
PID 2804 wrote to memory of 4840	2804	2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe	92
PID 2804 wrote to memory of 4840	2804	2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe	92
PID 2804 wrote to memory of 1488	2804	2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe	93
PID 2804 wrote to memory of 1488	2804	2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe	93
PID 2804 wrote to memory of 1488	2804	2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe	93
PID 2156 wrote to memory of 5016	2156	cmd.exe	98
PID 2156 wrote to memory of 5016	2156	cmd.exe	98
PID 2156 wrote to memory of 5016	2156	cmd.exe	98
PID 1488 wrote to memory of 1016	1488	cmd.exe	99
PID 1488 wrote to memory of 1016	1488	cmd.exe	99
PID 1488 wrote to memory of 1016	1488	cmd.exe	99
PID 5016 wrote to memory of 4296	5016	2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe	100
PID 5016 wrote to memory of 4296	5016	2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe	100
PID 5016 wrote to memory of 4296	5016	2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe	100
PID 4296 wrote to memory of 3692	4296	cmd.exe	102
PID 4296 wrote to memory of 3692	4296	cmd.exe	102
PID 4296 wrote to memory of 3692	4296	cmd.exe	102
PID 5016 wrote to memory of 2184	5016	2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe	103
PID 5016 wrote to memory of 2184	5016	2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe	103
PID 5016 wrote to memory of 2184	5016	2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe	103
PID 5016 wrote to memory of 4044	5016	2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe	104
PID 5016 wrote to memory of 4044	5016	2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe	104
PID 5016 wrote to memory of 4044	5016	2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe	104
PID 5016 wrote to memory of 2292	5016	2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe	105
PID 5016 wrote to memory of 2292	5016	2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe	105
PID 5016 wrote to memory of 2292	5016	2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe	105
PID 5016 wrote to memory of 4080	5016	2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe	106
PID 5016 wrote to memory of 4080	5016	2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe	106
PID 5016 wrote to memory of 4080	5016	2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe	106
PID 4080 wrote to memory of 852	4080	cmd.exe	111
PID 4080 wrote to memory of 852	4080	cmd.exe	111
PID 4080 wrote to memory of 852	4080	cmd.exe	111
PID 3692 wrote to memory of 1800	3692	2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe	112
PID 3692 wrote to memory of 1800	3692	2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe	112
PID 3692 wrote to memory of 1800	3692	2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe	112
PID 1800 wrote to memory of 3740	1800	cmd.exe	114
PID 1800 wrote to memory of 3740	1800	cmd.exe	114
PID 1800 wrote to memory of 3740	1800	cmd.exe	114
PID 3692 wrote to memory of 2444	3692	2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe	115
PID 3692 wrote to memory of 2444	3692	2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe	115
PID 3692 wrote to memory of 2444	3692	2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe	115
PID 3692 wrote to memory of 2300	3692	2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe	116
PID 3692 wrote to memory of 2300	3692	2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe	116
PID 3692 wrote to memory of 2300	3692	2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe	116
PID 3692 wrote to memory of 912	3692	2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe	117
PID 3692 wrote to memory of 912	3692	2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe	117
PID 3692 wrote to memory of 912	3692	2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe	117
PID 3692 wrote to memory of 3708	3692	2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe	118

C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2804
- C:\Users\Admin\ikYockAw\RSMUocUA.exe
  "C:\Users\Admin\ikYockAw\RSMUocUA.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:2748
- C:\ProgramData\gsAUEgwc\QWAkUAYo.exe
  "C:\ProgramData\gsAUEgwc\QWAkUAYo.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:1520
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2156
- - C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
    C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:5016
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4296
    - - C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3692
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1800
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"
        8⤵
        
        PID:1840
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"
        10⤵
        
        PID:3912
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"
        12⤵
        
        PID:4616
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"
        14⤵
        
        PID:4032
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"
        16⤵
        
        PID:4220
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"
        18⤵
        
        PID:4612
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock
        19⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"
        20⤵
        
        PID:1440
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"
        22⤵
        
        PID:4964
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"
        24⤵
        
        PID:4752
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"
        26⤵
        
        PID:1060
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"
        28⤵
        
        PID:1860
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"
        30⤵
        
        PID:4652
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"
        32⤵
        
        PID:1848
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock
        33⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"
        34⤵
        System Location Discovery: System Language Discovery
        
        PID:4084
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock
        35⤵
        
        PID:444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"
        36⤵
        
        PID:1636
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock
        37⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"
        38⤵
        
        PID:3600
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock
        39⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"
        40⤵
        
        PID:2848
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock
        41⤵
        
        PID:3912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"
        42⤵
        
        PID:2744
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock
        43⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"
        44⤵
        
        PID:3568
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock
        45⤵
        
        PID:3656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"
        46⤵
        
        PID:2296
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock
        47⤵
        
        PID:4224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"
        48⤵
        
        PID:4892
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock
        49⤵
        
        PID:3620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"
        50⤵
        
        PID:4264
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock
        51⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"
        52⤵
        
        PID:512
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock
        53⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"
        54⤵
        
        PID:4952
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock
        55⤵
        
        PID:3360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"
        56⤵
        
        PID:3156
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock
        57⤵
        
        PID:4156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"
        58⤵
        
        PID:4032
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock
        59⤵
        
        PID:3692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"
        60⤵
        
        PID:4152
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock
        61⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"
        62⤵
        
        PID:5104
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock
        63⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"
        64⤵
        
        PID:4732
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock
        65⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"
        66⤵
        
        PID:4980
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock
        67⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"
        68⤵
        
        PID:3940
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock
        69⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"
        70⤵
        
        PID:1652
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock
        71⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"
        72⤵
        
        PID:3948
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock
        73⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"
        74⤵
        
        PID:3660
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock
        75⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"
        76⤵
        
        PID:4932
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock
        77⤵
        
        PID:1016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"
        78⤵
        
        PID:4388
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock
        79⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"
        80⤵
        
        PID:3556
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock
        81⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"
        82⤵
        
        PID:3884
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock
        83⤵
        
        PID:3352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"
        84⤵
        
        PID:4304
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock
        85⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"
        86⤵
        
        PID:1932
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock
        87⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"
        88⤵
        
        PID:2820
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock
        89⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"
        90⤵
        
        PID:3572
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock
        91⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"
        92⤵
        System Location Discovery: System Language Discovery
        
        PID:4740
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock
        93⤵
        
        PID:3364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"
        94⤵
        
        PID:1456
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock
        95⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"
        96⤵
        
        PID:2156
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock
        97⤵
        System Location Discovery: System Language Discovery
        
        PID:3148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"
        98⤵
        
        PID:4068
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock
        99⤵
        
        PID:3860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"
        100⤵
        
        PID:636
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock
        101⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"
        102⤵
        
        PID:1504
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock
        103⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"
        104⤵
        
        PID:3064
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock
        105⤵
        
        PID:828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"
        106⤵
        
        PID:2200
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock
        107⤵
        
        PID:3336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"
        108⤵
        
        PID:3660
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock
        109⤵
        
        PID:4328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"
        110⤵
        
        PID:2340
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock
        111⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"
        112⤵
        
        PID:5076
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock
        113⤵
        
        PID:892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"
        114⤵
        
        PID:4152
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        115⤵
        
        PID:2940
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock
        115⤵
        System Location Discovery: System Language Discovery
        
        PID:3000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"
        116⤵
        
        PID:832
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock
        117⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"
        118⤵
        
        PID:5112
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock
        119⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"
        120⤵
        System Location Discovery: System Language Discovery
        
        PID:3472
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock
        121⤵
        System Location Discovery: System Language Discovery
        
        PID:3960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"
        122⤵
        
        PID:3588
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock
        123⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"
        124⤵
        
        PID:4840
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock
        125⤵
        System Location Discovery: System Language Discovery
        
        PID:3628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"
        126⤵
        
        PID:3648
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock
        127⤵
        
        PID:3228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"
        128⤵
        
        PID:3440
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        129⤵
        
        PID:3192
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock
        129⤵
        
        PID:4192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"
        130⤵
        
        PID:4004
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock
        131⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"
        132⤵
        
        PID:4972
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock
        133⤵
        
        PID:4732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"
        134⤵
        
        PID:1008
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock
        135⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"
        136⤵
        System Location Discovery: System Language Discovery
        
        PID:3564
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock
        137⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"
        138⤵
        
        PID:2544
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock
        139⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"
        140⤵
        
        PID:2260
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock
        141⤵
        
        PID:3568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"
        142⤵
        
        PID:3888
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock
        143⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"
        144⤵
        
        PID:1612
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock
        145⤵
        
        PID:804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"
        146⤵
        
        PID:1916
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock
        147⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"
        148⤵
        
        PID:2920
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock
        149⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"
        150⤵
        
        PID:2632
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock
        151⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"
        152⤵
        
        PID:4712
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock
        153⤵
        
        PID:3564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"
        154⤵
        
        PID:4492
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock
        155⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"
        156⤵
        
        PID:1800
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock
        157⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"
        158⤵
        
        PID:2316
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        159⤵
        
        PID:4192
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock
        159⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"
        160⤵
        
        PID:868
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        161⤵
        
        PID:4044
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock
        161⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"
        162⤵
        
        PID:4752
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock
        163⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"
        164⤵
        
        PID:1860
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock
        165⤵
        System Location Discovery: System Language Discovery
        
        PID:4840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"
        166⤵
        
        PID:2800
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock
        167⤵
        
        PID:3616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"
        168⤵
        
        PID:4220
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock
        169⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"
        170⤵
        
        PID:2968
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock
        171⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"
        172⤵
        
        PID:2132
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        173⤵
        
        PID:5008
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock
        173⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"
        174⤵
        
        PID:452
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock
        175⤵
        
        PID:3440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"
        176⤵
        
        PID:1960
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock
        177⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"
        178⤵
        
        PID:2892
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock
        179⤵
        
        PID:636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"
        180⤵
        
        PID:1504
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock
        181⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"
        182⤵
        
        PID:2392
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock
        183⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"
        184⤵
        
        PID:4956
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        185⤵
        
        PID:4808
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock
        185⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"
        186⤵
        
        PID:1524
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock
        187⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"
        188⤵
        
        PID:924
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock
        189⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"
        190⤵
        
        PID:4412
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock
        191⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"
        192⤵
        
        PID:4628
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        193⤵
        
        PID:1168
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock
        193⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"
        194⤵
        
        PID:3208
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock
        195⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"
        196⤵
        
        PID:5108
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        197⤵
        
        PID:4220
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock
        197⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"
        198⤵
        
        PID:2900
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock
        199⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"
        200⤵
        
        PID:1844
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock
        201⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"
        202⤵
        
        PID:4068
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock
        203⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"
        204⤵
        
        PID:892
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock
        205⤵
        
        PID:3364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"
        206⤵
        
        PID:4492
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock
        207⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"
        208⤵
        
        PID:4044
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        209⤵
        
        PID:4540
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock
        209⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"
        210⤵
        System Location Discovery: System Language Discovery
        
        PID:4148
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock
        211⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"
        212⤵
        
        PID:1904
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock
        213⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"
        214⤵
        
        PID:2592
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock
        215⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"
        216⤵
        
        PID:1352
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock
        217⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"
        218⤵
        
        PID:2024
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock
        219⤵
        
        PID:3748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"
        220⤵
        
        PID:3928
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        221⤵
        
        PID:2136
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock
        221⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"
        222⤵
        
        PID:3600
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock
        223⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"
        224⤵
        
        PID:2740
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        225⤵
        
        PID:4920
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock
        225⤵
        
        PID:404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"
        226⤵
        
        PID:5016
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock
        227⤵
        
        PID:3128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"
        228⤵
        
        PID:2636
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock
        229⤵
        
        PID:3844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"
        230⤵
        
        PID:2624
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock
        231⤵
        
        PID:636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"
        232⤵
        
        PID:2704
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock
        233⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"
        234⤵
        
        PID:1012
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        235⤵
        
        PID:1524
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock
        235⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"
        236⤵
        
        PID:448
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        237⤵
        
        PID:2216
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock
        237⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"
        238⤵
        
        PID:636
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock
        239⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"
        240⤵
        
        PID:4340
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock
        241⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"
        242⤵
        System Location Discovery: System Language Discovery
        
        PID:988
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        243⤵
        
        PID:1184
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock
        243⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"
        244⤵
        
        PID:3556
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock
        245⤵
        
        PID:996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"
        246⤵
        
        PID:748
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock
        247⤵
        System Location Discovery: System Language Discovery
        
        PID:4296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"
        248⤵
        
        PID:3476
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock
        249⤵
        
        PID:3212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"
        250⤵
        
        PID:2948
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock
        251⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"
        252⤵
        
        PID:380
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock
        253⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"
        254⤵
        
        PID:1940
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock
        255⤵
        
        PID:3148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"
        256⤵
        
        PID:3804
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock
        257⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"
        258⤵
        
        PID:436
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        259⤵
        
        PID:4628
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock
        259⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"
        260⤵
        
        PID:2808
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock
        261⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"
        262⤵
        
        PID:4432
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock
        263⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"
        264⤵
        
        PID:3208
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock
        265⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        264⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        262⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5092
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        263⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        262⤵
        
        PID:1464
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        263⤵
        
        PID:3860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        262⤵
        UAC bypass
        
        PID:2892
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        263⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EYIgIoAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe""
        262⤵
        
        PID:924
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        263⤵
        
        PID:4876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        260⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        260⤵
        System Location Discovery: System Language Discovery
        
        PID:1224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        260⤵
        
        PID:3564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qWYQUEUE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe""
        260⤵
        
        PID:1812
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        261⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        261⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        258⤵
        
        PID:3744
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        259⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        258⤵
        
        PID:3196
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        259⤵
        
        PID:3384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        258⤵
        System Location Discovery: System Language Discovery
        
        PID:2392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\COYgQMws.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe""
        258⤵
        
        PID:364
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        259⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        256⤵
        Modifies registry key
        
        PID:4088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        256⤵
        
        PID:1724
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        257⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        256⤵
        
        PID:3360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XmcMIYMc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe""
        256⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        257⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        254⤵
        
        PID:1192
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        255⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        254⤵
        
        PID:912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        254⤵
        Modifies registry key
        
        PID:1584
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        255⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XAAMgcYU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe""
        254⤵
        
        PID:4388
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        255⤵
        
        PID:3740
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        255⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        252⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        252⤵
        
        PID:4808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        252⤵
        UAC bypass
        
        PID:3336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pcoAgUII.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe""
        252⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        253⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        250⤵
        
        PID:1984
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        251⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        250⤵
        
        PID:3600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        250⤵
        
        PID:3200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zKkIYYMs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe""
        250⤵
        
        PID:3616
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        251⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        248⤵
        Modifies registry key
        
        PID:1044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        248⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        248⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IWckwMoE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe""
        248⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        249⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        246⤵
        
        PID:404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        246⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        246⤵
        Modifies registry key
        
        PID:4372
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        247⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EAcUgYUg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe""
        246⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        247⤵
        
        PID:436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        244⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        244⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        244⤵
        UAC bypass
        
        PID:3820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AMcMkYQM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe""
        244⤵
        
        PID:3792
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        245⤵
        
        PID:3572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        242⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        242⤵
        System Location Discovery: System Language Discovery
        
        PID:2708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        242⤵
        
        PID:3860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\feAcoocM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe""
        242⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        243⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        240⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4400
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        241⤵
        
        PID:3200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        240⤵
        
        PID:2024
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        241⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        240⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pCsMkUQE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe""
        240⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        241⤵
        
        PID:3780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        238⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2424
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        239⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        238⤵
        
        PID:3744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        238⤵
        Modifies registry key
        
        PID:1340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ryMQcAEA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe""
        238⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        239⤵
        
        PID:4152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        236⤵
        
        PID:3820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        236⤵
        
        PID:2416
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        237⤵
        
        PID:740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        236⤵
        
        PID:4900
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        237⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DkQcEYMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe""
        236⤵
        
        PID:3384
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        237⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        234⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        234⤵
        Modifies registry key
        
        PID:2484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        234⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GIosgIoU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe""
        234⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        235⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        232⤵
        Modifies registry key
        
        PID:2240
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        233⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        232⤵
        
        PID:436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        232⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kcsEoQkA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe""
        232⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        233⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        230⤵
        Modifies registry key
        
        PID:3644
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        231⤵
        
        PID:4784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        230⤵
        
        PID:4328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        230⤵
        UAC bypass
        Modifies registry key
        
        PID:2816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SqgsAUoE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe""
        230⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        231⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        228⤵
        
        PID:3792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        228⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        228⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:2784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OsswgYsc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe""
        228⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        229⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        226⤵
        System Location Discovery: System Language Discovery
        
        PID:2600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        226⤵
        
        PID:868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        226⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xkUgogYc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe""
        226⤵
        
        PID:1228
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        227⤵
        
        PID:1184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        224⤵
        Modifies visibility of file extensions in Explorer
        
        PID:768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        224⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        224⤵
        
        PID:1628
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        225⤵
        
        PID:712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zuwUIckI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe""
        224⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        225⤵
        
        PID:640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        222⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        222⤵
        
        PID:3804
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        223⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        222⤵
        
        PID:4712
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        223⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\POAAAIso.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe""
        222⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        223⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        220⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2304
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        221⤵
        
        PID:3556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        220⤵
        
        PID:2156
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        221⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        220⤵
        
        PID:1712
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        221⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KgIMgwAk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe""
        220⤵
        
        PID:2200
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        221⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        221⤵
        
        PID:748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        218⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        218⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        218⤵
        Modifies registry key
        
        PID:444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OkYIoAQs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe""
        218⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        219⤵
        
        PID:3452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        216⤵
        
        PID:2580
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        217⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        216⤵
        Modifies registry key
        
        PID:4932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        216⤵
        
        PID:4552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GMQYcsEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe""
        216⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        217⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        214⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:4660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        214⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        214⤵
        UAC bypass
        
        PID:1724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bSwQAAgo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe""
        214⤵
        
        PID:2072
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        215⤵
        
        PID:828
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        215⤵
        
        PID:4784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        212⤵
        
        PID:1160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        212⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1300
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        213⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        212⤵
        UAC bypass
        
        PID:824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VggIAoMI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe""
        212⤵
        System Location Discovery: System Language Discovery
        
        PID:740
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        213⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        213⤵
        
        PID:924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        210⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:4632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        210⤵
        Modifies registry key
        
        PID:3476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        210⤵
        Modifies registry key
        
        PID:2444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nsYkgckw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe""
        210⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        211⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        208⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        208⤵
        System Location Discovery: System Language Discovery
        
        PID:2704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        208⤵
        UAC bypass
        
        PID:2484
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        209⤵
        
        PID:800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DYUYsccQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe""
        208⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        209⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        206⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        206⤵
        
        PID:3616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        206⤵
        
        PID:4864
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        207⤵
        
        PID:3900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ausYEgcc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe""
        206⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        207⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        204⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        204⤵
        
        PID:2600
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        205⤵
        
        PID:8
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        204⤵
        UAC bypass
        
        PID:4728
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        205⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MUwUQMEM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe""
        204⤵
        
        PID:2864
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        205⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        205⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        202⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        202⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        202⤵
        UAC bypass
        
        PID:3028
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        203⤵
        
        PID:712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cmMoQoos.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe""
        202⤵
        
        PID:3888
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        203⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        200⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        200⤵
        
        PID:3612
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        201⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        200⤵
        UAC bypass
        
        PID:1340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sCUwYYMs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe""
        200⤵
        System Location Discovery: System Language Discovery
        
        PID:1008
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        201⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        201⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        198⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        198⤵
        
        PID:740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        198⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\racwwoow.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe""
        198⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        199⤵
        
        PID:1264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        196⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4876
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        197⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        196⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        196⤵
        UAC bypass
        
        PID:3000
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        197⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZQMkcwkY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe""
        196⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        197⤵
        System Location Discovery: System Language Discovery
        
        PID:2456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        194⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        194⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        194⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:4376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FQoMoIEI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe""
        194⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        195⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        192⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        192⤵
        
        PID:2008
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        193⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        192⤵
        UAC bypass
        
        PID:2808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZqIUkEkc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe""
        192⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        193⤵
        
        PID:3884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        190⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        190⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        190⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:5112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eMEIgIYI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe""
        190⤵
        
        PID:1264
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        191⤵
        
        PID:3088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        188⤵
        
        PID:1812
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        189⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        188⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        188⤵
        UAC bypass
        
        PID:3740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UqcEMMAA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe""
        188⤵
        
        PID:3364
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        189⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        186⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        186⤵
        
        PID:4388
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        187⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        186⤵
        UAC bypass
        
        PID:3068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MOAEMMMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe""
        186⤵
        
        PID:800
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        187⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        184⤵
        
        PID:1080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        184⤵
        
        PID:1488
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        185⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        184⤵
        
        PID:3564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vAcAsIQk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe""
        184⤵
        
        PID:3360
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        185⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        182⤵
        
        PID:4992
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        183⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        182⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        182⤵
        
        PID:712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TMQAwoMM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe""
        182⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        183⤵
        
        PID:3656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        180⤵
        
        PID:4544
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        181⤵
        
        PID:3780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        180⤵
        Modifies registry key
        
        PID:3344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        180⤵
        UAC bypass
        
        PID:2608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hCYcQEMU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe""
        180⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        181⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        178⤵
        
        PID:1804
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        179⤵
        
        PID:3200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        178⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        178⤵
        
        PID:3520
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        179⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\huwgQAAw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe""
        178⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        179⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        176⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        176⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        176⤵
        
        PID:3384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SqMYYUIU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe""
        176⤵
        
        PID:680
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        177⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        174⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1628
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        175⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        174⤵
        Modifies registry key
        
        PID:5052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        174⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GQsssMYQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe""
        174⤵
        
        PID:4372
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        175⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        175⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        172⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        172⤵
        
        PID:2152
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        173⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        172⤵
        UAC bypass
        
        PID:8
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WIQEkEoI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe""
        172⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        173⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        170⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        170⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        170⤵
        UAC bypass
        
        PID:3780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gmgkEggk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe""
        170⤵
        
        PID:1224
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        171⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        168⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        168⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        168⤵
        UAC bypass
        
        PID:4268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VSsEMYwU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe""
        168⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        169⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        166⤵
        
        PID:832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        166⤵
        
        PID:4808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        166⤵
        UAC bypass
        Modifies registry key
        
        PID:4608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jyUkAosY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe""
        166⤵
        
        PID:824
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        167⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        164⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1584
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        165⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        164⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        164⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VUwgoUIg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe""
        164⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        165⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        162⤵
        
        PID:3676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        162⤵
        
        PID:3948
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        163⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        162⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZSEokEIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe""
        162⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        163⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        160⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        160⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        160⤵
        UAC bypass
        
        PID:4660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YgcQwEog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe""
        160⤵
        
        PID:3900
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        161⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        158⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3332
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        159⤵
        
        PID:4552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        158⤵
        
        PID:1192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        158⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:3556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CQUIgoII.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe""
        158⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        159⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        156⤵
        
        PID:1080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        156⤵
        
        PID:4324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        156⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AwkkQswQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe""
        156⤵
        
        PID:3200
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        157⤵
        System Location Discovery: System Language Discovery
        
        PID:748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        154⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3228
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        155⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        154⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        154⤵
        UAC bypass
        
        PID:404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\icUcMgkc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe""
        154⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        155⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        152⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1232
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        153⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        152⤵
        
        PID:712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        152⤵
        Modifies registry key
        
        PID:828
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        153⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lcsoEUkQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe""
        152⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        153⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        150⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        150⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        150⤵
        UAC bypass
        
        PID:2324
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        151⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Jksccgkk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe""
        150⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        151⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        148⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4072
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        149⤵
        
        PID:1060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        148⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        148⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bqQUoksk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe""
        148⤵
        System Location Discovery: System Language Discovery
        
        PID:1416
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        149⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        146⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        146⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        146⤵
        UAC bypass
        
        PID:5016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JWccYsko.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe""
        146⤵
        
        PID:832
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        147⤵
        
        PID:3884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        144⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        144⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        144⤵
        
        PID:3940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mwIckEcE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe""
        144⤵
        
        PID:2136
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        145⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        145⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        142⤵
        Modifies registry key
        
        PID:3780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        142⤵
        
        PID:924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        142⤵
        
        PID:3740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EYscQEIg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe""
        142⤵
        
        PID:3656
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        143⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        143⤵
        
        PID:1168
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        140⤵
        
        PID:5036
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        141⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        140⤵
        Modifies registry key
        
        PID:4960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        140⤵
        UAC bypass
        
        PID:3884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AMQcYYUw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe""
        140⤵
        
        PID:1060
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        141⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        138⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        138⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        138⤵
        
        PID:1648
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        139⤵
        
        PID:1232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZOYYowAY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe""
        138⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        139⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        136⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        136⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        136⤵
        Modifies registry key
        
        PID:3208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fekcMAEs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe""
        136⤵
        
        PID:1452
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        137⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        134⤵
        System Location Discovery: System Language Discovery
        
        PID:4364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        134⤵
        
        PID:1012
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        135⤵
        
        PID:444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        134⤵
        
        PID:4256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tkkoQMsQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe""
        134⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        135⤵
        
        PID:4552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        132⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5008
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        133⤵
        
        PID:3332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        132⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        132⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vIsgEUgs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe""
        132⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        133⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        Modifies registry key
        
        PID:5032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hiUQEEog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe""
        130⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        131⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        Modifies registry key
        
        PID:1860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cuIowMIc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe""
        128⤵
        
        PID:3212
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        129⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        
        PID:3096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wcoYgQAM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe""
        126⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        System Location Discovery: System Language Discovery
        
        PID:8
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        125⤵
        
        PID:636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        
        PID:1168
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        UAC bypass
        Modifies registry key
        
        PID:4404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OKEcsoYU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe""
        124⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        
        PID:764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        UAC bypass
        
        PID:4584
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        123⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TUMEAkIE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe""
        122⤵
        System Location Discovery: System Language Discovery
        
        PID:1012
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        System Location Discovery: System Language Discovery
        
        PID:5056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        
        PID:1264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vMEMEYgo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe""
        120⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:4732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        
        PID:512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        UAC bypass
        Modifies registry key
        
        PID:4408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TGIQMgsA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe""
        118⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        
        PID:3440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        UAC bypass
        
        PID:2576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\seYkwIsE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe""
        116⤵
        
        PID:3212
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        
        PID:1232
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        115⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        System Location Discovery: System Language Discovery
        
        PID:4388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\smwcUEsE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe""
        114⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        Modifies registry key
        
        PID:4872
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        113⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        
        PID:3940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        
        PID:1224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uwkAEgkg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe""
        112⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        Modifies visibility of file extensions in Explorer
        
        PID:640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        UAC bypass
        
        PID:3612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CoMQIkEI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe""
        110⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:3332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        System Location Discovery: System Language Discovery
        
        PID:4220
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        109⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hwUcggcU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe""
        108⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        Modifies visibility of file extensions in Explorer
        
        PID:664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        Modifies registry key
        
        PID:3192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XGQYIQwM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe""
        106⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:4148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        Modifies registry key
        
        PID:2544
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        105⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PMsQYQYg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe""
        104⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:3352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        
        PID:1192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AcwAgAAw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe""
        102⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        Modifies registry key
        
        PID:4292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iWYEUcIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe""
        100⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:3940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3116
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        99⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        
        PID:2916
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        99⤵
        
        PID:1016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        
        PID:680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kMoUAkAY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe""
        98⤵
        
        PID:640
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        
        PID:3620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ackscgwo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe""
        96⤵
        
        PID:320
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5052
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        95⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        UAC bypass
        
        PID:3384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bSEIsAsI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe""
        94⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        Modifies registry key
        
        PID:3064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        
        PID:1228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        UAC bypass
        
        PID:1168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rIccokEQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe""
        92⤵
        
        PID:1064
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        Modifies registry key
        
        PID:4824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        
        PID:4156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tigMogoQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe""
        90⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        
        PID:4256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hssYIMUw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe""
        88⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        UAC bypass
        
        PID:2476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OaoIsoYI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe""
        86⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:1112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        Modifies registry key
        
        PID:2156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        UAC bypass
        
        PID:4632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sKEcEIIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe""
        84⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        Modifies registry key
        
        PID:2828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:3692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        UAC bypass
        
        PID:856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KYAkksMU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe""
        82⤵
        
        PID:1992
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        83⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        System Location Discovery: System Language Discovery
        
        PID:1776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        System Location Discovery: System Language Discovery
        
        PID:4740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        UAC bypass
        
        PID:2400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nqEQUQsU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe""
        80⤵
        
        PID:1168
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        System Location Discovery: System Language Discovery
        
        PID:4952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        System Location Discovery: System Language Discovery
        
        PID:2276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        UAC bypass
        
        PID:1524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HQUkMkUE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe""
        78⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        
        PID:5032
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        77⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        UAC bypass
        
        PID:4864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DaUUksoE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe""
        76⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        
        PID:3676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        UAC bypass
        
        PID:768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PAEgYIME.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe""
        74⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        
        PID:220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        UAC bypass
        Modifies registry key
        
        PID:2004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EegQsQsQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe""
        72⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        
        PID:3952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        
        PID:740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EgsAMMsE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe""
        70⤵
        System Location Discovery: System Language Discovery
        
        PID:4524
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        71⤵
        
        PID:3692
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:3440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        
        PID:4944
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        69⤵
        
        PID:4156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:4812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        
        PID:3572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ciYQcIQE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe""
        68⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        System Location Discovery: System Language Discovery
        
        PID:852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        UAC bypass
        
        PID:1008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JkcoUkME.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe""
        66⤵
        
        PID:4292
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:1080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        Modifies registry key
        
        PID:436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FsAwwAww.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe""
        64⤵
        
        PID:4972
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        65⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        System Location Discovery: System Language Discovery
        
        PID:4848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        UAC bypass
        
        PID:4560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BqAYQkYw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe""
        62⤵
        
        PID:768
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zeMgUooM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe""
        60⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        
        PID:4224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        UAC bypass
        
        PID:452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QeEYoAAI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe""
        58⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:1160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WyEooYos.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe""
        56⤵
        
        PID:3572
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        
        PID:996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KiwYAMEo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe""
        54⤵
        
        PID:4292
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        UAC bypass
        
        PID:2476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rQcAMoAk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe""
        52⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        Modifies registry key
        
        PID:1860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        
        PID:1692
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        51⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nkcAocss.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe""
        50⤵
        System Location Discovery: System Language Discovery
        
        PID:3600
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4976
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        49⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        
        PID:740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pekwEYIo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe""
        48⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        
        PID:8
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MMYogoYQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe""
        46⤵
        
        PID:1396
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        UAC bypass
        
        PID:2072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UsYoUoQM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe""
        44⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        System Location Discovery: System Language Discovery
        
        PID:1804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wugEMEIo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe""
        42⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        
        PID:4840
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        41⤵
        
        PID:712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:3924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        UAC bypass
        
        PID:1992
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        41⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gEYAoUQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe""
        40⤵
        
        PID:4876
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:3616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        
        PID:4152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:3556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\peIIMUsw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe""
        38⤵
        
        PID:3128
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        
        PID:1112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PuAEoYYs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe""
        36⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VCowsAco.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe""
        34⤵
        
        PID:764
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        UAC bypass
        Modifies registry key
        
        PID:4328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OCgUAIkM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe""
        32⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        Modifies registry key
        
        PID:712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mKAYIUok.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe""
        30⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        
        PID:3820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oqUQgwIQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe""
        28⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:1160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        
        PID:1112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uCoUMsYo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe""
        26⤵
        
        PID:912
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        
        PID:1188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        Modifies registry key
        
        PID:1016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        UAC bypass
        
        PID:4812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tsgQMQwQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe""
        24⤵
        
        PID:4044
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        25⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:3516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        UAC bypass
        Modifies registry key
        
        PID:3568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XcMwowQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe""
        22⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:2556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BOIgAEoM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe""
        20⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        
        PID:3620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        UAC bypass
        
        PID:3820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\giIUsAIY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe""
        18⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:4784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        UAC bypass
        
        PID:1008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UyscQYYQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe""
        16⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        
        PID:1188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ayEkIMoo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe""
        14⤵
        
        PID:3748
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        UAC bypass
        
        PID:2392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mkUAwMAk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe""
        12⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        
        PID:1228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xOgwcwAU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe""
        10⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        Modifies registry key
        
        PID:3352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        
        PID:1932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bwMwkoYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe""
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3928
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:1996
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        
        PID:2444
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:2300
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        
        PID:912
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NGEIMMUA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe""
        6⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:3156
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:2184
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:4044
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      Modifies registry key
      PID:2292
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HwIsUQgs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4080
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:852
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:1232
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:4492
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:4840
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uoowcoII.bat" "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1488
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:1016

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv HTD4JHC5v0usp9Ai0qAhDA.0.1
1⤵
PID:1900

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:1684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe

Filesize
643KB

MD5
4077a260772a91ada909a2524c3ae6fd

SHA1
8bbf020bb80572f6f6b346f52cda22824e2a94dc

SHA256
c1207b7193f3a946bd00b04b2f43996e8e96910f98baf61981f00340e1b02bae

SHA512
fbe1205c2597079165d40f2d1075269969f0c54ef33280d2b066d09e65e725127522e0057e5a0a2d3f0e83393fcfc06db5f4e33f3ab33bd3921e2705b4399dc8

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\guest.png.exe

Filesize
196KB

MD5
fa88ddf2661fb9640dec88fc7492ca70

SHA1
17553096199cd4048158ba349712f2cc7a8718e3

SHA256
eb5170e53f6473bd2a9466ee01c204050ada084a7691c6cd98f25f1d26ce8e04

SHA512
bb72488afbfe4c26bdb368ba70b698d8ff1666f063d769d45099b09a9eb914bb133d99c3eeb55f8e164a63cb9db2e5e67561aa89a9adec69eddd310b904d5632

Download Submit
C:\ProgramData\gsAUEgwc\QWAkUAYo.exe

Filesize
200KB

MD5
3ee0f4863d915b783ee38f45a5ee6a91

SHA1
4af7d432ded9e120fdf338185a46f0832f935e35

SHA256
0b161db866b5bd87189caff38e5c5404445432e885b41d91cc06cb5c1368620f

SHA512
768635ca680341220065253c4b89029ace456622f7818d6baafbbe2f10b77bf303a0e5338a4d11fe70c992ffb37ebb4d68e408060f5269cf4ab9716856366ef0

Download Submit
C:\ProgramData\gsAUEgwc\QWAkUAYo.inf

Filesize
4B

MD5
4aa37922e2b3761aafa880920102be09

SHA1
d21ae6bb6ba2ab480d9f0ccc0c1992a923b51e48

SHA256
a7062eb98ce660e49771f0aaa6dac5ec666fbfdd1a6b23a5ee45b74a6a3b5168

SHA512
7fa27243017212c7d0ad31dcf9d3e6b12f44bbe0ad3be13fde28fd24c419f2c16c12fcc74bf4e0421060f5f167b5807d3c10e93e497b1eacb6db44bd9ba11d2b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.80.1_0\128.png.exe

Filesize
184KB

MD5
e9c407c414ddcec81999d194aa7c6a57

SHA1
0cdb342737d4f041538bb13fadadb1d3653472ff

SHA256
aa8e43bdfa093a3a3153e430cc90b845831386dae58ab49c9760370d9bc9e4d7

SHA512
0bac59f2cd61f37100cbed5f0015811ba792fb808e06e2b787319472ffa4a1c1117773f37c3585043953b9f529faba6039f6017adc3f37035f1f25562036fbec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\icon_128.png.exe

Filesize
187KB

MD5
82cd96e6cecc084f8f9f9f1828ec05ee

SHA1
fcc0fbc5ea25831b5429d726ab71aa09c95bdd0c

SHA256
5bb14924253926776a0d314ea5d44482cf1771ef2fd7db594d1120aabca80c4f

SHA512
2ecc7bc8b01873213fe6fdf4b4f2ec2c2964614b3c47dc86c8d0ebf938f0b2a314be5c40647f54b6340a93e5f874c73c2a919d1564e077185626882b14711fdf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\96.png.exe

Filesize
190KB

MD5
83ab7009a6d4a5287c5ea6e0070b26c3

SHA1
2e2281b93259cfec7a4ea2ce78291b66c9bf71f2

SHA256
1a3bd0b846d319b88594e8126e1a4e6dda246c630429c7f9bec398bba1faa3b6

SHA512
454784782df2b80731f6042e0c4edba84831f580caf85459bbf713698e66f276481f882c37cf8fe07f10773f3349736f0d78d0686e17803d92a6cd0189609c9c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\32.png.exe

Filesize
189KB

MD5
9450be78bd53f0a31cad03ecc2b999a6

SHA1
08eefeff797c9f326088e34c6e0d5e8b6af745f1

SHA256
28f750904259fd216608ff5c65172b66f4e9e2eb54988dff4c9dc1656998ae70

SHA512
a6420e19253c9ebb34fe639df089419c7a09ed5c6a095093d3ba8792a30dcd406eaaf1d90b0007b3c4653430a4448c90b9582fd555148ae16e2a4c637f58f328

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMHeroToast.png.exe

Filesize
194KB

MD5
a7be381d60d63a50560b4e25435db45a

SHA1
675c92f4fb8f710e02a33192d2d8e873ba99cf31

SHA256
aa35bb1051105674101023f938495469014fdf5b8637ce5eb55296e96afcf363

SHA512
7acb0d8e9b7d165d32ec355d0f72f5ce7502c02a5ce41fa3c9f082036e6d303e4bc506e8f80bc734bf78b0d685be7ebbe2a5a8d417fc57f9a1a31ed87aabc30b

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock

Filesize
7KB

MD5
84493bd0d57d42d16bd003b9a8e370c2

SHA1
0ff231be9db94b8d301942792314a5bce9724574

SHA256
333984d90a8468691313c361cd7f83179d45ab17643b51eefb3e4ac36cc1c7da

SHA512
b825de64ba3a85e2fbd199e89a987bef8ed4e95f50e7ba92a08ed3e8257da77b3fcc055d734521557709d401940b5d5302b51eeed196d162b00298f91bd1200b

Download Submit
C:\Users\Admin\AppData\Local\Temp\AUYi.exe

Filesize
577KB

MD5
e101e5f788b97ee8f3ecc9e93f9e40b6

SHA1
7531643a367fc35ec058bd229cce2b448fb35a72

SHA256
688123282bc73d649081eddfa6b2c9732be9bfa04776e15c6c24e72e02f0f046

SHA512
c15c40f460145385461a81d8bd986b70543afa01a7c0dba6c74e25c7610c321dd967c0573af809c03a8d7ef617ac8b3ab39955319f1c6fc56a48869934e9949a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AgIW.exe

Filesize
196KB

MD5
8c459c3ba9a5f7a11aa3371f4625fd2d

SHA1
e851310001af3d5673b7fce813fba81f0528361c

SHA256
8a96d1c5503e01b80290c3b698666b037f32296fcca99d7237abadeb870f0398

SHA512
8ac74380c77d8b718c0e287aa523d79491438e5408a3978043ccc9e2d9aed8c55882a41d26decf051781ca2654f6a298dc584888c98348490f12d79788113d6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\AwEw.exe

Filesize
193KB

MD5
41b081e24884e7dc96d509062516c383

SHA1
6c35b95f3add75d27273d38ad77fb72521abef1c

SHA256
7a78c332da4ad1170a89164de6a6ea8c54baef62ad62111792dc5e4dab1c33ec

SHA512
1720c83d0df8cd1cb6c2ce04687ba4ea94ff4f868b540e04e6037380d662c728ac6e759f5a541762db8b32a9471b5181639b6387d995a0b33ff6c4aadf1f9c7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\CQks.exe

Filesize
781KB

MD5
0aaa5f01305bd89f3ed982c76e22c6f3

SHA1
db003c620f92938c87da12153143006de23dd200

SHA256
a3658bc5a70c5da2380f5cd1b6389a939bed18663b8d20daf764df76d1b0a59b

SHA512
5c0feae971188a00e33ae5b13ced61ed6e9f9cd02e69c42d87229a6876a2bfa5559ecc8affb975c854eb5c02432e71bf9fca1647dfc59bde6f2ba30158162f99

Download Submit
C:\Users\Admin\AppData\Local\Temp\CUcq.exe

Filesize
195KB

MD5
be0ea1412683f8a38e7caa57c180174b

SHA1
9e1d25b4f5e65ea206e5a7ed0d973bb30be90860

SHA256
1324420e86f8f4c49dd01d60c43e8b87b2237e6285e608ff56b81b4778204501

SHA512
c556c230689ea0e29232c60f0a02ac89ae5a82ae8277be535aa61f2a24242949d35002b7bfe93773aa4601acda2c424be606964694ca16ee1fdb9cd13bb586fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\CYgs.exe

Filesize
5.9MB

MD5
18379da38beb07c3affbd06af6d9d4a3

SHA1
c5330c503b1cfe02ebede785d6a9853aa176c8b4

SHA256
818947486bdee4ece5477d337e8a2c45482ed38209d71386d8b659bc8be4b2b1

SHA512
17230ca1cf2b0458fd514a410642b6d58bfa02b532223d240a02b0ba0691f4474cfce31476affc94fee307ecaab2e47ac75167afce26515500ad568bc924993b

Download Submit
C:\Users\Admin\AppData\Local\Temp\CwwM.exe

Filesize
190KB

MD5
a50a68dae1042c7d590560c88dd5d58b

SHA1
fe6ca97e4357f025c50b02440ce68465dc20da47

SHA256
f9245e2c67bcf810d23025929c3a5d3555ad7c252543b71905e91836b9ee2212

SHA512
43a76c4b7c94caa6e9f1f7d53b467bd304222630cda475046642451bf50959071341c1f39ce8c93b7908877a50e6830a3824cc5d3da2bed88617e9fca7b50e33

Download Submit
C:\Users\Admin\AppData\Local\Temp\EMwI.exe

Filesize
197KB

MD5
7a6b2fdea8ba0cffa468729f6d884b44

SHA1
f76d798635261832d267eb59c1d8151d3fd4abf7

SHA256
c13a42d7879eca2e1bedf18b26b4b68f7c0a7b25a87d6d0a77252970fc513618

SHA512
eacbd5af88e5cef695b5f4063b1f6ee4136976b75dd8717554774f053259389e839e6f2f4264c63153d830031e0f6d3b21f0d0f4434e76971f5e04b385043822

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ecca.exe

Filesize
199KB

MD5
1714b02dda58f79ab73002f9084e42cb

SHA1
47ea76c3b43b8c4362481604a43659af6410789f

SHA256
a84e7500fa5664648435abeecdf3fc81cf2ca1355d7f0c8e68ffa294eacd8c86

SHA512
f694af576762a951459144257d900f940a9db3c85f10f30225d3944b34ebb8d0df9c1ccc4af4ae07e3a87a705b0797b09685057368c1bb0e604b101e75c4f853

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ekks.exe

Filesize
524KB

MD5
e2ee2976c9d0d3c02739ec7ffd001b6b

SHA1
64513a4c82f794a3b14838b0825c1f1f367f051e

SHA256
d6d37466b480edf13273532e99122f36c472d8d65d99ca5a0957bed06241ba41

SHA512
1a2886b5ce43d673b4e0d262bb12ce76f8c466180d9ac195a35d75194ac04579607d5fd8713efae3bb6f9c74553cc38988de24b836ed6a83e6598c9c680124a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\EoAW.exe

Filesize
191KB

MD5
9872993709870a2401731f696eedcc5f

SHA1
2f3f22caff90df7dcee7760b72d70b83309ca5c0

SHA256
5ba3ed9d2d66482da3052c8c0dee308d2ae5fe31ea97feac514da4c1bb40d08f

SHA512
5c613dfa5acd9447d668bfb2b29485991a9cbc46eb3a148ef39b0bd47d0332ef149ec7b8f89a33c6b5c262521f253f8884568f978c16e6540e3619a89de001c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\EsIa.exe

Filesize
417KB

MD5
cc50221137b99f9999e30bdb66a4a377

SHA1
9a908a3c2e49cb41393e6ea93a40be903bbdbfb7

SHA256
e37cf79a05553768c9884efc569f4012254c92d2475eff1bb83c38657183b8f4

SHA512
9d3a55ebc6776ec9f34807ad3ae702dc8a24105e307387911985f224624eedfcfbb72c388604736eab87e59debf0283009b17433cff31258f7f3d6c521a7e05a

Download Submit
C:\Users\Admin\AppData\Local\Temp\GcUY.exe

Filesize
647KB

MD5
d19de863f3dda979e0171835ab82226c

SHA1
ce928b96659c0de5c112b107af06322442757db7

SHA256
7ca6adb8301e7764f3cc2144b101a2fc17c0fe2c332668243f57ad4723c0428c

SHA512
c31ae8edb6b0c7ce4fd46a7729757994928a15bdc0db5db5bf8904dff0ebdac8d58885995e3f31b38dd4274ce254b77f261b6f2d9d70bd458adb09bbc077787f

Download Submit
C:\Users\Admin\AppData\Local\Temp\GgwK.exe

Filesize
202KB

MD5
bf45edd529a73de95492766976199d8c

SHA1
e583d7214e136e4dc13cf2b96dbc455946247c39

SHA256
2eb0893328d6319981f13a778250ddf0709e85e204243fabcb4f7d42f7db9966

SHA512
d41db3b5ce3011fc432677cfdbd9065d106e368d33f67e4af20c950ddd033e7b797b5d4923bfb04d94abd5bc2d2ce1ae2ac1e72e4c53692177b11098ef6218a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\GwQo.exe

Filesize
225KB

MD5
12a982482a4f6e1ee5065c749f2aba34

SHA1
c0bc425a31462b8283baa309ec5e513ca1720dcb

SHA256
7159a7d2a8fd699ee8d232d37cfa2fc53d89553134f1bf1092ad1531ec65b747

SHA512
62bb4487ac80adae170a250c2b1595bbabdbe62371b442225151b080e433260e69332c852ed87f4cc7f9cd7d2817613e862bfb989630727958d92c499de2ce61

Download Submit
C:\Users\Admin\AppData\Local\Temp\IAcg.exe

Filesize
225KB

MD5
e7bf215e9bc0e69992f574efa9def8ee

SHA1
42d831da07aace6d7f0ad12565222469b380f7ee

SHA256
19f37784eeea84805db34aeb5f0edabd1eaba35f43b3bc6185c20cbcd4193e9f

SHA512
a196595cf613ed2086312e8c93ff33e5059fab7be05c695a60e6f6581b96b4f4bbfdff742142ac027579318a64013c6bb824cce45b59541643e93a24649cf0cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ickk.exe

Filesize
183KB

MD5
8d5a47c2dc5fd339a7d72dcf64fd20bf

SHA1
381f54e2473e123057d48060c82edef54e6e8678

SHA256
f5880a9a0b6502b80832e8ff4751654da75e80326407091dc846ef90d498e656

SHA512
bf11028ff5a2f31a4bf552b6af751cc1117864d5df634e7b1a42add80ca50538ae8db0f4f5d3fa7e7a9ef942ddf3d1fe5f833a3f8b6315724f5e021c78d81e90

Download Submit
C:\Users\Admin\AppData\Local\Temp\IoIS.exe

Filesize
206KB

MD5
dbb1f2236432ca6a76596d400bfa6737

SHA1
9f05b6466878f7d48e99841a01d101a1373ec5b8

SHA256
f8a7d9e8802698072f3dba4f41f09c6650908498ff3813f7e82215c4b1fb79f1

SHA512
42df2f23eedf54b14fef108e34dd2d93be2bf9685a16dff4e83ee4ec6545217b446cede58b4ce4cf0baeacc5e1b0a9be86bc682c069eb3d37b6f387f735c2814

Download Submit
C:\Users\Admin\AppData\Local\Temp\KAcm.exe

Filesize
637KB

MD5
dcbd09bd8506476474a3e27394701b4a

SHA1
56dfe357ba804660760eb95145bd23b3249f3989

SHA256
8cdcbe65e2ea67e907052d434ce3c77b92ec6ef93e3189732dca94cd88368353

SHA512
3592e840e7497e9bd166c38b26e0e511ab7e4931b98098593bd775d65ec5cc922b6f83e4508e948bf3eea3ffef2525de6cb0b61a594fbf2ef21c3b287e64975b

Download Submit
C:\Users\Admin\AppData\Local\Temp\KQMI.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\KUQK.exe

Filesize
203KB

MD5
6cac05b7d58f48c7b8194f146d838411

SHA1
d54feb54cc443108ca1c9f0fc76235e67f4856a9

SHA256
a33a27fabb7f7d3907a6dbdf1d9ac4f302ac938e3a01086db8f77e63d6883c2b

SHA512
df2be3527790d56903f3203e0e95e65d85a8572329bd77ee5b311078759c140ca1e66ff7575ad174130c3bdca63a159203194d4c93edf39fca8500f1fb224fb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\KYoy.exe

Filesize
193KB

MD5
16a4d183b2d6dd762194cac539d10cd6

SHA1
e2fe3a1d9f2478d64d435f6b60d3ef0127edeb00

SHA256
6ae52a42a22db1c7e71d76ab2ec953c816ee5a875599847d8cec54f1170097b7

SHA512
fe4d5fedfb13242bdaf6a4356711db67efc06219ed25f5406cea18c41c3eea6124675b921028efea2c6c15f058f8adc958aa59938b600e4cd27b23edb35eaded

Download Submit
C:\Users\Admin\AppData\Local\Temp\KscU.exe

Filesize
797KB

MD5
ca728b6b951f768fc7d4abc958352ca7

SHA1
33a8b99336644a0f6dda83a570a2f7973dce402f

SHA256
0c39b4a18a0ea34e6c7793ce0efd0df7f12014303ecb32421094770de8bb7b94

SHA512
0cb800c843b722a0966bc900f631e880e517186a716bd9457ce587819592e73a453cfde97788ae1bada26234aa6b0bdcfa5ebc0ddd611de635e2c428203bf791

Download Submit
C:\Users\Admin\AppData\Local\Temp\KwQa.exe

Filesize
319KB

MD5
20b3a51a09b4f9945ade559438bfcaad

SHA1
3d8bbedbdfd74394b0c25d2aa51d5a4be10d3a6f

SHA256
851c3de00b66cb9fe5a15bfe8cfb939196ec0dcd4019e84e8128b217da3429d6

SHA512
f8a00e274f61f2ed5ad21eef2f0003c7d51619be6f6493aadc18699c094b7163f0f519e65703933d3da34a9e5bbdad2d0e084ed40ff902204ab64a3137c00510

Download Submit
C:\Users\Admin\AppData\Local\Temp\MIkk.exe

Filesize
240KB

MD5
07e8c140ea6ada04ed7175f781a72c50

SHA1
83f723d945bdbb7658b2613bf2ea39f58ddc9411

SHA256
f939a0ba2fbc58dfc3792aeff6a0090b023f3f9918ff3a11dce219270c504814

SHA512
b16eedd1d5d35f0bb3228db3c7828468f8d3029d38d29b6804cc6faf2c6a7632c77756dcabe57ae44468b8d78c0f6c02515ce3ea3abcbc10c1a876884036aba3

Download Submit
C:\Users\Admin\AppData\Local\Temp\MYkC.exe

Filesize
202KB

MD5
6256dc1dbe76c3fe7c727aefaa35f3f3

SHA1
1beaf4489ca68f5f936d41a56619bdfd909cf145

SHA256
a2906d37751e7a24e9ee19d92581db39039337ab262d5834d39f8d501b3cc727

SHA512
1891ae661bbcd454b34ae1cfaf8cdd78d8e435e70297c8661df0a107e2fcba60636d157cc95dfbe97ac0c31f9afdd9c8572861d57291a18670483f0154471449

Download Submit
C:\Users\Admin\AppData\Local\Temp\OUwg.exe

Filesize
323KB

MD5
bf18d078409ea2439126a9df4ca06cde

SHA1
e1335a8a444ae0ccbf2d85c32616dbaaea4c417f

SHA256
d9b037b0f90954bd1d28a1e19383a18a32224dd7669c4c8e5a8959f0438db5be

SHA512
7c0f82f8f8704651e045b61da6f9158a379fe2c88adf0ee1af4575704daf2eaa4dfb8a7a973cab25239f9daf9493be92ba272895b749247c59de68343cfcc743

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ogkg.exe

Filesize
191KB

MD5
31c3232d4449f0ffb16401aa980fe81c

SHA1
29793f1b24b29ec4b00fe2739f95fdb18bd24e6b

SHA256
4b3881bf5eb64e611fa10efd8b98dfb1dcae1c6f8f6c0d9207aa13023a65d09f

SHA512
087bd3526fee694b9cfaf7d7ebac1cb5caad3732e5e800e59cd311f6dae485310ad85bb3f14a464bb62a81a2ea62469d369a32937c1ef313f4b35e78f68ec61b

Download Submit
C:\Users\Admin\AppData\Local\Temp\OkQq.exe

Filesize
197KB

MD5
b66e3d04371bf11e409d5c94f15c3478

SHA1
7b5d08c1b6463d64a9795015e4ac3388a33f614f

SHA256
830ab9617613c8c5ed2cf01a2bf84f6746d25c4d09bb0b60b0f1ec5f28eb749e

SHA512
58bb42850dc9de6943221e61dbd20368c0323f35b7a1fe52e65c952faf5abfe3a7d1c8769898563cbb1c4ea7a04d1776629b70502fb646fde6236c96e6b58ff8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ooci.exe

Filesize
213KB

MD5
abaed1e3418f653da9fdf10aab412ed8

SHA1
06dbb9c42ee9283710d32e99e8a9e98b921e6fe4

SHA256
732141686b1dbb284c22288272b96fb3f6b831aefe4eed09b0d723be1d3719ee

SHA512
b33d5ee90271798e1fffbf6b8ed3850781ee75cbef15901846ed38484ab6b49f77877e22efffcdb3bf3051361f10aa10602bfacc668fdb24a9aabc4cbb726838

Download Submit
C:\Users\Admin\AppData\Local\Temp\QYsY.exe

Filesize
202KB

MD5
bd13e0a4823e73fcd8e8d0b86d859a3f

SHA1
0d6dd74784e0415d2614073cd83715c54a273c25

SHA256
429f28d20b1a58bc6bdb6ac5358b0ea74a0e97386a3b8cb16c2a66951662d70f

SHA512
35cc7ed7bdc52858645ff0673c6022579ba656ebe677bfd506d43a2041f75be42136fed8153508c54457a576479b0f7e4e562ac6221554334291039b78bfe9a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\SEsk.exe

Filesize
200KB

MD5
df6655d49163fd59caab9ad42d1eb23a

SHA1
c264d1eb335a60498cb57f063327aad4e74f1059

SHA256
fc670b350675041dd50e8a038574255edc36c92cc71bc1d49cb4fe1c1f820670

SHA512
b8e00a823c82ff5e8391e43f0bb1d352d18a128067b69372131e0884b2eabc1765bbacb0eba655ece09d8195b1c703be08a383c1f793eb008ca76649e7ed710c

Download Submit
C:\Users\Admin\AppData\Local\Temp\SMcm.exe

Filesize
660KB

MD5
67652e83dce2851e931c6bfe43e9b31d

SHA1
2539c03f7ea396dcf74dfaee19b378331070f52e

SHA256
c35374ae5f1ee82ce40487504795dfb6fbb4e1cd12fec4040ab6f1f9f9cae64e

SHA512
0c422754496689fcb0f2b4dde12af05871b35f5f8f0f47bce2c38ec486459c0cf06932675177d70a5fd153128cb4bd268b1789b690c09b9eef1eada713d0c893

Download Submit
C:\Users\Admin\AppData\Local\Temp\SUQu.exe

Filesize
204KB

MD5
e8f8040c3c20ea017c88cd8d3b17c151

SHA1
a782a45cd6407d069790b7ddce5d3f687cf88fec

SHA256
93c589df7349126b5db356d0af999468bfeb7a4ee805608a398a4a04080f01b4

SHA512
93eb30f3efc58c1dee45e3d87eda4833cd4a1d15b1977c1bf78be155b3f706e3344aecd42b7a6c63a5ffcfba11dd39b2af1d223efea9556b2be7417558d81a86

Download Submit
C:\Users\Admin\AppData\Local\Temp\Skkk.exe

Filesize
199KB

MD5
4febfa27fb1ee5aeb4fb1b9b52510551

SHA1
961bb20318a01085b3227945a0d38e9b9b652353

SHA256
11beb5e01826ad699abd74f3eb6f99a75c836f262060a9ed985d7f113f7b0c8e

SHA512
9096b3457b71335d2aa30b4d153e64984f458d75ba0c22d53025d321cf21bb2b90598b1029c0ef0b52f377c5e9713d96194fb15d13fa4c8437c55ce1081aa6e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\UAkA.exe

Filesize
183KB

MD5
47730c325d3025318b1b96c412f4323a

SHA1
0384e1d79f772821b2d323e23574ca2e110ce684

SHA256
6bd79b6ef8e600eb83c215c760fa7be2e282a46aca0790f56f268a74a69cbf47

SHA512
96ba3eca272f7b12dcdf66098b427185adabd976bea8e3310e65ff9ddbb7d1c3a6364fbb58897eb1b0eded66874891ea99f1c8a83021cba1e98dc20f7d15c32f

Download Submit
C:\Users\Admin\AppData\Local\Temp\UEko.exe

Filesize
205KB

MD5
30412b46aafb404a834a94d4cbfb4012

SHA1
af41e83ef3a729d1e78418115139ff4e3352e9d8

SHA256
b475c531679d195b02c580fb10008b4f15261b1d2899b9e664e10e57bc129b77

SHA512
85be55c2359e0dd00e635b862a47410e1b1bc5ce94aa60fb96e96fe7dc2d233df562d6231ec0f73083555a9bf9364dd00eb64c80a6b392eda98d225b84be3866

Download Submit
C:\Users\Admin\AppData\Local\Temp\UkwM.exe

Filesize
195KB

MD5
41f5c84f99ccc8a5ad59f8c97aa53170

SHA1
adf6995e14e815ccf30d7718c1e89f2fcf8f29f6

SHA256
f3c30ed4bc24dd9607576f60319f9ff59dd64ed0408416022e416367b2adcd28

SHA512
5433ac373e2eb1c475fc598b55ddff04e96f40e9f26dd847d75b7b28499100820919103a8f3e53ffee82073cca6fb1ed25024d0fe62e601a47d331a97a081a08

Download Submit
C:\Users\Admin\AppData\Local\Temp\WIEk.exe

Filesize
255KB

MD5
07dcfee76e4aaf021eb593255710d9d8

SHA1
426b1c67101f4d421f93854538f940b75cc0ea07

SHA256
c5b4c43be890c3ca9a737ed844b814c9e2ddeff9cc81b991c5d7bafe72cd10de

SHA512
7338fc46a338f86d4e1f51ab56eb7bfca13e6f50e528f75f21261005800532db4e2184ff5ae9c0ce8c7fddbdf279db77de3de982f78c04125e688dce0526f611

Download Submit
C:\Users\Admin\AppData\Local\Temp\WcIQ.exe

Filesize
208KB

MD5
2905b5cce462e3eb703e5c96233a7a37

SHA1
a0d5854fe3e6d5e321d413790f288cc7c2895b3d

SHA256
855efed0abbfa79aa3bf85cb636345d8cff46d49b9d2355948bc970788c67f3d

SHA512
cb55ecb11fb5e30ce6a19f8d6e01e776b2d3a2c7a9f20c4175f6a1b648e811f3ca9dc6272eed8ccbb97f76a887d55a025599f31fc913e1b3cd282c29ddf6f59a

Download Submit
C:\Users\Admin\AppData\Local\Temp\WkYK.ico

Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\AppData\Local\Temp\WswG.exe

Filesize
198KB

MD5
daecb6e341bb66ee2fced1b6993100c6

SHA1
b17172b30afdd88d06ae142ab186b9788c5af5e0

SHA256
6c983dcac0f6dc09d1827badce0acfe50b7766d14edb4d1723d4646ddf122dc3

SHA512
a7193ad9064cc3d368b9de951cb9910fc7de04449e0a5e5007b3c18324d064af524f2cdf6dec3bc8da0268a4ad990ca72ec85d149251235be34c236478f5f7df

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wwkc.exe

Filesize
237KB

MD5
f397e51113250497192f095fb6c28780

SHA1
b2b68c76f278a60f10ce20e22ff754f655151acd

SHA256
f94c579ee1ae385860ac8fa8bc092a5a4f483a40f662344b3c9c3a006d40aca8

SHA512
72d26d03cee71226de3e6e3c21b60a9fc8b326325ecb15f5c4101307c28a683c61099e8426524b23d0cbeb0bb3d4461dfd29a3ae1b0029c1385b3818072f0a87

Download Submit
C:\Users\Admin\AppData\Local\Temp\YAMg.exe

Filesize
201KB

MD5
9bc01bd2320d3ff49246789be4533646

SHA1
715e08988be0374088603d5f2532e2cd1c99dd65

SHA256
9aec79f49a7853596981001b4e9961d1321b8f8af6dd3a99c6b0a8b67c7f9505

SHA512
796bc61b7af911cda92b4b6cb68af3b3ba08b55554affb7e3b00fb6bd702dfc4fc6760570afbb4b088158ffd39be34ab6058dfead5d5456c8f526b4a7453f793

Download Submit
C:\Users\Admin\AppData\Local\Temp\YIEi.exe

Filesize
195KB

MD5
accaf53e5061f293e7947500f8178ca8

SHA1
81eca0ae457023aa1261a1ce429721d12fc95590

SHA256
6ab5aa674a557b812131469e560778bd8dfe5efaf980addb80466d5879ebfa5e

SHA512
e1edc0f5e59d44eeed687c38ea88e6f2cb3a7b823f7f03e6ae82146e0eff3fc0d396c792bb08d8127c3cc8b575dec88c451f5c96c39eda845dd1b0c447dcc270

Download Submit
C:\Users\Admin\AppData\Local\Temp\YUcW.exe

Filesize
326KB

MD5
39d889e16afcb8a0b3cc86d772cd2699

SHA1
021c64b0d4eb8b2da4ec4ebe1a1896c2ddf4eced

SHA256
2fec2a82dca36ad68826e3366f6b7b72a9c22f026134a42af01badb56bcbf13b

SHA512
8ec062e6b2b014506a6cde9ed3c1bb6aa802bed6188b8000c06a08711cb366e56c0e6dab90465984a440d8c27c724ca4963129f4fbecc4bd02520bcc376954ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ycss.exe

Filesize
203KB

MD5
3025eaa8c81e069e7dd0fb193b09ca91

SHA1
09687c4d411f35eb6a79152924d113a1e0a1389c

SHA256
5b088f791cc3fba973ca1a6a9f29c314b707909035c277ea826111e9ec34bda4

SHA512
3ff9232e7d292532d6ed075a55b48a7b46998409e1f0ae56fea0381a97b3c85926ffaf7de86a03dfc2299c2a16850e06637018d2f44c7f9059b24f6860728052

Download Submit
C:\Users\Admin\AppData\Local\Temp\YkkY.exe

Filesize
196KB

MD5
712b89a1626c092061cd1cfc31a7c166

SHA1
8b8b45eea0c5a61ba06244aeb7f7208f0fe27fdf

SHA256
3bac9db6b1e88167225fec262d6cdcb7650e6e75bf3e71d54831b8b1fc2e6981

SHA512
746913e4e5f7f26eb2a0404fb9e513eafc5aafcf5d70c36b8e23db6e14c7c9567cd029ba17ac35d9cde1ed171f8b702209c9cf2ebf2cb6181b71232ade66827a

Download Submit
C:\Users\Admin\AppData\Local\Temp\YoUI.exe

Filesize
183KB

MD5
87a64c16c4d1bb4464db7076ad92db02

SHA1
44f8437894f45a77cfc2f417eb22b74a2eb069b5

SHA256
2322287dca3290f521a5b2e54ab2a9bd806e7d2db430b2208024dd4e8407b518

SHA512
1fdd5522f180fa418430008ec01fe32717b580014f6861dd5a4ac0a6b3bcc4cb2fd732efd03fc98b50ca098d77d856b11aeb52419ef2674db407e554c41967c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\aIIq.exe

Filesize
206KB

MD5
6076e610959fc71146935b2d538f001d

SHA1
6b8c2450ee39b1ad18f9e2034d5ae556b1148079

SHA256
977e4f08910a631d18be1c4d6715271d4457a1809db1dd27c6be2610cec84730

SHA512
fa3833b9710e2e3a5eae3a91b65c2a74937333d62b4626b4111d868a7c6a00ed20720c7b4248aa87d19913b1415414523a9d5e6f5cab36d1e54f8003c0ea17b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\aIgg.exe

Filesize
200KB

MD5
917f23b0c84c29396bee3d2b4922d7ca

SHA1
065ad9874e23a67029fc6a74550a8f5bb3c7cd00

SHA256
ba237dbbc58341444a288f1a5d9f40e9aaf8c9e14a3a187cb51e3168b5d42a58

SHA512
9028961b2b702ba4a967a439fd0a5526d376de61e106fe9b297e2f34659b2e66abbaf638f122d5c2f815f4a5ff7e19c0ab8eea4d03b775f51a01015df66c0b2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\aQgs.exe

Filesize
205KB

MD5
5665925cd897149761333e9f4b5cb895

SHA1
fcaab85779e9f1ac80f1f0a96ab91f0859eeba33

SHA256
b6d72cd337dfd2f25fd0613f210ee2c869a57780494c079c89727491fdd5a99c

SHA512
b28b3514ab3f8ebbdb892072d7f812623a269909093846ea68eebe111504de7738d848a973e653420ad2a1e43dbc0cf38c3edbf3add34ae92d11ee2295471461

Download Submit
C:\Users\Admin\AppData\Local\Temp\aYMk.exe

Filesize
941KB

MD5
29a3562c00a386d5348a1e8c5bbba027

SHA1
b451d39626e910ae9287c16feace8c81bfdaf807

SHA256
2cba722d4e5916a39eba4ffedee75de03c79ab3dba34d3777f59727cf05d3d73

SHA512
5a8859df9ccd681e452b8421a51e61eebba2fa844283fe47ddf21cf6e564c059d818573f6edcdea348dd15dc0a5d9595c85a5c1d2b8567e65c82dcd3b7eb254b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cEMA.exe

Filesize
638KB

MD5
507936627f1a59842a06ee5badce64eb

SHA1
683758612fca6d424789175ee12dff7f88ee785a

SHA256
1135da029c5d36e10095e786ad6a624e25c136f38e8a7790515f556ec941e167

SHA512
7ab0a5d18c82136cb0beb66db3679e382518c5c4657f13fa83e8fc51fb994b1e279c200a2b8ce84635c2956211223f66a866932439d95a31ca6f549614a58b30

Download Submit
C:\Users\Admin\AppData\Local\Temp\cgUK.exe

Filesize
213KB

MD5
79dc9ab2bf33cfa2b737181066d33124

SHA1
89f2b49c12a784d138025290c3cdaf39b9073874

SHA256
cb46092b0054ba12bae893a21b62dd3e9c2a59bef0339a20b202676574949277

SHA512
3285abc7a80f997772b8917b2551e748a12549a3f2788ef99dda6ecffc97212260d2408cc70c3ab76bcc62326cedda836e63943633cb60e5bc979c8fac804d4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\coYc.exe

Filesize
204KB

MD5
d7819766ba950eb6d1b9fa45670127ef

SHA1
be66061e64d8ac2fcb24d1b5141c39f9d727ef03

SHA256
2a9a46678b84098800ff2cf03186adc0d22fb325827cf67e423bafb3affe1da7

SHA512
e7ac7c3d558bb596160843c7e2193f0c3c565bba89e4a2a535fa88923d006c6a6f871e8f14ceb20e395b88ca32ca6f5ebf9690e643d84b39e1ea457fdb6aceca

Download Submit
C:\Users\Admin\AppData\Local\Temp\eIwQ.exe

Filesize
189KB

MD5
b637794fa3cbb51d036bed09c5b11497

SHA1
2326ed17d039d1ae76ff410fad62813c80399604

SHA256
1e37b096c6c2cda519f5c419705972d6fed3f6622e52051a181c79364a3fea28

SHA512
7db7e868afd1ec2f15e5eb49f28f15a82f141daccd1b229ade212108d211ac459af2544b87a5e7cff6b9386e0785d1f1b48a5ae1a8d806695cfe9d317fadf547

Download Submit
C:\Users\Admin\AppData\Local\Temp\eIwg.exe

Filesize
200KB

MD5
057d614e220f0502587c81409b9a4b29

SHA1
5950888f4df112df3a84f62d5cf33c1c850dae11

SHA256
3116efe9dd71fd7bca496ab92d34d2bcafb7d50b5beda788f584708bbbd4d84f

SHA512
d348666e273ee85a67ee3e8c548c7163e972799db996ee1c8c602168b02ca2d9c58ae7682a0769a7f8d8ebbbc0af42437a29f910ce1c878d3be7bc92fe2fb7d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ekIU.exe

Filesize
211KB

MD5
912594cf459ef8ec7628ab741d6a79bd

SHA1
a4b40eeb926743f9980120bfc7fe6ba53026e2ef

SHA256
75d0959db0b2b172ac28093c0b12c818a638e67a956a6ef79b1afae2e9794341

SHA512
5b08cbeab0e0e4dcb4ec6767f18199dea5c67b69ed1e600d6736330889b07c8ae558e8ea82c92ee515d7fa0542a3dd688321cc1b352e22de98f60c7a7499fbc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\esIK.exe

Filesize
212KB

MD5
55f459251b8a3be5483e0b84fb05051b

SHA1
774356bc22ba6c64131ade1ca469a8ce58e2a7e0

SHA256
3748a288d12a458ba6cacf8229893257e46a2198b93fdbd4a2fde4e89f45d6e2

SHA512
4bfb9fe72a1974914d4032a2700ea1c4019cedb0715c67ab8d70a1b8ace41b3fd2b792d416752bdf9bb5a62fde07f7232b8a19e757c1e5fb617f1b08554f447e

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gAwi.exe

Filesize
202KB

MD5
9c507f6de92d8bedd2388740378da41c

SHA1
d71a2b04c7f0be569a683d02e206bc9825a6f787

SHA256
e8a57c336be6a889e89b3cd31ba2ddd2f71fc583acf7496d105eb130e2542952

SHA512
5b5590b1fe40b302424ccd65d51024ec65d78a989cbe3f5ca8da53c9c28319ee273252f624b3f03c18e2768b25cd85b585a65eec205dadeaad20eb7ae898b761

Download Submit
C:\Users\Admin\AppData\Local\Temp\gMcS.exe

Filesize
186KB

MD5
120b83b42ea67a3a549d37d7e3ace3ba

SHA1
f57bbb6cc691a4a5804518dd3f87bf45fa764f63

SHA256
e1ab5d7629da0341376182fb2d9a055604852f927bcb29fd016cc56671f9b712

SHA512
c023782ebca6ed1b62082910c97f14dc8b7ef975ad4526624c3d98125604dcc73a8b4e927fbaf26b4d268aa040513122d8e55df41886ee4245f80e957d372662

Download Submit
C:\Users\Admin\AppData\Local\Temp\gMcm.ico

Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\gUoi.exe

Filesize
820KB

MD5
cc3df02fa57796f9cc4f7467e7747efe

SHA1
92babf8e6a853e45b332902abdc208690c8c5f5e

SHA256
66c3189e55d8042fa2a4b7f6ef44c82167841d7c60cd866ecf23ad7b20994e9e

SHA512
c99ecb143e6f08dba75f28d53699a15b34890a8d32d0b782c0a2cd76027ff1bf7b9bce4cf184483571f0ac8c8e38792fbbd1298fb48e1bd8f3fab2658c1393ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\gYUC.exe

Filesize
222KB

MD5
aa629e8a7a5677343bcfb45c0b10810d

SHA1
d301a1b3008f93090756096f290e18f57040baff

SHA256
dc397315bbd75c074ff9e5eb1c535c07781e499677c96d88a0b69ce70e514b7c

SHA512
f49a369be23be91a086a428ccf332dda1647044a1a91d3579a8370dcba184a0f99a0005003a427ced7464b6a357c41bcfdea8eb730d67f09510596da067eda62

Download Submit
C:\Users\Admin\AppData\Local\Temp\gcMe.exe

Filesize
218KB

MD5
d1928a835f90d5b915e66c92de71a84c

SHA1
2a9798d00484062554bc556fdb4d58341ec3d3ed

SHA256
cb407e37aaf7f4f295217b765a7539b0be28736431a75c455c7f73b971f2f55c

SHA512
d919cedac31331d08dcdcaa28791eb940a218423a218c484e5b84866737c6c3e39de631889c07962a18e6e29feaa89537a843daaeae48d3aea67c718e7cfb79e

Download Submit
C:\Users\Admin\AppData\Local\Temp\gsgI.exe

Filesize
192KB

MD5
13eb9416ce1af88be6def22e479dbaa8

SHA1
c3422b4c6e78a17ab54a4ac59596823a1e4cd1b1

SHA256
e6b58463a9965e0af4dd41f77bb51e18c815071846f8d67505e23a5e52525805

SHA512
82b2a2871a787cfb8a1ed3b2cad915c9358eb71cfd56ad2c8428e2682b4ede12c50bc5094466a77b6f17973ed47d8955cf80ef231473f989de570f60ded02de0

Download Submit
C:\Users\Admin\AppData\Local\Temp\iQgO.exe

Filesize
1.7MB

MD5
3874289742e13a29851d25743789f728

SHA1
7e41d2d90b8ec6bd19d414b8a1e9163d4180b7d6

SHA256
216e2f9401a9a447607d4e59636a0e50a2cbd8aedbc931c6feb1a63c5a35724f

SHA512
458ce64ed82af62c358e228c55eeb4aae874ea9d61e2f182f530d8bc4dacd49df499f012af0d7929b79e60b580cdc5cefab05170cf5f6e8e852c2ef211f34908

Download Submit
C:\Users\Admin\AppData\Local\Temp\iUYS.exe

Filesize
814KB

MD5
1a46f8115d8f1fc04b2b9aa60694944a

SHA1
da0478d50a7533fbab0e2d82ccd60d60bd887a18

SHA256
7d75e6434c4a0e29719e07bcaf298659cec4bff2a1221ce1921498b35f1c77fd

SHA512
73755bfcb780b71fa1390df40fa2b28561431d301f434a194750a30b19b6ff4faeb3fecb34354e2547bcd81b1a74fb04d935c4503a518c69aa22f1c804f01745

Download Submit
C:\Users\Admin\AppData\Local\Temp\kEkY.exe

Filesize
193KB

MD5
5de7b9ff72ce4395e43fa318d7ee22dc

SHA1
a9e4e8173a9ad7181fe9c250e3ce4c14cf852a27

SHA256
f95e94e6314243ae8c6f30b6e8c8b1abdcf00a0e8d7ca2b7a4ae13e8444d9c5a

SHA512
285c1f62cb4a009d0a3e3c9cbf798d398e1c6a22cd1cff7491750c8976f010fc874fae0cfce07e9e32473cf757353edb3ced1c608b4164017ce39665bfa8995e

Download Submit
C:\Users\Admin\AppData\Local\Temp\kcgU.exe

Filesize
802KB

MD5
db5ce400e46a7077025a8bbecf82522c

SHA1
d6550856c65cd4483719de4d8dd9cc24291347d2

SHA256
da46e3424316800065f4b0cedb172674f7da9a3c883ac2f862e6ff65df4478ef

SHA512
e4459cbb63b132e1aa98b779e571b07ba570c624b0255a2960ca48836168c378b4ddfa1c8fa59f2a9482ffff57a8e6e637225065f0f04c8b533b22c88b8a58a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\kggu.exe

Filesize
195KB

MD5
b46e4543057dacf98ac4a3d62a3ab2dc

SHA1
86b394646d85f29dc0c35be70673853064a44136

SHA256
0e1bfea395b948326286027d609a4bf81c058f99fd5b836dc65b5b63ed68b5e2

SHA512
86fb4649317253a86420a3e217c23e172f8d0623fd469724606ac8bbe74538376cc34479fa9e43b722f018157b16aff19a04fb1900e5f7966895e236bd9a5ec6

Download Submit
C:\Users\Admin\AppData\Local\Temp\koUa.exe

Filesize
308KB

MD5
68018ed836860e0f614ba187ed0f6a44

SHA1
9138570d23a3806f6e258dc1a316ec9346150dea

SHA256
eca6acb1f933e146c6f99160ad3d0dc2028659e2813c282c582f8114c239c9e2

SHA512
d988b8aeb15dbc3bbb5d75f4edabd8e13972721713abb7eb3936d23faa769530cf36e03d68f141cf02a7f437d1b8976634cce5cc1b90a3ce759dec0b8522cd92

Download Submit
C:\Users\Admin\AppData\Local\Temp\mMAc.exe

Filesize
198KB

MD5
9d97f9c1ffb48881c76b8e62dcca40c4

SHA1
e9a07386b06ab7668bc690ea62ffd76e35902074

SHA256
766e3c980e81b1e62f0c5701165ccd5aefce2ddc88ba8c59958fce593f71c2c7

SHA512
75501930a75033b84822b5ae0903237fe523a7c794934a6843ec869a7ab2724f2e1c545161f4ffc3fcf1dd01a69aa8b5088eb12e4bc41399d471042b941e3395

Download Submit
C:\Users\Admin\AppData\Local\Temp\mUgg.exe

Filesize
192KB

MD5
b5723da237c054334727abe9603b99df

SHA1
124f24afd0e4d7723ba0b24f9c93914e64a81bd7

SHA256
29f72301092d4517d20a374c941c763193427844e8abcc3802b8028f8a4ebd17

SHA512
c45962dafd5658f07fd799959e316cc8464af1c13e83ad5407e28b7a370e93d183ef2a1982dd171f0c8591b6c56a983fd5d988eeddb90fa7882c768e5f60716e

Download Submit
C:\Users\Admin\AppData\Local\Temp\mckG.exe

Filesize
205KB

MD5
b8f89241c28f97168f4872445a8623d4

SHA1
092320a4ce425a21ebff1d6c8f14a489181598c7

SHA256
6b6def742b2cde5d334282c70b261e2eba6786c33aded2458274add0c95a7702

SHA512
93223e7c3d7023bc5125b087c3498ae8dc8bbee8490ee1ed43c2cee1fa5e959a823a1f68eab397f49bb0c3e01378d1f0f5b41484575d6f6b3a0aa276e6f60b31

Download Submit
C:\Users\Admin\AppData\Local\Temp\moMQ.exe

Filesize
199KB

MD5
5e3984aa952785a984857672444a64c8

SHA1
b6eda69162c9cd77efbf77ad092c6232a471d784

SHA256
1fad6d46bd40e097e7774891c02b1e2812c2db451cc75b39beebadc9731184f1

SHA512
a6b9198e436ab068c1f1fe257c26b5d263ea6872889cce166124aeb5729fc9903d2813d7d1a3e8e2d8eb7f10c6f7f039b92f05fd44db21187dd489dff87adfbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\oUck.exe

Filesize
183KB

MD5
adf07ebc6ec9cb17055449fcec473baf

SHA1
08c5cfbc60d844b643699b8a7e43c9f4b5a59df5

SHA256
220d04224af5ed3ee181a431f41ace6a535a6328928389f33957528e2e2f6b08

SHA512
d5b805df755cd6b3825fafebe3751e40ed83bb287464e78b1eec5070d1605b1723e16901274a26aecfa34f7fe12a5c250d1aa2f7a33f299c55fdac98c2ff8d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\qMQc.exe

Filesize
198KB

MD5
17ef9764d2eeea4758713444858b8b27

SHA1
1cdcdd4a6647ac21acaec9848cd9cab19bea6028

SHA256
49735bcfa4999e1c15b9b59af49e65b4862795c60c11993c5444a150a57e8ca8

SHA512
d29c7b473b6dcc59b28a20a9c2d11e0e60ab9e8fa0c786f74906559a67e804f4f9092e566bef0bae713fa6f162e035d235bb4ac3b70a886e2d8b31a94a15f433

Download Submit
C:\Users\Admin\AppData\Local\Temp\qMgG.exe

Filesize
809KB

MD5
85ff0e971ea9ebde9b0ccc186a2804e6

SHA1
088d8633ac4bbf186a576fb4f7c107d4756eed35

SHA256
4bc9895a06648287fb6fe5f035fce62461c0a1fa390d1654fde211bbf1ea4af0

SHA512
3be56d096e8550f129cbd3f821ca828245d66de8d70d890d2ee1364b491d965c58514ef2976754128cc4e5b91fb9cec07a4a2c656df0545d5e51ed8ba3379a15

Download Submit
C:\Users\Admin\AppData\Local\Temp\sIQM.exe

Filesize
424KB

MD5
bdba108abd8eab7317b73a7906567d38

SHA1
4d155eddf3472a5d08949c131f2edae0e2481cc3

SHA256
c7fa9424d5010f051ce2f8505519cefe424a528226eb4621f59048ff89f90c92

SHA512
182e37e921862fbd257339b832c4b4a050c32681dc9a85afffb491fce7100112185a71c9637ba6e8bd34c356c1c0dd87c4c15f952d24444874ea983b0ace7d7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\sMYI.exe

Filesize
191KB

MD5
117ddde25ea82afc6f03d8d82f1c02e0

SHA1
816420f7894de244be0545fc2243c2951f7c2486

SHA256
ee84d9353c39783c39b100ad6d95d8a2810fd39fa53d50d2d26a5970c155b72d

SHA512
f2313e9481bee58bdea3a11f9fa6bf3b435e14553dfeac8f798262329cadac2d5ba83bd45bbc546b0bbd2818eadae652bbef3f2165bf6c00e2f9dd2203d105b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\sUky.exe

Filesize
1.1MB

MD5
5104c0a3365d4f63cc5f2b0c1917662b

SHA1
4107d429e357e89798f80b070ba9056cd522613a

SHA256
f94665579daab080c9f1230e27f6f349e872613060d679e0fa1ac70ffe83a91b

SHA512
8a93288def90f3dc921a24e7ac0bc1bbd28c55db841e20d37129be7be073094db269d68736f26667a8c1fb20c522db39bac9c482b52606d132101ac9c0fc67f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\sYcM.exe

Filesize
208KB

MD5
63c5c0d0591c2a4520b07b08fc3b40d5

SHA1
7fe617085b9947318605b5bb040cbc06052ad8bb

SHA256
59f537d8a574727c1dc8575d69780f3fc09f1863849fe794fb3e4eaacbd6769e

SHA512
f3f2899bf59e7968bd91d292b7c5b0addfdb56e0fa21befb690b5ac503630a94e509e4d4deee566831ce4ceca66577163cda7270d8afde3596d2073473bbe61a

Download Submit
C:\Users\Admin\AppData\Local\Temp\soEM.exe

Filesize
829KB

MD5
f942e76c27ed37067c9507ab99f52388

SHA1
b9aca24dbe37977e3177e3238fbe97e3b7ff1301

SHA256
752914357e22a0d361f265b4c4868689969f47948fb57084917c9dc28badc0b6

SHA512
f5b742e8915ff0a002acf7fd444ff14b4b928366ca94cd4c853c42b24a68271b57e6d5892038d5f762397d1ad16ac0ef607bed3d637d30e8c1dc812d240692a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\uUQW.exe

Filesize
1.3MB

MD5
bf905011252fa9b854abcf93df9edd8f

SHA1
7d3073539d04b00e045c182c3cc9641f8eca8674

SHA256
a8c52e41317d7f3c5afd4349850d4056a8deabe4b928a5b584984c0e87ccbf59

SHA512
2bd39a705c23619533b92e7f5e9690c96b6d46fd5161fa49d7fdc3117c1722dbd1a17d56d67ed32d43d0c3e27ec4913c1bce95e52fc61ca1709177f43aae5118

Download Submit
C:\Users\Admin\AppData\Local\Temp\uYoE.exe

Filesize
193KB

MD5
e24ed370d49ebcde1edc1f7927296a31

SHA1
e213d1ca3ee5db900a95843351559de2bed2f831

SHA256
5aba021c98d4e32ef5b182d8be21cc9d7f3102b173cb399dac9c67bb6f172cda

SHA512
be3e592ece71a5c1820091a70f15a1b8ee51c58d700ce9623daf5002cc8c9d04dd3d4d3fc1bd28fe744f024ae2c5df6391af6e5ac02743fbaf77f5e6bff9643a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ucwu.exe

Filesize
207KB

MD5
a8b8a6feaa5f832df01b0b38183b2c6c

SHA1
c8405683d9431beeafc6d6537c0b1091079dce94

SHA256
3de9e18b5d610f61a34be57973c98eae8448254888f15d18b92cda7d1e1138d4

SHA512
a62dd52f8b15b517caedb93672934af5b590f799f1d48b33bdb0aae1dc4c123c1e63cb2c4cc5e5671950374980a48a89e14fb548874bdf7f1740c9d8f90cd936

Download Submit
C:\Users\Admin\AppData\Local\Temp\uoowcoII.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\wMoM.exe

Filesize
212KB

MD5
5804c46b6deb59561c2c4dcc360db7ac

SHA1
cfea933a6c7080ce8208ca706d190d3348c1fa47

SHA256
920ee5dba01442e7db462feec7debce9d07637fecc289a4dbb590e446b96c168

SHA512
dc479cc263d2757ecb231245cb88d0ccc1dcfdf4584108d1fc9c6387783c9459791a0835adb5b31bfe1a34343cf8ccdb1447e17fccdecea34cc37fb56ba92a8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\wogC.exe

Filesize
191KB

MD5
2c889352587233d609bfa218df2aa896

SHA1
123ce936e1ae6e6e34001c3ac53bebd8a37391d0

SHA256
e8dba49c9f80dd61404bc27c1eb65b7f6b7994582c8d01b51d90df06b15d1ce0

SHA512
3d4b88c40d808d058910ec33496564f25bc17519c80e1c51b4a37d0e057fb05f868df882adda19e62c4328055487c36d85acbc227dd3b937dac82a7ddec68235

Download Submit
C:\Users\Admin\AppData\Local\Temp\yQwu.exe

Filesize
647KB

MD5
adae0b4adbf52b0796922cc8953d3e78

SHA1
1279ec91c809a911bbc935f72337d5a9ea607860

SHA256
6dd39237c09d045abd45bc0d4c156fa127c727580dc212036db3e05212120260

SHA512
58e03e1b6b093d891d3f110a7d90da4493038fe92f882109f9ca4c63c759e5fe92da84e17cd8decff55f52db89317d6f4e42633dbf4bb321f6f7b7c903504c26

Download Submit
C:\Users\Admin\AppData\Local\Temp\yYYG.exe

Filesize
769KB

MD5
df73ab51aa34152a837f276589d1d007

SHA1
d9f604fd821f14535e0026386e975023080c11cb

SHA256
4fd7ea423845b50eee9dea60d0db23a9c44ab5302eb5065a2103df0ab62fb761

SHA512
269c4bb24ae8936c2933b193691a268fa79b4e3c06e6d74cc169c54409c23d67805646699e5e06e63bae5be8206fa220439e6aed5f853b7aa02aa3c2c5f7e066

Download Submit
C:\Users\Admin\ikYockAw\RSMUocUA.exe

Filesize
182KB

MD5
764a704502616cfd173e3a3a7bb2214d

SHA1
2976500dd43c5bb030acdb2e72ad627766c8893c

SHA256
c67a4607a48f8d46779896b54345dd781d2523306a8beff270f6a72aa1a72fc5

SHA512
4b1170121ba4c52d5f50a4a6ef6320e28263372b43ccaa2ad1c3eb206404286caf7860cab700ad1a946b538675f8c3af7c1fcc1f07b871e0248a0615bcdf0201

Download Submit
C:\Users\Admin\ikYockAw\RSMUocUA.inf

Filesize
4B

MD5
a2ba8775f1e1b8ad9187160708348b0a

SHA1
eb0ea1f9f4b75dfd2a2bff7d2e615b3b661ad2c0

SHA256
af5603d869a8fb360efbb32c9950e42e4b7cd437c1b2cfae8df5150092d58656

SHA512
b05ed29dddfa7faac770b64da40dc2e6041fadefd1d1b4e1981c2eeb248d9101a08c8f2796bd8b8cea5995d52331960f3814b77b7cb99e5d74ca99565c831cc3

Download Submit
memory/444-230-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/444-219-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/748-144-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/748-133-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/828-558-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/832-205-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/832-189-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1012-323-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1012-313-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1016-427-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1016-436-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1368-362-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1368-351-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1464-456-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1464-445-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1496-312-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1496-303-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1496-257-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1496-238-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1520-15-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1876-120-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1876-132-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2152-490-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2152-503-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2252-83-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2252-69-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2260-145-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2260-156-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2280-432-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2280-444-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2380-193-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2380-178-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2456-549-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2456-539-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2488-370-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2488-359-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2748-12-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2784-548-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2804-19-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2804-0-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2816-391-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2816-399-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3064-242-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3148-522-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3148-530-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3232-169-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3352-452-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3352-465-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3360-332-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3360-324-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3364-500-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3364-511-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3592-378-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3620-304-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3620-294-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3656-283-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3656-275-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3692-342-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3692-46-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3692-353-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3692-33-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3740-42-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3740-58-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3860-538-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3912-266-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3944-473-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3944-461-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3960-95-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3960-84-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3968-407-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3968-398-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4004-418-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4004-409-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4032-181-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4156-333-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4156-341-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4224-285-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4224-295-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4256-107-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4264-70-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4264-57-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4412-521-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4420-379-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4420-389-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4544-118-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4544-103-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4652-426-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5008-274-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5016-206-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5016-218-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5016-34-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5016-20-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5032-484-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5032-474-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5108-494-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5108-485-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download