0bf443c9da3577fc66ec7783f345c2f20821f20290f113cbd28926512272ba41

Analysis

max time kernel
150s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13-09-2024 17:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024091396152c464108ec733320913981e12c2cvirlock.exe
Size

868KB
MD5

96152c464108ec733320913981e12c2c
SHA1

351c7fb27d47c2970540c22c28447db8194c706c
SHA256

0bf443c9da3577fc66ec7783f345c2f20821f20290f113cbd28926512272ba41
SHA512

893a733fa7a38013651da7271afaeabdd98f9e94bf24ca7caae52f073c581e3b2e3ee00e39ada9fd043e6ad6131776431341ec8900150fad9d77f7f39f300a44
SSDEEP

24576:Lw853ghghXWAYYJd6ftMofj/d1chLyiNYJ5cLmwcygVm7:Mrhghxd6ftMw7dcLyOy5mmOgVm7

Score

10^/10

discovery evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (81) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	DWMgscMs.exe

Executes dropped EXE 2 IoCs

pid	Process
4928	DWMgscMs.exe
1408	egskwEUg.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DWMgscMs.exe = "C:\\Users\\Admin\\HEEgQcEE\\DWMgscMs.exe"	2024091396152c464108ec733320913981e12c2cvirlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\egskwEUg.exe = "C:\\ProgramData\\JaQwYgII\\egskwEUg.exe"	2024091396152c464108ec733320913981e12c2cvirlock.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DWMgscMs.exe = "C:\\Users\\Admin\\HEEgQcEE\\DWMgscMs.exe"	DWMgscMs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\egskwEUg.exe = "C:\\ProgramData\\JaQwYgII\\egskwEUg.exe"	egskwEUg.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\shell32.dll.exe	DWMgscMs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024091396152c464108ec733320913981e12c2cvirlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024091396152c464108ec733320913981e12c2cvirlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024091396152c464108ec733320913981e12c2cvirlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024091396152c464108ec733320913981e12c2cvirlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024091396152c464108ec733320913981e12c2cvirlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024091396152c464108ec733320913981e12c2cvirlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024091396152c464108ec733320913981e12c2cvirlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024091396152c464108ec733320913981e12c2cvirlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024091396152c464108ec733320913981e12c2cvirlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024091396152c464108ec733320913981e12c2cvirlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
2692	reg.exe
3472	reg.exe
1084	reg.exe
4200	reg.exe
4732	reg.exe
2264	reg.exe
1412	reg.exe
2944	reg.exe
2076	reg.exe
3972	reg.exe
3600	reg.exe
3888	reg.exe
4552	reg.exe
4504	reg.exe
3848	reg.exe
4912	reg.exe
1236	reg.exe
2880	reg.exe
896	reg.exe
4300	reg.exe
5004	reg.exe
4956	reg.exe
4960	reg.exe
1636	reg.exe
1052	reg.exe
680	reg.exe
1724	reg.exe
3472	reg.exe
1560	reg.exe
1968	reg.exe
4276	reg.exe
2148	reg.exe
3600	reg.exe
3148	reg.exe
3840	reg.exe
4428	reg.exe
1824	reg.exe
336	reg.exe
1672	reg.exe
3524	reg.exe
2464	reg.exe
64	reg.exe
4588	reg.exe
3444	reg.exe
5004	reg.exe
2624	reg.exe
3964	reg.exe
2596	reg.exe
2728	reg.exe
1532	reg.exe
4540	reg.exe
2664	reg.exe
3888	reg.exe
2936	reg.exe
2748	reg.exe
4588	reg.exe
4412	reg.exe
4812	reg.exe
1448	reg.exe
4156	reg.exe
4708	reg.exe
4780	reg.exe
1192	reg.exe
3964	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2392	2024091396152c464108ec733320913981e12c2cvirlock.exe
2392	2024091396152c464108ec733320913981e12c2cvirlock.exe
2392	2024091396152c464108ec733320913981e12c2cvirlock.exe
2392	2024091396152c464108ec733320913981e12c2cvirlock.exe
2624	2024091396152c464108ec733320913981e12c2cvirlock.exe
2624	2024091396152c464108ec733320913981e12c2cvirlock.exe
2624	2024091396152c464108ec733320913981e12c2cvirlock.exe
2624	2024091396152c464108ec733320913981e12c2cvirlock.exe
4508	2024091396152c464108ec733320913981e12c2cvirlock.exe
4508	2024091396152c464108ec733320913981e12c2cvirlock.exe
4508	2024091396152c464108ec733320913981e12c2cvirlock.exe
4508	2024091396152c464108ec733320913981e12c2cvirlock.exe
2480	2024091396152c464108ec733320913981e12c2cvirlock.exe
2480	2024091396152c464108ec733320913981e12c2cvirlock.exe
2480	2024091396152c464108ec733320913981e12c2cvirlock.exe
2480	2024091396152c464108ec733320913981e12c2cvirlock.exe
2832	2024091396152c464108ec733320913981e12c2cvirlock.exe
2832	2024091396152c464108ec733320913981e12c2cvirlock.exe
2832	2024091396152c464108ec733320913981e12c2cvirlock.exe
2832	2024091396152c464108ec733320913981e12c2cvirlock.exe
5096	2024091396152c464108ec733320913981e12c2cvirlock.exe
5096	2024091396152c464108ec733320913981e12c2cvirlock.exe
5096	2024091396152c464108ec733320913981e12c2cvirlock.exe
5096	2024091396152c464108ec733320913981e12c2cvirlock.exe
3032	2024091396152c464108ec733320913981e12c2cvirlock.exe
3032	2024091396152c464108ec733320913981e12c2cvirlock.exe
3032	2024091396152c464108ec733320913981e12c2cvirlock.exe
3032	2024091396152c464108ec733320913981e12c2cvirlock.exe
800	2024091396152c464108ec733320913981e12c2cvirlock.exe
800	2024091396152c464108ec733320913981e12c2cvirlock.exe
800	2024091396152c464108ec733320913981e12c2cvirlock.exe
800	2024091396152c464108ec733320913981e12c2cvirlock.exe
3936	2024091396152c464108ec733320913981e12c2cvirlock.exe
3936	2024091396152c464108ec733320913981e12c2cvirlock.exe
3936	2024091396152c464108ec733320913981e12c2cvirlock.exe
3936	2024091396152c464108ec733320913981e12c2cvirlock.exe
4936	2024091396152c464108ec733320913981e12c2cvirlock.exe
4936	2024091396152c464108ec733320913981e12c2cvirlock.exe
4936	2024091396152c464108ec733320913981e12c2cvirlock.exe
4936	2024091396152c464108ec733320913981e12c2cvirlock.exe
2936	2024091396152c464108ec733320913981e12c2cvirlock.exe
2936	2024091396152c464108ec733320913981e12c2cvirlock.exe
2936	2024091396152c464108ec733320913981e12c2cvirlock.exe
2936	2024091396152c464108ec733320913981e12c2cvirlock.exe
2968	2024091396152c464108ec733320913981e12c2cvirlock.exe
2968	2024091396152c464108ec733320913981e12c2cvirlock.exe
2968	2024091396152c464108ec733320913981e12c2cvirlock.exe
2968	2024091396152c464108ec733320913981e12c2cvirlock.exe
4276	2024091396152c464108ec733320913981e12c2cvirlock.exe
4276	2024091396152c464108ec733320913981e12c2cvirlock.exe
4276	2024091396152c464108ec733320913981e12c2cvirlock.exe
4276	2024091396152c464108ec733320913981e12c2cvirlock.exe
4904	2024091396152c464108ec733320913981e12c2cvirlock.exe
4904	2024091396152c464108ec733320913981e12c2cvirlock.exe
4904	2024091396152c464108ec733320913981e12c2cvirlock.exe
4904	2024091396152c464108ec733320913981e12c2cvirlock.exe
544	2024091396152c464108ec733320913981e12c2cvirlock.exe
544	2024091396152c464108ec733320913981e12c2cvirlock.exe
544	2024091396152c464108ec733320913981e12c2cvirlock.exe
544	2024091396152c464108ec733320913981e12c2cvirlock.exe
64	2024091396152c464108ec733320913981e12c2cvirlock.exe
64	2024091396152c464108ec733320913981e12c2cvirlock.exe
64	2024091396152c464108ec733320913981e12c2cvirlock.exe
64	2024091396152c464108ec733320913981e12c2cvirlock.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4928	DWMgscMs.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4928	DWMgscMs.exe
4928	DWMgscMs.exe
4928	DWMgscMs.exe
4928	DWMgscMs.exe
4928	DWMgscMs.exe
4928	DWMgscMs.exe
4928	DWMgscMs.exe
4928	DWMgscMs.exe
4928	DWMgscMs.exe
4928	DWMgscMs.exe
4928	DWMgscMs.exe
4928	DWMgscMs.exe
4928	DWMgscMs.exe
4928	DWMgscMs.exe
4928	DWMgscMs.exe
4928	DWMgscMs.exe
4928	DWMgscMs.exe
4928	DWMgscMs.exe
4928	DWMgscMs.exe
4928	DWMgscMs.exe
4928	DWMgscMs.exe
4928	DWMgscMs.exe
4928	DWMgscMs.exe
4928	DWMgscMs.exe
4928	DWMgscMs.exe
4928	DWMgscMs.exe
4928	DWMgscMs.exe
4928	DWMgscMs.exe
4928	DWMgscMs.exe
4928	DWMgscMs.exe
4928	DWMgscMs.exe
4928	DWMgscMs.exe
4928	DWMgscMs.exe
4928	DWMgscMs.exe
4928	DWMgscMs.exe
4928	DWMgscMs.exe
4928	DWMgscMs.exe
4928	DWMgscMs.exe
4928	DWMgscMs.exe
4928	DWMgscMs.exe
4928	DWMgscMs.exe
4928	DWMgscMs.exe
4928	DWMgscMs.exe
4928	DWMgscMs.exe
4928	DWMgscMs.exe
4928	DWMgscMs.exe
4928	DWMgscMs.exe
4928	DWMgscMs.exe
4928	DWMgscMs.exe
4928	DWMgscMs.exe
4928	DWMgscMs.exe
4928	DWMgscMs.exe
4928	DWMgscMs.exe
4928	DWMgscMs.exe
4928	DWMgscMs.exe
4928	DWMgscMs.exe
4928	DWMgscMs.exe
4928	DWMgscMs.exe
4928	DWMgscMs.exe
4928	DWMgscMs.exe
4928	DWMgscMs.exe
4928	DWMgscMs.exe
4928	DWMgscMs.exe
4928	DWMgscMs.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2392 wrote to memory of 4928	2392	2024091396152c464108ec733320913981e12c2cvirlock.exe	85
PID 2392 wrote to memory of 4928	2392	2024091396152c464108ec733320913981e12c2cvirlock.exe	85
PID 2392 wrote to memory of 4928	2392	2024091396152c464108ec733320913981e12c2cvirlock.exe	85
PID 2392 wrote to memory of 1408	2392	2024091396152c464108ec733320913981e12c2cvirlock.exe	86
PID 2392 wrote to memory of 1408	2392	2024091396152c464108ec733320913981e12c2cvirlock.exe	86
PID 2392 wrote to memory of 1408	2392	2024091396152c464108ec733320913981e12c2cvirlock.exe	86
PID 2392 wrote to memory of 1412	2392	2024091396152c464108ec733320913981e12c2cvirlock.exe	87
PID 2392 wrote to memory of 1412	2392	2024091396152c464108ec733320913981e12c2cvirlock.exe	87
PID 2392 wrote to memory of 1412	2392	2024091396152c464108ec733320913981e12c2cvirlock.exe	87
PID 1412 wrote to memory of 2624	1412	cmd.exe	89
PID 1412 wrote to memory of 2624	1412	cmd.exe	89
PID 1412 wrote to memory of 2624	1412	cmd.exe	89
PID 2392 wrote to memory of 3888	2392	2024091396152c464108ec733320913981e12c2cvirlock.exe	90
PID 2392 wrote to memory of 3888	2392	2024091396152c464108ec733320913981e12c2cvirlock.exe	90
PID 2392 wrote to memory of 3888	2392	2024091396152c464108ec733320913981e12c2cvirlock.exe	90
PID 2392 wrote to memory of 4552	2392	2024091396152c464108ec733320913981e12c2cvirlock.exe	91
PID 2392 wrote to memory of 4552	2392	2024091396152c464108ec733320913981e12c2cvirlock.exe	91
PID 2392 wrote to memory of 4552	2392	2024091396152c464108ec733320913981e12c2cvirlock.exe	91
PID 2392 wrote to memory of 2276	2392	2024091396152c464108ec733320913981e12c2cvirlock.exe	92
PID 2392 wrote to memory of 2276	2392	2024091396152c464108ec733320913981e12c2cvirlock.exe	92
PID 2392 wrote to memory of 2276	2392	2024091396152c464108ec733320913981e12c2cvirlock.exe	92
PID 2392 wrote to memory of 5060	2392	2024091396152c464108ec733320913981e12c2cvirlock.exe	93
PID 2392 wrote to memory of 5060	2392	2024091396152c464108ec733320913981e12c2cvirlock.exe	93
PID 2392 wrote to memory of 5060	2392	2024091396152c464108ec733320913981e12c2cvirlock.exe	93
PID 5060 wrote to memory of 1652	5060	cmd.exe	98
PID 5060 wrote to memory of 1652	5060	cmd.exe	98
PID 5060 wrote to memory of 1652	5060	cmd.exe	98
PID 2624 wrote to memory of 700	2624	2024091396152c464108ec733320913981e12c2cvirlock.exe	99
PID 2624 wrote to memory of 700	2624	2024091396152c464108ec733320913981e12c2cvirlock.exe	99
PID 2624 wrote to memory of 700	2624	2024091396152c464108ec733320913981e12c2cvirlock.exe	99
PID 700 wrote to memory of 4508	700	cmd.exe	101
PID 700 wrote to memory of 4508	700	cmd.exe	101
PID 700 wrote to memory of 4508	700	cmd.exe	101
PID 2624 wrote to memory of 4732	2624	2024091396152c464108ec733320913981e12c2cvirlock.exe	102
PID 2624 wrote to memory of 4732	2624	2024091396152c464108ec733320913981e12c2cvirlock.exe	102
PID 2624 wrote to memory of 4732	2624	2024091396152c464108ec733320913981e12c2cvirlock.exe	102
PID 2624 wrote to memory of 2944	2624	2024091396152c464108ec733320913981e12c2cvirlock.exe	103
PID 2624 wrote to memory of 2944	2624	2024091396152c464108ec733320913981e12c2cvirlock.exe	103
PID 2624 wrote to memory of 2944	2624	2024091396152c464108ec733320913981e12c2cvirlock.exe	103
PID 2624 wrote to memory of 1464	2624	2024091396152c464108ec733320913981e12c2cvirlock.exe	104
PID 2624 wrote to memory of 1464	2624	2024091396152c464108ec733320913981e12c2cvirlock.exe	104
PID 2624 wrote to memory of 1464	2624	2024091396152c464108ec733320913981e12c2cvirlock.exe	104
PID 2624 wrote to memory of 4960	2624	2024091396152c464108ec733320913981e12c2cvirlock.exe	105
PID 2624 wrote to memory of 4960	2624	2024091396152c464108ec733320913981e12c2cvirlock.exe	105
PID 2624 wrote to memory of 4960	2624	2024091396152c464108ec733320913981e12c2cvirlock.exe	105
PID 4960 wrote to memory of 1052	4960	cmd.exe	110
PID 4960 wrote to memory of 1052	4960	cmd.exe	110
PID 4960 wrote to memory of 1052	4960	cmd.exe	110
PID 4508 wrote to memory of 4164	4508	2024091396152c464108ec733320913981e12c2cvirlock.exe	111
PID 4508 wrote to memory of 4164	4508	2024091396152c464108ec733320913981e12c2cvirlock.exe	111
PID 4508 wrote to memory of 4164	4508	2024091396152c464108ec733320913981e12c2cvirlock.exe	111
PID 4164 wrote to memory of 2480	4164	cmd.exe	113
PID 4164 wrote to memory of 2480	4164	cmd.exe	113
PID 4164 wrote to memory of 2480	4164	cmd.exe	113
PID 4508 wrote to memory of 3320	4508	2024091396152c464108ec733320913981e12c2cvirlock.exe	114
PID 4508 wrote to memory of 3320	4508	2024091396152c464108ec733320913981e12c2cvirlock.exe	114
PID 4508 wrote to memory of 3320	4508	2024091396152c464108ec733320913981e12c2cvirlock.exe	114
PID 4508 wrote to memory of 3936	4508	2024091396152c464108ec733320913981e12c2cvirlock.exe	115
PID 4508 wrote to memory of 3936	4508	2024091396152c464108ec733320913981e12c2cvirlock.exe	115
PID 4508 wrote to memory of 3936	4508	2024091396152c464108ec733320913981e12c2cvirlock.exe	115
PID 4508 wrote to memory of 1180	4508	2024091396152c464108ec733320913981e12c2cvirlock.exe	116
PID 4508 wrote to memory of 1180	4508	2024091396152c464108ec733320913981e12c2cvirlock.exe	116
PID 4508 wrote to memory of 1180	4508	2024091396152c464108ec733320913981e12c2cvirlock.exe	116
PID 4508 wrote to memory of 1788	4508	2024091396152c464108ec733320913981e12c2cvirlock.exe	117

C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2392
- C:\Users\Admin\HEEgQcEE\DWMgscMs.exe
  "C:\Users\Admin\HEEgQcEE\DWMgscMs.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:4928
- C:\ProgramData\JaQwYgII\egskwEUg.exe
  "C:\ProgramData\JaQwYgII\egskwEUg.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1408
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1412
- - C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe
    C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2624
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:700
    - - C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4508
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4164
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock"
        8⤵
        
        PID:2472
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock"
        10⤵
        
        PID:5004
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock"
        12⤵
        
        PID:2728
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock"
        14⤵
        
        PID:4984
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock"
        16⤵
        
        PID:3956
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock
        17⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock"
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:336
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock"
        20⤵
        
        PID:4500
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock"
        22⤵
        
        PID:1088
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock"
        24⤵
        
        PID:2032
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock"
        26⤵
        
        PID:2752
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock"
        28⤵
        
        PID:512
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock"
        30⤵
        
        PID:4164
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:64
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock"
        32⤵
        
        PID:1412
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock
        33⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock"
        34⤵
        
        PID:3568
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock
        35⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock"
        36⤵
        
        PID:1552
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock
        37⤵
        
        PID:4772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock"
        38⤵
        System Location Discovery: System Language Discovery
        
        PID:4080
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock
        39⤵
        
        PID:856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock"
        40⤵
        
        PID:4296
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock
        41⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock"
        42⤵
        
        PID:4144
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock
        43⤵
        
        PID:896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock"
        44⤵
        
        PID:2596
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock
        45⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock"
        46⤵
        
        PID:4472
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock
        47⤵
        
        PID:3248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock"
        48⤵
        
        PID:1504
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock
        49⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock"
        50⤵
        
        PID:4532
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock
        51⤵
        System Location Discovery: System Language Discovery
        
        PID:1752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock"
        52⤵
        
        PID:1464
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock
        53⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock"
        54⤵
        
        PID:3500
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock
        55⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock"
        56⤵
        
        PID:2428
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock
        57⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock"
        58⤵
        
        PID:1448
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock
        59⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock"
        60⤵
        
        PID:1056
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock
        61⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock"
        62⤵
        
        PID:3596
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock
        63⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock"
        64⤵
        
        PID:3920
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock
        65⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock"
        66⤵
        
        PID:4168
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock
        67⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock"
        68⤵
        
        PID:1204
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock
        69⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock"
        70⤵
        
        PID:1128
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock
        71⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock"
        72⤵
        
        PID:436
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock
        73⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock"
        74⤵
        
        PID:2148
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock
        75⤵
        
        PID:948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock"
        76⤵
        
        PID:1288
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock
        77⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock"
        78⤵
        
        PID:2624
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock
        79⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock"
        80⤵
        
        PID:184
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock
        81⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock"
        82⤵
        System Location Discovery: System Language Discovery
        
        PID:3440
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock
        83⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock"
        84⤵
        
        PID:856
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock
        85⤵
        
        PID:512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock"
        86⤵
        
        PID:2928
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock
        87⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock"
        88⤵
        
        PID:3444
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock
        89⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock"
        90⤵
        
        PID:3756
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock
        91⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock"
        92⤵
        
        PID:644
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock
        93⤵
        
        PID:1392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock"
        94⤵
        
        PID:3652
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        95⤵
        
        PID:3928
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock
        95⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock"
        96⤵
        
        PID:5004
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock
        97⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock"
        98⤵
        
        PID:4156
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock
        99⤵
        
        PID:3148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock"
        100⤵
        
        PID:4664
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock
        101⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock"
        102⤵
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock
        103⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock"
        104⤵
        
        PID:592
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock
        105⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock"
        106⤵
        
        PID:2336
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock
        107⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock"
        108⤵
        
        PID:4772
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock
        109⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock"
        110⤵
        
        PID:1288
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock
        111⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock"
        112⤵
        
        PID:700
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock
        113⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock"
        114⤵
        
        PID:3360
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock
        115⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock"
        116⤵
        
        PID:2920
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock
        117⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock"
        118⤵
        
        PID:3788
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock
        119⤵
        System Location Discovery: System Language Discovery
        
        PID:4440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock"
        120⤵
        
        PID:1052
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock
        121⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock"
        122⤵
        
        PID:680
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock
        123⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock"
        124⤵
        
        PID:2716
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock
        125⤵
        
        PID:4204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock"
        126⤵
        
        PID:1932
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock
        127⤵
        
        PID:228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock"
        128⤵
        
        PID:2336
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock
        129⤵
        
        PID:700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock"
        130⤵
        
        PID:1308
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock
        131⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock"
        132⤵
        
        PID:2932
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock
        133⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock"
        134⤵
        
        PID:4760
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock
        135⤵
        
        PID:680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock"
        136⤵
        
        PID:3992
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock
        137⤵
        
        PID:3800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock"
        138⤵
        
        PID:5096
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock
        139⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock"
        140⤵
        
        PID:824
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock
        141⤵
        
        PID:3248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock"
        142⤵
        
        PID:1672
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock
        143⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock"
        144⤵
        
        PID:4532
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock
        145⤵
        System Location Discovery: System Language Discovery
        
        PID:1412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock"
        146⤵
        
        PID:4884
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock
        147⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock"
        148⤵
        
        PID:3576
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock
        149⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock"
        150⤵
        
        PID:3360
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        151⤵
        
        PID:4500
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock
        151⤵
        System Location Discovery: System Language Discovery
        
        PID:1016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock"
        152⤵
        
        PID:3788
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock
        153⤵
        
        PID:3800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock"
        154⤵
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock
        155⤵
        System Location Discovery: System Language Discovery
        
        PID:4832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock"
        156⤵
        
        PID:228
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        157⤵
        
        PID:1128
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock
        157⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock"
        158⤵
        
        PID:856
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock
        159⤵
        
        PID:4192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock"
        160⤵
        System Location Discovery: System Language Discovery
        
        PID:4644
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        161⤵
        
        PID:1192
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock
        161⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock"
        162⤵
        
        PID:3376
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock
        163⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock"
        164⤵
        
        PID:228
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock
        165⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock"
        166⤵
        System Location Discovery: System Language Discovery
        
        PID:412
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock
        167⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock"
        168⤵
        
        PID:736
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        169⤵
        
        PID:1836
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock
        169⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock"
        170⤵
        
        PID:2944
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        171⤵
        
        PID:2296
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock
        171⤵
        System Location Discovery: System Language Discovery
        
        PID:3440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock"
        172⤵
        
        PID:1672
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock
        173⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock"
        174⤵
        
        PID:3024
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock
        175⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock"
        176⤵
        
        PID:3508
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock
        177⤵
        
        PID:3568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock"
        178⤵
        System Location Discovery: System Language Discovery
        
        PID:1448
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        179⤵
        
        PID:3652
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock
        179⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock"
        180⤵
        
        PID:2052
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        181⤵
        
        PID:1436
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock
        181⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock"
        182⤵
        
        PID:1968
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock
        183⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock"
        184⤵
        
        PID:4664
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock
        185⤵
        
        PID:452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock"
        186⤵
        
        PID:4644
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock
        187⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock"
        188⤵
        
        PID:4260
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock
        189⤵
        
        PID:4164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock"
        190⤵
        System Location Discovery: System Language Discovery
        
        PID:1368
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock
        191⤵
        
        PID:348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock"
        192⤵
        
        PID:2116
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        193⤵
        
        PID:3972
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock
        193⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock"
        194⤵
        
        PID:1496
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        195⤵
        
        PID:2584
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock
        195⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock"
        196⤵
        
        PID:3444
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock
        197⤵
        
        PID:4800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock"
        198⤵
        
        PID:3788
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock
        199⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        200⤵
        Modifies visibility of file extensions in Explorer
        
        PID:428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        200⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        200⤵
        UAC bypass
        
        PID:2752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        198⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        198⤵
        Modifies registry key
        
        PID:1672
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        199⤵
        
        PID:3376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        198⤵
        
        PID:2300
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        199⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VQIwcIcY.bat" "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe""
        198⤵
        
        PID:948
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        199⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        199⤵
        
        PID:964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        196⤵
        Modifies visibility of file extensions in Explorer
        
        PID:512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        196⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        196⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dwcYoIEg.bat" "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe""
        196⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        197⤵
        
        PID:1308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        194⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:680
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        195⤵
        
        PID:3568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        194⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        194⤵
        UAC bypass
        
        PID:2392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OYwQAAws.bat" "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe""
        194⤵
        
        PID:320
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        195⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        195⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        192⤵
        
        PID:2480
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        193⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        192⤵
        
        PID:4632
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        193⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        192⤵
        Modifies registry key
        
        PID:1052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MSMMsIQw.bat" "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe""
        192⤵
        
        PID:700
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        193⤵
        
        PID:412
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        193⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        190⤵
        
        PID:4240
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        191⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        190⤵
        Modifies registry key
        
        PID:1532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        190⤵
        UAC bypass
        
        PID:1392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qwAQQsAA.bat" "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe""
        190⤵
        
        PID:2148
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        191⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        191⤵
        
        PID:804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        188⤵
        System Location Discovery: System Language Discovery
        
        PID:3756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        188⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        188⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:2512
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        189⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pGUIIAUs.bat" "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe""
        188⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        189⤵
        
        PID:3840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        186⤵
        
        PID:736
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        187⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        186⤵
        
        PID:3568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        186⤵
        UAC bypass
        
        PID:2624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bSYQQIIQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe""
        186⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        187⤵
        System Location Discovery: System Language Discovery
        
        PID:2064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        184⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        184⤵
        System Location Discovery: System Language Discovery
        
        PID:2832
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        185⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        184⤵
        UAC bypass
        
        PID:412
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        185⤵
        
        PID:4252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lMsEoUgU.bat" "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe""
        184⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        185⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        182⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        182⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        182⤵
        UAC bypass
        Modifies registry key
        
        PID:3600
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        183⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hUkQUMQM.bat" "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe""
        182⤵
        System Location Discovery: System Language Discovery
        
        PID:5004
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        183⤵
        
        PID:3576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        180⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        180⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        180⤵
        UAC bypass
        
        PID:3060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SqUIAgAM.bat" "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe""
        180⤵
        
        PID:3900
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        181⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        178⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        178⤵
        System Location Discovery: System Language Discovery
        
        PID:2064
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        179⤵
        
        PID:1060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        178⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aoUUkcsQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe""
        178⤵
        
        PID:3784
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        179⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        176⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        176⤵
        System Location Discovery: System Language Discovery
        
        PID:4300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        176⤵
        UAC bypass
        Modifies registry key
        
        PID:2880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WQoMocMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe""
        176⤵
        
        PID:4804
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        177⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        177⤵
        
        PID:640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        174⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        174⤵
        Modifies registry key
        
        PID:4588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        174⤵
        UAC bypass
        
        PID:2728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pUsUAQII.bat" "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe""
        174⤵
        
        PID:964
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        175⤵
        
        PID:1288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        172⤵
        
        PID:4164
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        173⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        172⤵
        
        PID:744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        172⤵
        UAC bypass
        Modifies registry key
        
        PID:2748
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        173⤵
        
        PID:800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DkMYwkUA.bat" "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe""
        172⤵
        System Location Discovery: System Language Discovery
        
        PID:1600
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        173⤵
        
        PID:3840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        170⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        170⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        170⤵
        UAC bypass
        
        PID:2864
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        171⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TmsYkIUc.bat" "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe""
        170⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        171⤵
        
        PID:4172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        168⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4780
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        169⤵
        
        PID:4144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        168⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        168⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SUUQwwAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe""
        168⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        169⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        166⤵
        
        PID:5096
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        167⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        166⤵
        
        PID:4664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        166⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WWEEwcwo.bat" "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe""
        166⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        167⤵
        
        PID:3248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        164⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        164⤵
        
        PID:1436
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        165⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        164⤵
        UAC bypass
        
        PID:1600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QQAYAggA.bat" "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe""
        164⤵
        
        PID:4632
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        165⤵
        
        PID:3800
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        165⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        162⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:336
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        163⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        162⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        162⤵
        Modifies registry key
        
        PID:2944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\liIAIoEY.bat" "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe""
        162⤵
        
        PID:1060
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        163⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        160⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        160⤵
        
        PID:3152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        160⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jEAUwsYY.bat" "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe""
        160⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        161⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        158⤵
        Modifies registry key
        
        PID:1236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        158⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        158⤵
        
        PID:1552
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        159⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pmggYkUA.bat" "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe""
        158⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        159⤵
        
        PID:1308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        156⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        156⤵
        
        PID:320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        156⤵
        UAC bypass
        
        PID:4388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UAsUsgIU.bat" "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe""
        156⤵
        
        PID:2296
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        157⤵
        
        PID:64
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        157⤵
        System Location Discovery: System Language Discovery
        
        PID:4956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        154⤵
        
        PID:3480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        154⤵
        Modifies registry key
        
        PID:3600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        154⤵
        Modifies registry key
        
        PID:3972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uGcwokMA.bat" "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe""
        154⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        155⤵
        
        PID:3716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        152⤵
        
        PID:3432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        152⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        152⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:3652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wiQoEcEU.bat" "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe""
        152⤵
        
        PID:412
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        153⤵
        
        PID:964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        150⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:2316
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        151⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        150⤵
        Modifies registry key
        
        PID:1824
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        151⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        150⤵
        UAC bypass
        
        PID:800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sQUYQoog.bat" "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe""
        150⤵
        
        PID:1628
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        151⤵
        
        PID:3784
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        151⤵
        
        PID:4252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        148⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        148⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        148⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dQcIokQU.bat" "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe""
        148⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        149⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        146⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        146⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        146⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NuosUIMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe""
        146⤵
        
        PID:856
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        147⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        147⤵
        System Location Discovery: System Language Discovery
        
        PID:1404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        144⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1192
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        145⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        144⤵
        
        PID:4500
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        145⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        144⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vOoIkIAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe""
        144⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        145⤵
        
        PID:4252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        142⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        142⤵
        
        PID:4144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        142⤵
        UAC bypass
        
        PID:3472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xUQYQIIs.bat" "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe""
        142⤵
        System Location Discovery: System Language Discovery
        
        PID:4716
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        143⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        140⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        140⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        140⤵
        
        PID:3560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mQEIYkoo.bat" "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe""
        140⤵
        
        PID:740
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        141⤵
        
        PID:3736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        138⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        138⤵
        
        PID:4172
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        139⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        138⤵
        
        PID:212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CkUUYQcc.bat" "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe""
        138⤵
        
        PID:3756
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        139⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        136⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        136⤵
        
        PID:3784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        136⤵
        UAC bypass
        
        PID:1752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oikkEUEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe""
        136⤵
        
        PID:1004
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        137⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        137⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        134⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        134⤵
        System Location Discovery: System Language Discovery
        
        PID:1836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        134⤵
        UAC bypass
        Modifies registry key
        
        PID:4300
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        135⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xiccEEYw.bat" "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe""
        134⤵
        
        PID:2640
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        135⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        135⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        132⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1052
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        133⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        132⤵
        
        PID:4272
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        133⤵
        
        PID:4112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        132⤵
        UAC bypass
        
        PID:1128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vyksQgog.bat" "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe""
        132⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        133⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:4772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HOUsUAYI.bat" "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe""
        130⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        131⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        
        PID:3736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        UAC bypass
        
        PID:4884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RwYUMwwM.bat" "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe""
        128⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        129⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        
        PID:1088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        Modifies registry key
        
        PID:2148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        UAC bypass
        
        PID:2036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aEwUkoYg.bat" "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe""
        126⤵
        System Location Discovery: System Language Discovery
        
        PID:3360
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        Modifies visibility of file extensions in Explorer
        
        PID:64
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        
        PID:1308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        
        PID:4860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CUsgEkAg.bat" "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe""
        124⤵
        
        PID:3324
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        
        PID:4240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        UAC bypass
        
        PID:4112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EKUkQoko.bat" "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe""
        122⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        
        PID:964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        UAC bypass
        
        PID:2036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qKcgIgwc.bat" "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe""
        120⤵
        
        PID:1180
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        121⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:3828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        UAC bypass
        
        PID:1796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RsYgEkkY.bat" "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe""
        118⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        System Location Discovery: System Language Discovery
        
        PID:3040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        UAC bypass
        Modifies registry key
        
        PID:3444
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        117⤵
        
        PID:592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JOwgsckk.bat" "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe""
        116⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        
        PID:896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lcMQgsUM.bat" "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe""
        114⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4428
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        113⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        UAC bypass
        
        PID:1752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kyAUUEcA.bat" "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe""
        112⤵
        
        PID:4156
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        Modifies registry key
        
        PID:2936
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        111⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        System Location Discovery: System Language Discovery
        
        PID:4144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        UAC bypass
        Modifies registry key
        
        PID:2596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mmoEMwgA.bat" "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe""
        110⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        System Location Discovery: System Language Discovery
        
        PID:4312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        Modifies registry key
        
        PID:4912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        UAC bypass
        
        PID:540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\akksIYYs.bat" "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe""
        108⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        Modifies registry key
        
        PID:1636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:1056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mCswcUoo.bat" "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe""
        106⤵
        System Location Discovery: System Language Discovery
        
        PID:804
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        System Location Discovery: System Language Discovery
        
        PID:1656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        UAC bypass
        
        PID:2884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wesUYAIg.bat" "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe""
        104⤵
        
        PID:3368
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:1088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        
        PID:644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        UAC bypass
        
        PID:3472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tOMUMAcc.bat" "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe""
        102⤵
        
        PID:3888
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        
        PID:4164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RgcEEQkU.bat" "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe""
        100⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:4200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jysMswcI.bat" "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe""
        98⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        
        PID:428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        UAC bypass
        
        PID:2928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rSggccco.bat" "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe""
        96⤵
        
        PID:432
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        Modifies registry key
        
        PID:2264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        UAC bypass
        
        PID:4388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KqEUEEYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe""
        94⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        UAC bypass
        
        PID:1380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SacQkcwo.bat" "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe""
        92⤵
        
        PID:740
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:4800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        
        PID:3784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GWUwIkIc.bat" "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe""
        90⤵
        
        PID:184
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        Modifies visibility of file extensions in Explorer
        
        PID:212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        Modifies registry key
        
        PID:4780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        UAC bypass
        
        PID:4896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rQEEcUcA.bat" "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe""
        88⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        System Location Discovery: System Language Discovery
        
        PID:4912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:2428
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        87⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        UAC bypass
        
        PID:4384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XWEoQgkw.bat" "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe""
        86⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        Modifies registry key
        
        PID:4588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        UAC bypass
        
        PID:5064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RsgEQYII.bat" "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe""
        84⤵
        System Location Discovery: System Language Discovery
        
        PID:3928
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        UAC bypass
        
        PID:3576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lWIkMQoc.bat" "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe""
        82⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:4504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        
        PID:3368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GOAgIMkc.bat" "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe""
        80⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:3196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        
        PID:5004
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        79⤵
        
        PID:3328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QIMcUUgE.bat" "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe""
        78⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        UAC bypass
        Modifies registry key
        
        PID:3840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GsYssIwc.bat" "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe""
        76⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:4164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        UAC bypass
        
        PID:2832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TKosAEAg.bat" "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe""
        74⤵
        System Location Discovery: System Language Discovery
        
        PID:4588
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        System Location Discovery: System Language Discovery
        
        PID:3756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        UAC bypass
        
        PID:1628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZskwkkwU.bat" "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe""
        72⤵
        
        PID:4156
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        
        PID:3328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        UAC bypass
        
        PID:2296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZyoocAUw.bat" "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe""
        70⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:4252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        Modifies visibility of file extensions in Explorer
        
        PID:740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        Modifies registry key
        
        PID:1084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        
        PID:432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NmEoQMYI.bat" "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe""
        68⤵
        System Location Discovery: System Language Discovery
        
        PID:1392
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        Modifies registry key
        
        PID:3848
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        67⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        UAC bypass
        
        PID:5008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cOEAYIks.bat" "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe""
        66⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:3420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:4708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        System Location Discovery: System Language Discovery
        
        PID:2880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EWwcYcAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe""
        64⤵
        
        PID:456
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        UAC bypass
        
        PID:2032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kyMoscck.bat" "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe""
        62⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:3196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        System Location Discovery: System Language Discovery
        
        PID:3328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        Modifies registry key
        
        PID:2624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BKQckosw.bat" "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe""
        60⤵
        
        PID:1232
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        Modifies registry key
        
        PID:5004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        UAC bypass
        
        PID:1636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\figgEAsE.bat" "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe""
        58⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:3600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        UAC bypass
        
        PID:3468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TWUUgMgI.bat" "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe""
        56⤵
        
        PID:512
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:3992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        Modifies registry key
        
        PID:4156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        UAC bypass
        
        PID:1060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lSEYYkQA.bat" "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe""
        54⤵
        
        PID:3840
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:4160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        
        PID:3300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QaIIUMAg.bat" "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe""
        52⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AAgEosAw.bat" "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe""
        50⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        System Location Discovery: System Language Discovery
        
        PID:1052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        Modifies registry key
        
        PID:2664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        UAC bypass
        Modifies registry key
        
        PID:3888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CswYIIss.bat" "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe""
        48⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies registry key
        
        PID:4956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        Modifies registry key
        
        PID:3472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        
        PID:456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PGoIYIoY.bat" "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe""
        46⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        UAC bypass
        
        PID:4252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BSgwAUcQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe""
        44⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        Modifies visibility of file extensions in Explorer
        
        PID:880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        UAC bypass
        
        PID:1108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZcIQMoYQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe""
        42⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:5004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        Modifies registry key
        
        PID:64
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        UAC bypass
        
        PID:2668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XCkcUYoU.bat" "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe""
        40⤵
        
        PID:3360
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:3468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        
        PID:336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\McIkgMso.bat" "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe""
        38⤵
        
        PID:412
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:4884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        Modifies registry key
        
        PID:3148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:3448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cWwMMcoU.bat" "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe""
        36⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:3964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IGkwEgso.bat" "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe""
        34⤵
        
        PID:736
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        System Location Discovery: System Language Discovery
        
        PID:348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        UAC bypass
        
        PID:2300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aOswEowk.bat" "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe""
        32⤵
        
        PID:4200
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        
        PID:4112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        Modifies registry key
        
        PID:1448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TKQAcggs.bat" "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe""
        30⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        Modifies registry key
        
        PID:4504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bMMosYAk.bat" "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe""
        28⤵
        System Location Discovery: System Language Discovery
        
        PID:1512
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:3736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        System Location Discovery: System Language Discovery
        
        PID:2264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        UAC bypass
        
        PID:2356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JcsIQIYA.bat" "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe""
        26⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OqYkEsUs.bat" "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe""
        24⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies registry key
        
        PID:1968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        UAC bypass
        
        PID:4852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mgkIMAsc.bat" "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe""
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:4568
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        UAC bypass
        
        PID:4896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\caoMkAkU.bat" "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe""
        20⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:2236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:3472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\usIQAAog.bat" "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe""
        18⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:1060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        Modifies registry key
        
        PID:896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmMAUUQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe""
        16⤵
        
        PID:1192
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        
        PID:1244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xcoUYYMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe""
        14⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:3576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        Modifies registry key
        
        PID:4412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        UAC bypass
        
        PID:2920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rsoIoscs.bat" "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe""
        12⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        Modifies registry key
        
        PID:3524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lcMssoEE.bat" "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe""
        10⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:1108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        Modifies registry key
        
        PID:2692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aEccUMoE.bat" "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe""
        8⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:3972
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        
        PID:3320
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:3936
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        
        PID:1180
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\socokEgQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe""
        6⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3500
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      Modifies registry key
      PID:4732
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:2944
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      PID:1464
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QQAkEcQA.bat" "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4960
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:1052
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies registry key
  PID:3888
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:4552
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:2276
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LAYEsMkE.bat" "C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5060
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:1652

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv IVa1bUzxrUW82Fsv8s2D/w.0.2
1⤵
PID:1368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\JaQwYgII\egskwEUg.exe

Filesize
109KB

MD5
50beee85d5d33957421cd8d232389f26

SHA1
d5c35d14b397b45de665f1f5953ec1d0e486e2a7

SHA256
58365eed207b09c2fff945a35b4161902792bb08abe00f5bab4667786e5f9eec

SHA512
ac6a14f139dd36d20c47208407975e253f7558cab78cee900dd4bc2c6983204de91c9e64bbb67db75fb22bfb61fff6366e8555bf0f675b87a1dbef94e49afd20

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe

Filesize
153KB

MD5
c6cd86d78d23a6a3be9059b6c994e662

SHA1
19033c9462c289d4b2df841943958437448f5cff

SHA256
6eff72d4a7e0319454a6a55f64fe885b3b46dd26e6128733059ada38c9ec3bca

SHA512
0336b83596d835ebdcb9ac316f1fed308427619ffcf0fc022149a773d0bdad58556c4b6249aca8eab453fe00936ed3475c52c8c58f7d08f94ec7e24d8a457631

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\user-48.png.exe

Filesize
112KB

MD5
40a339418e3ec2c844cedeeb17a60fc6

SHA1
76244f1970828215385e803be30356ad6870bc4c

SHA256
b90bf43d5bb0b4d73ca9c4305ce5080676a65aef9df07f199ef5a54daff48d99

SHA512
47218394e47247de944a09702973fbd304c60791ee88aa0506998b0f9b8be7b9781bcff2dd40fc998415b799e520bb901cf2cd724e5becf7448e9a04eca6f30c

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\user.png.exe

Filesize
116KB

MD5
d0d2bbc5623dc1c5f95f1ff872d40756

SHA1
540804dfc88642a487a54ef1f2e3920481b7308f

SHA256
b3283d95a76a304beb95b7c1d186ffcb4e3f801c622d1f72f1381dc1ed6d6529

SHA512
f1fa21a563707402cae171f3b9baa72541487a0bdb0cb18fefd27557022d81bfb21d7c0cd6ea9d0a7576ce128c396ba4fc0ad2b4d96d6ef1208b91cf5a154d61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppWhite.png.exe

Filesize
113KB

MD5
2c24e14bf7faa04627c2523441f2580a

SHA1
28e7bcb03101bfa80af0b935ae6d577264d6a996

SHA256
1f55aec2f01ee2f594cdc2bdabeaa09022dd688c3a8c34aa9675759a44a3e6a2

SHA512
085e25de433951f19ed905128c1ff4a7f89d575a111a7e13c78a9df47e5ef2c3f9a73aa191e1af982aa433d6b12a273868a8684d44b9d8f9bf66e6ad01ce0d36

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-100.png.exe

Filesize
111KB

MD5
349a610ed4b57ec0ceaed070ceb2a032

SHA1
5164c2ee2794ceb670a17405daf79d18c973b5f0

SHA256
c73ed0b5a51a5f8ff6fdd5e7d624ff64d05dea207d597f02383f902db30ecc29

SHA512
84c0b97b31e2b5086d521e62e7d2e32283d28598040e9556263340ca93c6fb3db54f3df4677bdfed90286f33acb9f654dee645f137c1e0ed029bb1d5d66439f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-125.png.exe

Filesize
111KB

MD5
9c8602b9f4c4da646f1347b17a5e29a2

SHA1
a03dbb9038a537ba6c7fe3359a21b5a1d6b2646f

SHA256
e65ab6c796f0e6a6b95806b942fbb3dcd59b393cc2da26354509417e4fe5f524

SHA512
5227a292ed0a553fa2af7702e0eb5b2f2857381b2851cdede3651ddde599c54dc47e566794e9d74f4361aa785e0a95b1d0aa631d8807adb857b93688ecc0c0d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-150.png.exe

Filesize
112KB

MD5
b5bef5fc6af1f7c90654e3dfe7bb6402

SHA1
73a21dc5cc54f123e1ab2b6d09e00d5801f58930

SHA256
2f0e2712be9b64c2105542bb4cc5014bfd2f8927b4f4fed07b5e52f61061818d

SHA512
f0a411f82643cc47df06803f0eda0b4af4866db7262aff66fdb82210650da58e17576e700357231b6411f80c3b9c98a0db648064d0db0f1e51b07d31ef75e156

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024091396152c464108ec733320913981e12c2cvirlock

Filesize
757KB

MD5
5a44c7ba5bbe4ec867233d67e4806848

SHA1
3b15be84aff20b322a93c0b9aaa62e25ad33b4b4

SHA256
6ca0eafb20496edf23fc1480e8b545399f484a630698324be652ed10f45fa2fc

SHA512
b69615f8f303eed22fdf0677a8d57b4b61df3487e385b5c2f108774a75a195b6f0dee1f0161c46118821b6b4478af68450db8620e735d13c518a565f4708a680

Download Submit
C:\Users\Admin\AppData\Local\Temp\AIAe.exe

Filesize
112KB

MD5
90751c942e8d808d94d640e965e7447f

SHA1
1fddd181c080208c02a472a2a76045cfd4ae18e3

SHA256
641c72f11abd85accfb6503f788e35107a63678266df451130ee89f1527011db

SHA512
b852afbae954ec4a66a2482bdb98062f6d5a3412a16e14bf974b39b847553339955ac651472c5a24470f70051e1b996134410338fc41bb3d42ba7ec015e4da6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\AIMi.exe

Filesize
114KB

MD5
7b425c0e90d0b3c19779b88f5f1d98c8

SHA1
c491ef4805daf494e669e48b65d59a76d6d32e23

SHA256
89bf94b30a3848b77406f4a260ab4b4a1da7ad33b43819aac2b9e8470bdc9aef

SHA512
85b7e29a16b11ee259efc3f971003dafb6ac6ad240880a955e39109929437beb14a5d1ccb73ec8de5a80e44b4956d5e32b9f43d921e10f57ec2af8a720f190d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\AIYE.exe

Filesize
117KB

MD5
15b4ff9bc9ea9fee71c1ca964fd352b7

SHA1
f533145f91e1f6e8109fbfdc5d4745c2667001f0

SHA256
5d9ad801b2159957ae1bd2cb92aa9347b649f3a0c64454f746a5949ad09adcb6

SHA512
77288b1a3c35f4fe8c765ad32a93b461faef3cff39535cd9c912b4a1bbdf23dff13fc06fc88c7c7d166d92e269070fca2af78bec156c74250019a1a2c0d90fb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\AMcS.exe

Filesize
701KB

MD5
8a0586321b55a6f3b620bf1f08ce9f64

SHA1
40924b325a6162ccdc5d88679f4d5b4bd1bedff4

SHA256
6573ce7e99b85d79c47db9e232ec7b9146cb1c270f542ef8ef6d77cccf304dbb

SHA512
ec42a4dd053ba8a7947b423e1e715a6e6e2b2de4a334e5cccc569188153adeac8e90fa169d409cf08f4b18234f06cfc17c0b26fcd8310178f58892928c792ab6

Download Submit
C:\Users\Admin\AppData\Local\Temp\AQcc.exe

Filesize
119KB

MD5
0acf3c3be6826308a4c01bb64e72e664

SHA1
d043065afa65d335071beb61b55c79c5b28f9e54

SHA256
a31e82b5d6afcd52fc2f76f8495aeb19150bd0e8e7d3abd6581dad79e4fe890d

SHA512
3a4ce5705c674f2d34520e66ac331c95585314489086f89905265ad299e8bce4772e360c43f67a94858f884bc8a84a08a7741cbc9ed9b27888a6f2ce2fb18259

Download Submit
C:\Users\Admin\AppData\Local\Temp\AYoA.exe

Filesize
138KB

MD5
4b32c5d2d0a6503fd3f187cc54263f82

SHA1
e9c75df9a8399f2e97bf6ce699973ad0dbbd40fd

SHA256
49341ed84d7bc6b3d7bbecd8c77876aafb4ca9f736e1879215a9d70877bf5140

SHA512
2ee6fb658fbdda22d5413835333223da2ceb5dd8a5939d3c899dfee57386a57d587f3bcbedf9d51e9538f07d4ecd39bf7c8373f5884eb3821f94fab3c0b8814a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AcEi.exe

Filesize
721KB

MD5
95c661596230ad53e7b6561467e1ab8e

SHA1
a1ca9e980ac87072e0ed159109544e60bb7eb362

SHA256
a47663f00b4b8afd40078142c5d0f3c610972dc3d783dbd3110598a04f5cd748

SHA512
2624d311795b2a70cf49eed71106a2d5f79cef5c47b5d1a94705e8c6f2ed0f80ba3835da3b29c2e1e51daf9f7b9a2d8c3d33727a03519943fd917346bc35ef06

Download Submit
C:\Users\Admin\AppData\Local\Temp\Agsk.exe

Filesize
112KB

MD5
2340a1ce065857f5b697d4b9ecfae17f

SHA1
6e0f07a15ed8efe8768a87599ffac3eb3f34beeb

SHA256
0d4161b6882c8695cdf5dc744565f66a930149c59d295c2166656b879b3bea3d

SHA512
a969fe54fa5532ced0437657d92ebd6ade4c30ec782b57b2555341b12c3206382f92f06997d6f1a07284b6e8ff0d68c0912a581884f742425b91fea2f437353b

Download Submit
C:\Users\Admin\AppData\Local\Temp\AkQy.exe

Filesize
723KB

MD5
2e155bbcb543a90402769645a3cc3b3d

SHA1
801af8acb5b39d0b725e733f0b513dc9b47178d7

SHA256
4b7d81441b3d367f37d82e34c92888c8d165233afb11fa5750d23966d2f4b534

SHA512
108480445476b00941ae3b40009cbea2415b03674619dc4626f18ff3c16fe735aadf99168cb072bffe8171ffebff1e94238284d0d25d955ddd32f3eed1d03e74

Download Submit
C:\Users\Admin\AppData\Local\Temp\AssA.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\CMEQ.exe

Filesize
292KB

MD5
ab8babd537b6181920e8b1a88e707b9c

SHA1
bfbef785911bb6439e57713ea5a63365c6e7dc71

SHA256
18a385b40c072960e6a244a2513d7961933b9c5ff724dbb1eaede6ee0d8cac57

SHA512
c35ea32ce78d4893a4fecdf784f106e5d364a9fe656e1b042ebc9623edc23c0f4706081ecd6af70033e6f38948906d3064e0ec3e8d67a780e82e68a45dceced0

Download Submit
C:\Users\Admin\AppData\Local\Temp\CMcE.exe

Filesize
144KB

MD5
31762f330890064fe52572cdd9b9ee99

SHA1
b44d3d7c1766bcadb23be1ef8d7193432594d023

SHA256
724d3b6b09d1c5e131037905e29d39188197bb496838d3e0d47e7d3f859fa892

SHA512
08c6b2d3dd1c5d03fa836852277bf6878c02641aa6f95d7c617e708c441fdbfd6dc3eedb893354c7571d2a95ba243022eab4bb91cbe9520dc48c81ff16988d16

Download Submit
C:\Users\Admin\AppData\Local\Temp\CUsa.exe

Filesize
110KB

MD5
a9a18ff229bad4c7bfe05005cd432fa2

SHA1
fd2376426c8379801d85aa3c19d39b904d6e0f7a

SHA256
c3d3697aa62390317748618e174705377604f8a2fdfd12064eef32679c81c772

SHA512
e21a733f71b32f1c8befcee721bb7270dcd9648765f8f5c4f58388e68f6ba4c9a44772b64ce913d7639b471739319fac9083a22e08351952dae09b5a8cf61725

Download Submit
C:\Users\Admin\AppData\Local\Temp\CcUA.exe

Filesize
115KB

MD5
110547e6eb761d74aac5c73b852d0722

SHA1
939c9c33b03bc463f9e56264e7758aca73bf9b9a

SHA256
412e39f45739aa3004c8630101d880d5d57486ea5d413003d812e69c7d3ca1c3

SHA512
dce574376b747181adc5842e6a741b13c41d26eb8659eaa810032ce3ac3e1e7f52c7e86503cc757ead3942cf979c2adad659ea565f771e65578007f5d4298f08

Download Submit
C:\Users\Admin\AppData\Local\Temp\EgoG.exe

Filesize
110KB

MD5
efb27201efc112f315c0e7a5f34ababb

SHA1
f918243df391c16b4523b7b333015658c43ad9c4

SHA256
99c604717f3048b9dae1fb9485db10d23762d6ebc2d2f90394f5646e34522319

SHA512
6cd43b596de82ebc61c6db7c64f3e25ad4769f6ed3649e56619dc1e2f6665ca4d66b6836b9ffa7320e5bf6691501c569753b3de943597c55578321ac466bc7e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\EkcI.exe

Filesize
117KB

MD5
0c61bc49768d1318d9f1b77f98a7d7ef

SHA1
716c75260fcf996e24741f45c0f33273f22b7c38

SHA256
090dd122e0449551a015da130a25ffe9f6a13790a12b041d744afa46cf5c7faf

SHA512
37c5b5c79aae964ffb7d918d41218381f34aa6c49957b761d63653e7a234c5d51d0b559e0a6e2cdf1f7df6a1f3b1e84aa98f4310acd1810e7aabac4812550fa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ekcy.exe

Filesize
566KB

MD5
3d4734bb22d928370b4997e442e30a65

SHA1
4958d395ce501c4da7cd023ec6e159cee8cff35a

SHA256
7ab398ad9c0bc04aa9eb3e8fb5543cfaa8169425c2a265f29873bc6dc4caac68

SHA512
a59b68b85c09b247d7985502d0b2fee67a46fe0f7eaf8b1fcfe210a049d083e8c06713f1c969837b952fa6c06ea03a07b7ffd4ff5cfe592fc4f63ce9f5b52816

Download Submit
C:\Users\Admin\AppData\Local\Temp\GEEe.ico

Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\GEsS.exe

Filesize
140KB

MD5
c0676972f08a4777159efc7fe8531948

SHA1
64e0b85e967b68cb75c35a2024640d66b18e02c6

SHA256
3772611619eac43f13e962e912fa33596b2af070d6f9112c9a0e76eae70316ca

SHA512
ea47dd997cd06ffa802227d6d5f9395ffaed22dc11364901a56f5fc4083afa93d6aaf0ade438c0f9e1189071f294e5214fe92ecc1820a9c7120828fe4d53b57f

Download Submit
C:\Users\Admin\AppData\Local\Temp\GIgi.exe

Filesize
567KB

MD5
9ae2b79b8165fd47e7b464e570ab4c17

SHA1
5cb05dd5b59aae465534d049db1ed71a9d7bc9d7

SHA256
9944268e45adaa163a82bb52822e658c77f3ad9ea463a16357060d051b036aed

SHA512
cb62885800eb6a182addc9688312d3f5c0e6e73f9297292128e7ae5f1c3487998d2a353545633b4a2186af4674939a43c30532327b4e30f67d283ad74adf77f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\GMAo.exe

Filesize
864KB

MD5
f6cd1d91bea3b9e7d7c8a9a37c6cc589

SHA1
4732dde9da85d6bf67c20ee121db04460a3bc996

SHA256
4ce21696ac1b1c1e146aefdd3a20e13940a029dfa3be162c43ab1c77435aad4e

SHA512
4991c8d19fedbc9177e5c09e96c775496430118835828464632fd0cd0d8c16ba50b95f699ca930326f6e0e6a76d76b1a374bf94ec179029f2427505aeccebe47

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUse.exe

Filesize
112KB

MD5
b0f62ba6077ff0051501304add0b2f9a

SHA1
8d75147d9cc6ae972dc512a2c39dcd3a9a28a0ee

SHA256
8989d6d5c7fa00e2b2607badcd8ab671a8e6a21cc39aaf219a3f4b3ccb84db46

SHA512
6c3b7657fd9dff051028c689af89696220b09d28ce07e48ce44bc54e43bb485153fb6f6f48c94566e5f44de0942920108496a1b4dd08dfc94723a03a075d963f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ggog.exe

Filesize
110KB

MD5
8b1a064d765bd5efdb0dabbbcaceba2f

SHA1
1425a662178ec687fbf5850877b0934f1b75ca52

SHA256
6fb88a979d26397d30ac32696ee3c9d025eb04cde94813cfd84e9581f1d6a694

SHA512
ed49f77dea59d3078be76dcf3502dde9720abe7efc7973952bcd7e42256584f781060bd58e64a69eb6f7b5c70f3c6c79b85839876bd3aeccfd039cad7cca013f

Download Submit
C:\Users\Admin\AppData\Local\Temp\GsMY.exe

Filesize
114KB

MD5
c77e1dd4566e4f50451b9360686c6947

SHA1
d11cb308f81302559f7ec61ecbe127cf33e486c7

SHA256
346a0041fbfb63edefae5b2d4d75a6161e6e31bc5a046d1980f8aaab31a94776

SHA512
2327aef68eca5e317d0541960fe6b250d6251bd33844445d6221665342f8563d50f8bb52fb5fcd707ece1de6f1934a9d98a06d4034c1b0916aefbc279bd41476

Download Submit
C:\Users\Admin\AppData\Local\Temp\IEYM.exe

Filesize
110KB

MD5
6225a456788830ba58f8ec96ed34b0e9

SHA1
e7ab916bb2c3d11c24c58282fc2a4408c68f7f96

SHA256
13b0c061dae3e0753440c42f4f6f95f064e56d5c109def985f924db37b520dcb

SHA512
b22b2b4549f5a9bf4145ab1b30bc550ec2b591d1a8b6364165e71e1c69a0b41c16e55a1704c323fcb01bab94bde1ca2737c7521ff8ce0b71290e102663eacfb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IggA.exe

Filesize
555KB

MD5
920a87c5917172f3a0f7b82ee14dda4a

SHA1
bc01f943685003d3da1a9f39460744bf0fe82b54

SHA256
caeb16619838b2b1be779574d7ebb5e8c02196ca212f23190d1a05f2c9ac8ce9

SHA512
d003a7fbfff18919c9860a4ebaae53f85a2b1105b1bd7f2b9ad444866041b4510b4ddadbed17d838f4239aae65f22301c1dfc024b72b643fcde8c54b3b17701d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Iggg.exe

Filesize
118KB

MD5
14e86649170dc1ccb2c657f0b94f7f30

SHA1
97001f89fff0ec2cad545fea211090403502d3d9

SHA256
0fff35ae35556aac7ac0cb086c6447dba1f4dab2be7a63fe504efd147c76cf45

SHA512
435953dfb7f62c0fafcbe4fc607112f7b714dabb444d460d737c0e8c6f3d9790f0b6d47707a16ee96318b3b76f90441ed224c02921150a71ceaa114a585cf692

Download Submit
C:\Users\Admin\AppData\Local\Temp\IwQq.exe

Filesize
111KB

MD5
20abaa15bac2cadf1ce8176adcfa516e

SHA1
19b50d19953fee9fae26f1b2ad6aa1789f976d8f

SHA256
041e091d72c5fb57caa541f3ca2dc45250915abaac52bac3d75af2708583f3cc

SHA512
7cd80d42a24e6806f0e114dee26bc2ef448a0c43253329ddc67ceef7db1c6b31f3cf8f80a2ffc391ab9b62f6a126a1584594afdf811ef89213ec4f0f19b217bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMQI.exe

Filesize
113KB

MD5
a368ac190014d04f985e2c3a9459381a

SHA1
352c6efd6bfb10420e46d2f9917283d1b5d610fd

SHA256
5459f4f58ce08da4ef9158f175457ea28758871a5175e6d8f3237853bbe74d2b

SHA512
1d6c2727cce7092028a73fcdcebcc9e61dcdbc79371c59e2bd0644704e8ef89cce6b260f4f30a48679f01ad2031fd988872918a1f65ad7097d3f1a097a56e954

Download Submit
C:\Users\Admin\AppData\Local\Temp\KYAI.exe

Filesize
118KB

MD5
c2fb3259fc245e0f9d76bdf914f48c05

SHA1
adf1a48366f84e6e72479b5753b8bf14a81d3686

SHA256
e9f81ef765d0c15d4ccf0bfddfa142114b83ae5d9f264b6ffae7a55a0129eec4

SHA512
e7dd1d359e005616cfe0691c92216b66bc900b8e639f4de3b73b20a8b227d1495259bd8f85cd4b1d98d9d958b6f94d41d8901139547cc952332ec22b231ecd79

Download Submit
C:\Users\Admin\AppData\Local\Temp\LAYEsMkE.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\MgUk.exe

Filesize
238KB

MD5
f9d499571211c653a8506dde6d408718

SHA1
f91e851c46b2dccf8838415c4f8e0b1cf1c57de2

SHA256
aa1c95de13c5bea21b0fac41364303b2838763565c3255ff39f567f0b41a3394

SHA512
82af16206034f6e8b16b578f858669620a7204c5b1e27e648dc53d8b86d6d78318838dec452f01ee4ddb9fedff1493dff01d3dbf384d052c0523f687eef58611

Download Submit
C:\Users\Admin\AppData\Local\Temp\MkMg.exe

Filesize
111KB

MD5
495339c83cf63dbe169e378e4e102644

SHA1
acc9deea15f3a6af9b25fa9be34afc2c8a7e25b0

SHA256
ea1e53fb2e22d7f7fb8ee424ff7faba1fb2234c142d01c7d55caa8af77ed7aa4

SHA512
7d9504ee6a12ab5264c893b69fb56d1a183becf8fbfa4801ca9c1eb4726409a31ab0687d94f3feee36cd1b05c39325fcc320a7a17a8e2e327dddfd4e44f822dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\MkUQ.exe

Filesize
113KB

MD5
cf865bf4d09aac876028ddea82fcbe5d

SHA1
7c46dff9c1a1ee253c7b9aa7b63251758814c159

SHA256
69750cfa1d82a6b5135a345f72372a77ff6f0f0165201175b4623a505f671214

SHA512
725682696584328afca01eb85c8e5af8cba125123b48a1deb2378f2c318dcc9a93415db136ca2f5ae2adc02cf83c39c20f23e87cf9b1029fa3e7f03379fa9d15

Download Submit
C:\Users\Admin\AppData\Local\Temp\MkYG.exe

Filesize
515KB

MD5
0e8cf87c23cad5ea938dc97c627f29a4

SHA1
d3a92b40d87eb8c2f17273ab6678e33eb43932aa

SHA256
0147c11dc3a6759b0d20f86e04e3641a41da8ac6017dbd6d2ee7ee876af5f563

SHA512
75cffb07642b2e65af970a0203c5404cfe2266c2b1101f5524263361febd603b19368b5e69deb4ae777ab545e1da2b4f9438c95548c2ede9b9537a1ab13ab930

Download Submit
C:\Users\Admin\AppData\Local\Temp\OsUO.exe

Filesize
114KB

MD5
d2ae4b8bf86247f448101bd6e167f624

SHA1
3e919b3fcd79e1596893c13d5273ea292a89627e

SHA256
2480a4d682b1dbc47dab67fde818a5cec37b082379721263e1febe993828b206

SHA512
470baddebb56f95a2f8e571c33003150eed135d07a9b67b0d1f2b8a392b12ca6e39e8d99dd26578ae5131a80fcf2217efa0b3018a43a7e0164a2e3fe5453205e

Download Submit
C:\Users\Admin\AppData\Local\Temp\QAgU.exe

Filesize
1023KB

MD5
551145527781fd966f17966fa2e9d8c5

SHA1
e6586c0707b6d602142e97ec31f9aa17ca166659

SHA256
b9bc5e282050a09c25cc8ab651a05285746aa69c7767811fcb46006bae0fb531

SHA512
d3c0e1d2aeef7949aaa9ecc122a6cfa02659f28803417229def4041c696322e9487b606220d72dbe93ec95c7640fcbebfd67de1a76c0998cf2b39dbc6437627b

Download Submit
C:\Users\Admin\AppData\Local\Temp\QQoY.exe

Filesize
237KB

MD5
91130b98a761f4a58aa1ff10dff7ab8f

SHA1
ddf6385bddd41ebe15170798e184c77319743b8c

SHA256
edc61c9ff09ccc42c39cb9f9c396fb7a9b8414657d1d62a0f5c2b65bb0a3b512

SHA512
d4ac7d9c1fc5ce1505f643397d143463d5d91ac86333eaf59a74e0514d178929f2f8313055274789a8d198e9fd31aa96371ef8e8b1248ef8b1a702726d34d3f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\QgcO.exe

Filesize
136KB

MD5
b55249e682d308f8e9565286887e60b9

SHA1
1ab0789bad11445aa1da7cc73b6ac4067d09d86b

SHA256
68c37de9ee00e97e23801fbfa42d7cf1798f064c7436ec05273802a37258f16b

SHA512
29a697233f8d02c85f873fc7a60732bd073e183a8463c1a3f4e8223b98cac6e1d8165d1cf569635c43505025c1cc008a81d60c7d41d46b72f8dce8a3984b2f51

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qgso.exe

Filesize
111KB

MD5
f0a3cb5ad8d5bf7e20b95a9b9fa31495

SHA1
bb479e4ade1fc001e954370b8c2ea49e7d98a53e

SHA256
f009bcf2402a04a4558ab6ebf97573df97f91d3f4031bbeb15fdecd41d9fda76

SHA512
fdf3d8c237cca700907319bba3f5a9665e2b4dc236e7d5dc475ef2f96ac5ac8dcda8f23e6e0b8d577e472bd84fb8836510560e25e7229ff5a69c890825ea6222

Download Submit
C:\Users\Admin\AppData\Local\Temp\QgwG.exe

Filesize
5.8MB

MD5
d4065c1018ea6e4038b0433958e649a8

SHA1
2eff3611d12c35093ba2dfd7b3e4958ddbcdf466

SHA256
dd66c8219fec66cd5d72f0eb09298fadaf1e18bc1db0c5b941f8afb3d56fa091

SHA512
ef902d7b2afddc9a829e96c2b6f7a105d6ed9ef32904e81174a713306c95ca093597988b1919be8b81598adf97708aaec45a0c3df7b55ea5a42416b4e100464f

Download Submit
C:\Users\Admin\AppData\Local\Temp\QoUY.ico

Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\AppData\Local\Temp\SAEu.exe

Filesize
443KB

MD5
869774dd6b8982d58ead7364cd68a673

SHA1
016b414842e3664551a3acdc3c58077de1e4c68e

SHA256
33fc0368c65c3f9b14543fc092ee16c0276a0ff302e87cba7f33a0f6e0d024ae

SHA512
a311246cad19eb56822b23f3193b6cdc599cc3ff00ee7b93325966300ec0fa5b96a3581aff426d853e57e541578ac6501fe022233ee8c8a3fbc0c311a5fff0c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\SAIS.exe

Filesize
113KB

MD5
471064d641e17662f40a13ca16a8323f

SHA1
d78df3ddd8c49db95bb1b2a9087ffca30d0d9fa8

SHA256
8205aede07dff119108ac5b0e7e47bb99c336ec5ded4a110dee9f69742ec9733

SHA512
f047d30ff894d47e3cef047e80f47531566a02fccd964f6dbedf93e41f0737874cfb561afccbb34fe97803eac50f709a49ec3813cfc41f2146511b73f7e6f8bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\SAQa.exe

Filesize
111KB

MD5
b0848fef32f502397a8cd505700fb357

SHA1
0d5162bf27517f93e7a4236e2cfef03270c41328

SHA256
bd40f8b01a84a8204df48ce4a51a3d68412bb6e11d40366675705bee4f0a8c09

SHA512
1321c1e5ed5ac3fa12854806bb8752033e1a7ccc894778a31b24d4e0dd8d0c6b086a1c9ef7aef853f7db714f76afca09a4ec7e003b79c9ef451e8ba87adfd053

Download Submit
C:\Users\Admin\AppData\Local\Temp\SgIc.exe

Filesize
112KB

MD5
a3ce3a75fcb277ab5b97496eff0c6510

SHA1
9bf2922a2d196cb841d31c24d6f33f0e9d9535cf

SHA256
2f511e46b36257aa0ef9f66c62c988c0723990f0608bc129423fc4eae8156002

SHA512
30bb91b2ad57b8ae1e750ea03f4c1a0e23556262d2e690d72e03dc03fc96e7e17850085a886a6f18462880397fd569da7b5725d90bdfeb0bb608acc312cf60ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\Soom.exe

Filesize
111KB

MD5
8369984c676ff6bae48f3dd97889a93c

SHA1
a502ea69b2a479df57f79ff7d99dc32357a7c251

SHA256
97aae7f61911f84e95ee06f1a2dd11a43812c2ef822d6b81e1fc82c52d9526bf

SHA512
1586a1738d7896d2b20f917a3de8076ddb7a1f689cfa21c3760cf334e0238ec5e19454864fc2d9db9b314c365b8a00e87e5a51cbc11b21a31a5621d869d7c72e

Download Submit
C:\Users\Admin\AppData\Local\Temp\SwUs.exe

Filesize
113KB

MD5
56d0443de3ad86e51de5e2740dc052e1

SHA1
2d2be119517d3d136e4273d11e2e27beb6bdd5c1

SHA256
ea90fee00eefd8ce5e740393d8f2dd67565054dc2a24cbe363665626cdae03dc

SHA512
901ff2e22ae797a9761680d404fe17704e8f70d159cc72e7135ec90e6390fc13ccdbb1d8d4fc3fdf617d3386fc0ee3cfcdd7aac7c702bf38279f865b70a821f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Swgo.exe

Filesize
138KB

MD5
fae0efcd2d6a7c79d9b225d48eb76b44

SHA1
2e4fa9c38892223fa4db12f04b7e228fd0266003

SHA256
c4e47354af5ab05a5a86426fd80afca31e82006f7f12b33242d5c0c84cb23403

SHA512
9b5348501f7c4e570c6f21826729b627c18f9739feaebbf476167c2a9b41d9dc80d354f534a0d7c7a58cae36e3edb1277d77f01795e1d3bcccd2a8eea220b1fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\UUEw.exe

Filesize
112KB

MD5
b056532826f4711747156f504dfdb54a

SHA1
c562fc1e4c8752ef814c30def8c445bf7969aa05

SHA256
197ab1383846cda4ffc9fcd355bc5fc8b83784340db1fe9769fe26c45bbdd393

SHA512
bd255a8ca651ce5f37307c0d4e61dbe91cf2c966a4a0bd6422175e5da70aead1084b778faafba9c11b3d3a76ab9ac2ef7a28d423f58f9053cd950d52ed2c61c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\UUkG.exe

Filesize
112KB

MD5
8869340c50d0c18ab318b2eaca2a4243

SHA1
5b0bf4a4641ddde7bb8a6eb5b8a6dc803fe80e10

SHA256
5fa1c97466fe2b454c44fe597b89793581a476a5b9328eafb53c7746d1c2861c

SHA512
03e034cad5095683ac8ad68fdac3b013ee18f62c369908e84c3bdec3a4ab6bbbdcbb8ef33a29a1cf82f38e5082aa419eddedebb56cea4cc7b2cc574878cd2de0

Download Submit
C:\Users\Admin\AppData\Local\Temp\UYkW.exe

Filesize
117KB

MD5
b41e9a6d558b993a460e8420ef8961cd

SHA1
3483cfe8caa0172b423d3c99a2d0363269e2eed0

SHA256
9400f7cb02c879d18a5568e5dc3009d9cf464bcf6fdb450f98702d40f9b3475a

SHA512
22527f1157f5eac7106759089c5032f56bfe601613c1b3d35bfc33fb6fb4340807cb0ce31fea2ffa1a6a81081cc9ce353ea0306b686e83ad82611d3a68b98d16

Download Submit
C:\Users\Admin\AppData\Local\Temp\UcII.exe

Filesize
111KB

MD5
83cc3f35f80979a24a0b4f912d0cba6d

SHA1
9289c91980108d5d253791c11586cba8f06d6d28

SHA256
a4f0aca4b570fb8fba8ded5240b97c98159ff856ea89d77f048d0a06ea9924f5

SHA512
f404d8bf9e4a2fdbc7ed6a35fc38790d749c259bac9b1dbb224f8bc07cc0e851c400b32afc9ea35c5c8d7e4241fd66704603e0f2919d4fe1b7fe0f41b42eed1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\UkAo.exe

Filesize
237KB

MD5
38e235e0e860ab16fe1df88d01d44a58

SHA1
db1aaf2c422e4346c20b738e993e9946ce10002c

SHA256
e6fae2ef560e75954bdfda5001ca9e6fcb3bd73758d660df2629bfc2147b569e

SHA512
e0fd8e7273ec3ae486d8c7f91187b72cf1749a7b6be940c7f5f4abfc138ad0854b5bbefbf360c87668ca0319cbe85d8ec54a5dd4a40b3eb7513ba4ceabf3ec30

Download Submit
C:\Users\Admin\AppData\Local\Temp\WQEo.exe

Filesize
116KB

MD5
d831c6a957c75a9315a05b0fc3c864a9

SHA1
3d372bc938773a20dde84d65399126452d892ad8

SHA256
77945b647a99d7b44e870f6096eeb256d5c6d822f109b154745c6f241d2f2e42

SHA512
c7bda1983cbd43708f9f1cb1a44b4babf74c0de90b22ec6e81d5a46d5a4a6f3bca4316f2c9a0ec9eeb9fa4f928477cf03858cb1ff1b88d962c4752680dee5690

Download Submit
C:\Users\Admin\AppData\Local\Temp\WYcQ.exe

Filesize
111KB

MD5
8bd29084d296df58f249888d409f89de

SHA1
ceff405a91cac7d1f4352c636b135d729eebfcef

SHA256
af4820fce3a5b53a381c6351c4666f72c20708ae446d86081e2829de041e80e3

SHA512
f823fcc1573c2a4f96a84ea2b84b02d90a00f99cfe3666e3db088a4e8a79a7bafb0bc514630defc1061aeeb83c1191c70e5809eed0ee3e9cffb161904e8edac6

Download Submit
C:\Users\Admin\AppData\Local\Temp\WoAk.exe

Filesize
120KB

MD5
78d2f47fe0ae3ff6690cdec350e76240

SHA1
7673933610e4116e79e8a36a8cbb3c620704d691

SHA256
67f6bfa986c36d51d7f369ef53d3ec3ec7fac445cffcf2ad1a6008c9550de241

SHA512
5c7b381a3182ae2f06c6570b4d23f675a44574fba47815ffd4b4e248741b2e96b8bab135d8f6d1950849f609b1a6bfa6ce28e3afeb15d3309dfeffb1868d8889

Download Submit
C:\Users\Admin\AppData\Local\Temp\WsYC.exe

Filesize
373KB

MD5
637a40c7110a68679283a21a7b8b18bd

SHA1
7ddc124737a457abe78a80c4af48a78e9223c344

SHA256
54c0717c46c70aee94f9f88c673f6e5121ed02fb0b9efc4e5643f064f2001f94

SHA512
22e4e2f0bbb003bb3d721b50136349e06613b8eb2aed6ac21117fab2af31c0774602c8841e76c2a51a61e62678b5645f47fba99ab7cdff95a8112d3eec0f7b3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\YAEM.ico

Filesize
4KB

MD5
ace522945d3d0ff3b6d96abef56e1427

SHA1
d71140c9657fd1b0d6e4ab8484b6cfe544616201

SHA256
daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd

SHA512
8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e

Download Submit
C:\Users\Admin\AppData\Local\Temp\YIYc.exe

Filesize
111KB

MD5
ad4e3b0c85b12ceaca5c7dba83a454dd

SHA1
f1ff70aa9db1577004c48379ce2009057d0fc32a

SHA256
5b62450e40704c38cdca9d551fa90039d98b25d1e3f7c8b8c89312db5e61a64a

SHA512
024b18cec8ae2bae5f988d55bc848d8cdb08e3ea599662cc4ed2ef15c5ab5649b9e27b425bb9598cec3a66ace0bd069007b7f27666d366819ca4497f6bb92ea8

Download Submit
C:\Users\Admin\AppData\Local\Temp\YIoo.exe

Filesize
155KB

MD5
f6a947f3ba83edd7f4126a6b6c2a616e

SHA1
47af616780b0b0243d62de0d6e1526694bdcd9db

SHA256
89e84d00bf110c25c33dd2dc78c3f3b130b494694301cfdb7a14c99bbcc1e2d6

SHA512
c463a80e5e49e5797cced5fceadcf45b9c6bedce456c445350fdf67474c59d329d18d1f9f7d3cc0f4dd82eab37577e2393ecaf9222586e44dcb19488baa93cd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\YUMU.exe

Filesize
112KB

MD5
c093e154cdbb1b9e1cf866761dd5d3e4

SHA1
ca2a3899614a52da00af52ee12468730d07cf378

SHA256
2549a4df7683d88cef1f66c497279519c5642dee8fea583a013e45829eeb4767

SHA512
d02d472017a9f10cb513cef512799d0ade7f19e6e0669ad62cdb7fca339d2dd03d4f37bda4e61bcc33beac178273c4ccb5043600a345bcc1f2ba3da25dece827

Download Submit
C:\Users\Admin\AppData\Local\Temp\YUkE.exe

Filesize
118KB

MD5
584e5c3f5e35d9983ae82a615f73ad57

SHA1
5472fcc3e884e6112a38233dbdbb739b5eb127e0

SHA256
818067b0d61d72e6cf3d1ce866ac9f2478cb2e56204ac134793a8a38c4a7bb17

SHA512
d2de8f375ff4210b78c25396ad2a329bb317690b8e50464fcf5c6ef52a1384aad113aa9c636c99ed7126daa710c215241d667b9de7686bf9189fe9fae2216bf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\aAQu.exe

Filesize
743KB

MD5
50193bb392ed1816c5c84d2c2cca33de

SHA1
45e4f1e1e30583dbe52bf8549249e8a0975c4dbd

SHA256
b97c669de5a08ce8a45c6a06fedfcd3cfa18b5e7998bbc204558b47c9f0d1113

SHA512
9c55c6f17cf90dc704704a2928c09239d9610dddb90ac74fdc187abccd1a2b4100612286f260574fbe7af20eff9a75c2779350155686e07d21cc857b74539d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\aUMs.exe

Filesize
110KB

MD5
2a792110e2fa6c80cc21341e1a24edc4

SHA1
b3252e0ca86d014ab31163e8d0a9627cf0476dcd

SHA256
5134b28996d3bf6212a52ba52c049cbf033c00a71a1dbe4cfbf3791c0d12fb9f

SHA512
3b88392a9089f9b6469a7075d3e2048d4bf61963c6cf4ea39522d64b4d2c0626a6150a26c970e7b636f8568fe71407b91b39262f73d7d2ea0158e885e86e3faa

Download Submit
C:\Users\Admin\AppData\Local\Temp\aoYU.exe

Filesize
698KB

MD5
48ef38d262cf9962e5f149418da83749

SHA1
0bea55892ea1a96d87dba55cfe35b922e41a5c86

SHA256
d2687038369a8741d8c2544f8b9c82af01c6206800c84d77cb4b59e65a3e3bf8

SHA512
9f40c1bf9803612ba40adc09a49d9c1618067baea68e2f24778edeb978aa37f0f5cfb1201b04cfea721ae80327107434eca399739a073546e3d1f724d763ea76

Download Submit
C:\Users\Admin\AppData\Local\Temp\assw.exe

Filesize
118KB

MD5
06fddd8ebca40fafbd7f246026dfcc05

SHA1
59f060924d2eae6f9fc0bfc487ab4a33b6a063f6

SHA256
5eda0c974e702705176258dffb8d9d3acca66c7257edd121a83bdb2052964ca6

SHA512
418113284721daa1c425bb16a8b3ac49200f9bf5202d4a5815bad3bdf143ca04c25cca7af2f1c1247baf061e90b6f5870547ad9bd629ba3feab12911f0e39870

Download Submit
C:\Users\Admin\AppData\Local\Temp\cEwW.exe

Filesize
114KB

MD5
f7845f2bd453fd5460c91275df44effe

SHA1
f8b862c77e5099c61e6b6ea8a90ddc70f7ffa185

SHA256
08e20a7c2f27cbc10d5e24e0397447692db2d46bdfda9ce70148efc4e58bfaae

SHA512
533e10539801cf75b69f74736ef8ef4c1748cb915281bd8d0ea1afa9fdad7f7ef558a8e904a1ed8ee25ae6cd9b3b338fc0e531c87590f3c20e3c1cc21af08f85

Download Submit
C:\Users\Admin\AppData\Local\Temp\cocu.exe

Filesize
147KB

MD5
ba562dc4f135dd12cd12ab1d30447b87

SHA1
626aa8cf9781f95cd5028233a0ba2895cd4e32fe

SHA256
6c579fda53b49ae1eb5674e7ac3a2415c79f26c0b93b9523e9f674d85df082f2

SHA512
f144bedc7e75d8dbd0f7b976a497f4315e5a1b585a1dfe373edfc05ed9bf911997a0ba65910d942b40d5aad8f314bf7f0fafe72ede03a68712b55bf31d56f4ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\csUm.exe

Filesize
744KB

MD5
a1ce7c47c7fa2c13b6a2ab1294577278

SHA1
45a6cc9f6067f93f0e5eadaf5612be9a40278c9c

SHA256
59de2adbfbae24cd25e9698e0f0a93a0829b204c1d62107cf8656e08d8a73e7b

SHA512
aab9421160c8b5687a8e8eb8f7b1f2666ca2e6ff9a4c2ad04fedaf8b66a5219cd3df0f61ca03f0c0f5e4350a608a2c919573d0cbede0c07907e46879bb39080b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cwYG.exe

Filesize
347KB

MD5
67776097abce944d5b1c965c0f10ca2b

SHA1
85a031f0dabd7fc8ac36815cf491b275148f34e1

SHA256
87bc18fbf0b0d28bf22e21ce4744e1d421ae481c903da9475192696f9c3aea0f

SHA512
a05f7d930b18809c8e68d900e20eaaf28cd0b8ca0e4c2939cf9650e315061f2bf26a51d9469fb8299b869bdd8fd5451861c7de99c38d2412bdc9ccd874aac76f

Download Submit
C:\Users\Admin\AppData\Local\Temp\eAAi.exe

Filesize
111KB

MD5
2e84a9bfe5d500d02a988206e75018da

SHA1
156b60ae1eae62acc1c067d2d90d84d927a341ce

SHA256
d70815537daf8e63ceda6191f71845d7ae89f92470eed222d321ff58368b609b

SHA512
2f835ec64ba9fbeebae350f72553738eee4f9d942c0c8fa485cfe5f19331155c4c6e218a0e13af77c8c66168050e435efe03dba717771fd3446bc1616668e86f

Download Submit
C:\Users\Admin\AppData\Local\Temp\egkG.exe

Filesize
112KB

MD5
9f945bcfd775784fabc407a4e94355a4

SHA1
02de9d3fb5d36d337d0ea4cc1a8c93337bf29832

SHA256
d837dade81ddde8ccbe8c00c3f433e02a4d675ceb849a1e093e8d6637da353df

SHA512
6eb270fff55cdd9b445ade77e5c7b20df484a1487335f86710ec6dd4350078b2b891c682f826af1cb1e74dd01261c191d91a8ee3f08d695780339be8cea9f72e

Download Submit
C:\Users\Admin\AppData\Local\Temp\eoMG.exe

Filesize
122KB

MD5
5a0143aa6eccbfd13e54739c60285343

SHA1
1e76d7a8c415e3646aec5945bfbbc6451f38d222

SHA256
a2c9edaa385459825e0ce979a6418c1745f5d431f259b14a5b6f4f40e290ac41

SHA512
70c9e0c6aaee89e68bf4518919012008de63bcdf33b1269fedc268f9fe39bbf955919a5ac870670b255f9937b95fae4e42a3cc789ad9beeeb4fcdd6cd958f250

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gYoa.exe

Filesize
556KB

MD5
09453da6b61b305a7ae06ace15ea8d19

SHA1
00ee424d9deb8c2c37b16895df836a29039d9f64

SHA256
44d2743db0688f0d8b9963cd810f3e125787a590ac01e96f6fd05bba937b9e10

SHA512
7d4b06ea941a02393e9b66c26c7296990659b5950446460edcc16b84a20023b13384c75aed586b4f211dc60e2e09a36f516484fda17269d772c1b4ffc1a181d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\iMwG.exe

Filesize
111KB

MD5
a3f15491ff98f598fbfb3ce4586272e0

SHA1
a5d9bd0d6f7850a763303696dd7e9cd0d64130b2

SHA256
8c57ce93ddc32ce931305c7456918be10c93d2f30895188371f673b704796242

SHA512
68ae7f247da162242571895e096a874223f9397d73aa6767e50c63be66251ac758da662b3e972eea3dac36226e9b72f9a3131faf4472fccc3dcf8f682a6c0db6

Download Submit
C:\Users\Admin\AppData\Local\Temp\iscC.exe

Filesize
111KB

MD5
1a8b9d68527af446b01bc5b5d0c41c4b

SHA1
d65a8e2b332b12659b86f56bc1884693724e808e

SHA256
c6cb089d9a337878c5843f2b3dd5f4f2f73987e09bb61511cfaf00b9af086bad

SHA512
ab33fdc1fb1619ada00af9c8e1f54b58d4cce396b4a9009d50c84f0e93690cb6944f925c213b76432ec3d5d9699af34aa3f88e3e2a32cf19d7a80d2099fdaaa3

Download Submit
C:\Users\Admin\AppData\Local\Temp\kMMu.exe

Filesize
626KB

MD5
035c5ae3ee349e5f7f5a8c56b15c1063

SHA1
1379f8f89286fb33b3deab046bb116b817188b65

SHA256
47f8f288efd56625c22278ba275759f23f0e51a0aeea463d9f27e03263a3b132

SHA512
a538831fe7f4eeb402f6cd8e1fbe04102f060e16e82fe81c78effbc1e1dd009fcb2d71d61800094ed2db1e49f56427da73f90ceeed70f901b319f3aac7970ba1

Download Submit
C:\Users\Admin\AppData\Local\Temp\mAom.exe

Filesize
126KB

MD5
72357af51fe4cde1ad397a734dd78cfd

SHA1
9e5db2bbd8ecfa04e798d4883dfd57f5d9a9bd2a

SHA256
a98b614484ad5841bec153c86e18c67c6206ff951806152c0cf1c5f259f5041b

SHA512
1f70f87a4eef1acbd37121f4de816e33fd1c92f39c27b52c0e077c0f6031f987553c76d71035b7652545135120450c1d1677797c2d01d12c431545e8aa9a5b30

Download Submit
C:\Users\Admin\AppData\Local\Temp\mIEM.exe

Filesize
1.7MB

MD5
687c2c7b3d8c394faca36dfc98be5793

SHA1
8d2cccf93de413d382eec4633beb3f906c3168b8

SHA256
69184241da7828432a273a5ba6481ae6a9de57902e8eee9a1dceacc8271d459e

SHA512
42ced3962a434708713ff58eaac3b51d67a2a647d3f04ea543e0547328226422ad19800e7b6c69d7459302f87af8d185b43622393653f4e1d704c6ad7aca4905

Download Submit
C:\Users\Admin\AppData\Local\Temp\mkwu.exe

Filesize
766KB

MD5
1133f02f38b7478b3bb4aee94f6a0917

SHA1
7b99aef9be73961b1d2c448d6296b9e18ee4bbf4

SHA256
6273a0a0d6e883c4f7f9a52ca0305754b18c9fe5ac71772b2eaf8a11f9429845

SHA512
59d1c9239fc573723a959237ca5db3af46c6baa90a296f5c03b520b06ec5dcb3215dee16bb66753ac2c8d4dfb9d84664ade53f2f7b25ceea5b085c03c9651974

Download Submit
C:\Users\Admin\AppData\Local\Temp\oAUw.exe

Filesize
720KB

MD5
9cb0b3c976351a7fb81f24afaf63bb3f

SHA1
28d7340f5f0896e690cfde2d4f4d28deda107e78

SHA256
5c2e95c44a505fdfa5792fd2b3e973e2968638307e5b6db079b985e6aec62338

SHA512
1f371f7551247fb3aa1bae58b03fd7046652c8597b4f248d670686c92438300e11f2adc669dc4923dd9431e8f1ef5a3bf4b7d3d111e042a0db0cd09824f74452

Download Submit
C:\Users\Admin\AppData\Local\Temp\oAkk.exe

Filesize
112KB

MD5
456c7157bd353d451228bfbe6e35cc16

SHA1
5a73ef74356dbe57f9f163bae5e40866442997cf

SHA256
25d81aefa72343281d3b55df45339a8bfedcf18f8cff38291168492e806d22b4

SHA512
f4337fcad484744336049b78ee53175e0d1d28820de7000af39c50349899753ae94fab373019fe7ba99454c9a49751864dd02e7f9af51663d6b18e26acb46f17

Download Submit
C:\Users\Admin\AppData\Local\Temp\oIIE.exe

Filesize
119KB

MD5
76d01e5ed1fff22bab1ba0871f48e647

SHA1
db7c1bef1c229d5ed698862a9d11075f2761f49d

SHA256
2e388ca269722b44fdfd2b5a9d97737562ae7c733e6fd470a1c300f602d3e20e

SHA512
74ff3c7a54056303271ba8fbfb07a6a96a5d2a7f490086bba210c7c0439c261a476e7fb1c54dbb11baf1d958bb4f78002ec496b6cacd2d7443e1d97a1ba93624

Download Submit
C:\Users\Admin\AppData\Local\Temp\qYQA.exe

Filesize
114KB

MD5
c47b2d9f0b364d0ee1035f884f65697a

SHA1
3a59e4c410f1d7245d330c4793d5f5f07c3ded4f

SHA256
46fa700d5ffa4a298cecca91c35dfa68f7c0b3ebfbffcebdc36f187c38d653b4

SHA512
5a8c8f0b3892689ecbc79bfe7626c717868a8b56826e27808b50a1f0f9738ee25a4ecfc3006183cd2b1cc915d32003c160c0b636ab59d034a2504509ed7e7af2

Download Submit
C:\Users\Admin\AppData\Local\Temp\qsIg.exe

Filesize
109KB

MD5
8ff2e773d03c593060ffa5a2ceba2df2

SHA1
376454ae3a63841cdc7c195f3d50948080c82ab2

SHA256
1971bb80655c2f684e03c13db5e04069c650a8fa878f331dbce8d8b9763d6e6e

SHA512
730834b3f8322098b5097a525135190a04b6e7faf005aa35eda0f0851e0fb6868a2ec82b76b986d942598e0ee636c491ebe9d279dd888ef1bba0b32ff53f47fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\skwO.exe

Filesize
606KB

MD5
18f202cb35945466301eacc060ce5f45

SHA1
f519dd24655463c9e0cbc94da82c8370c3ae7e0c

SHA256
28c099bd9f6c9de058d780864a4d1c7622877dc945d902d6856c7b5f6f1aea24

SHA512
2480df021749b18fd676b2166ada1e9555d5d972a1336985e21e86d5fb431c7d69ca44a6ac87eb065722d71e8ff3ccb0b9a1228e15f9d1605788e90bcaf34e73

Download Submit
C:\Users\Admin\AppData\Local\Temp\uEgy.exe

Filesize
566KB

MD5
f2641146a11ce226afb50f50f0e2a62f

SHA1
2e36eeeabc966964024e387b2e5a318fd5a1f091

SHA256
44e1a91717f5489c39918473ea9a5c316601de06deda30238cc58b6d442d95e6

SHA512
17a6aa2da36cb1e5f34864badb5ac7d56ac96fe66c45a7352935f317598e3716d4c88b72da34ee338709e0a0e74ebdb789dd2bd1855d3344a7da7cb47d263709

Download Submit
C:\Users\Admin\AppData\Local\Temp\uQks.exe

Filesize
964KB

MD5
9a8d9c38c2d8a3feb491111546f4d8ed

SHA1
9c710f79073d4385f1262cc80128a6779d6de1d9

SHA256
e101a9f7d77e93843ea96b2f7321ccbb54b85f99fd7578a2d62276e56f358b4e

SHA512
1bd270d44beb65abd8ef05adc283353b757ad8e2b5ab86fe24f477c8c731cfa4faac31ffc73c14eaef92530e54a9be737e74713cd1aeb962f5baffd18e0b4b73

Download Submit
C:\Users\Admin\AppData\Local\Temp\uUcA.exe

Filesize
112KB

MD5
23e1a662821498295001fd9977efd6f4

SHA1
b7cb1e7e0ea1c3dccac2d84fbe6d642fa0946ffb

SHA256
782b68f0c63b21da2f36f86b42ba8b6c7a97bdbc6d672c3b74e798f80232e691

SHA512
c7009fda10f6516066b446feccab88b7fca441ad9fc4eb718b4f1f47fa97ccccc27c91ce833295687e97fe668163d31412f577196629e266453e4e752a947d72

Download Submit
C:\Users\Admin\AppData\Local\Temp\usAC.exe

Filesize
122KB

MD5
1b231b37cfd126f46c508a4e0e0bc4d0

SHA1
579267339ad156c151ab8753169ae60babc13461

SHA256
ce05a29047de0dbd74469b1d32b1a2d354fa42fd559a968f0d494f418bed6d5e

SHA512
ddcb17513790dfee29ce3576e65c6e192f3db2d271baecb36b140ccd94e91dcb0fba79fadec2fe85db8f7fb7b113e5c5bb3bb8f0d7f852b017cac3b1933f4375

Download Submit
C:\Users\Admin\AppData\Local\Temp\wAEc.exe

Filesize
113KB

MD5
86d383dfefec04629712d6c50b9cd83f

SHA1
d176bdaadd82abbdfeb5d8d4a977697d23306564

SHA256
168070db66af5359ae389528552e21cf7fdf06720415111509389627d37726a4

SHA512
147d53192d13f8809295da4212702d92616050f50ad022a8387e3e3a52cc01b2d3984b6c09b31df0daf83613c453544a8c07102c7c2e07803c82bfaeb1ca1ae8

Download Submit
C:\Users\Admin\AppData\Local\Temp\wMUe.exe

Filesize
111KB

MD5
b76abb03f28f3591940d94f439d70967

SHA1
48d9da43287b1f6109303bc78c890af4cc5ad806

SHA256
696c78f9d5f20627b4dddbc989b99a56056aca7c944ffe4b9fc87b34cd9e4f6c

SHA512
5cd5abd86b12f68681e337cb6afe0e03d6b8ba25c24b29e1f58bb45906ef9c348018546971bf7c0fb6bb6f9394ccfb3a420385cce223e8f12eb8f52bfb2da760

Download Submit
C:\Users\Admin\AppData\Local\Temp\wMgG.exe

Filesize
111KB

MD5
e8e0b33112b4be81b3c24b23ca28e07e

SHA1
923fa95125b077776c1cacdd68813855b68291e9

SHA256
710062dfba87310700edcfcb6427d13e27d45ed24efa06157b2b6274f25a2087

SHA512
8216dde596f03c9248946375446b5c170077c89bb3da218c99c017b03556615ff3dd14ec366165b34f588addbb9d0bf06c29edf0e94456974696eb20ce51a4c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\wMgm.exe

Filesize
111KB

MD5
07d0c2590a7e07d9f501db9945871cf1

SHA1
bd7cf9f00b1d3ea431cad94a6f4ec4c5095b34d1

SHA256
741ab1491dadd0f9852b95380c7d72e3071fb791077a34a85206960b984ccc74

SHA512
352bdc9cde7663d08337222e45f840bef35556b3a5d9af65affb9e118fabec50f1552ea3a80f97ef0673c9745f996ad2d18d33e5ef4cc917d79576e02dfbeb1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wQwQ.exe

Filesize
565KB

MD5
52cd58006bd9b71ada4c695dc829b6f4

SHA1
61e22c898f404d713320077ff107b169c2391ce9

SHA256
13967d94c574f5a75a1995c118847d041076d4624ac8919d35d1fc631255ba13

SHA512
ec4e6879dfc5c54ada0c33067fc2e5ba8bb8465cc7cd161775c55533ce006d11bcd42aeb545a1945d3cfab2ce8869b6c9ced7167ea1f850fe33db44950160777

Download Submit
C:\Users\Admin\AppData\Local\Temp\wUII.exe

Filesize
113KB

MD5
68dbff4a16a46048f4941d02d865a16f

SHA1
00214e51b8b3e930e4ee367df0c91ab1aa808d8b

SHA256
4a9ab11a2a8b29c9bead9fd796c7001c78ac41d0d1bf62d970036823b4d8ffc6

SHA512
f3e457165b2832a3dc16d23b6e116ce128bb5fb373837a90cd82dadd54e6697082fce714a5a226f9c0836c0512574a80d14da91940317b74e6e3451927320ebc

Download Submit
C:\Users\Admin\AppData\Local\Temp\wUQA.exe

Filesize
112KB

MD5
0fa24cc7fa226e2bcbf0acc41a5d370d

SHA1
18f5c89ec12eac204044ae80e945ea97b80e0b3c

SHA256
a27e54e0b5ec5d93b4e895147214b6e4fc09207084cb79d850163893a25bcf0c

SHA512
4cfbf01e780b8d4b07de6326b6a54cdff63ad23bc298610d2ce050b5e7253d7ce07cf995870da9eca2633ac8fddb62c0b836cf865408090b685fa665c2bd54d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\wsgs.exe

Filesize
485KB

MD5
03e84eb96f21348c1fcf269e088e9c67

SHA1
1e35606ed3f241908cf28214d0b2f91171f931c5

SHA256
e169b091360abcd643e9e79b44bb230f05c12df3cf14717f36cd71a48fb107ec

SHA512
76301ae28b19a274710f96040d52e09541086dc96b45cc1d041014bfd49b9cd5fb01dc86d237298d93e277273f2fe14e62f36e062d3e3aa3255df0bcf7a47078

Download Submit
C:\Users\Admin\AppData\Local\Temp\yEwK.exe

Filesize
154KB

MD5
72b20b4d9f435dee821c564c87547be7

SHA1
5c9e47342360dff298d9ecc8878a5343fa6b806c

SHA256
8139c1db7729c4dfe34f85702c88a8cc95f12022a3c6d28c2b1c80da941e3672

SHA512
7a2ab7a9e5b942d810c061234e7de294a372544d92b5d8b3683246b0d63d2e93d4235e1b6f879be8ae4f3e0240f7ea4539f0b67a5a082a8aa92f2324e29ff182

Download Submit
C:\Users\Admin\AppData\Local\Temp\ycQu.exe

Filesize
548KB

MD5
a24a048b58f5b5ebf1f5c5ddb694003a

SHA1
84ac25c8b2ac54b569db01f0444b99f9ea939804

SHA256
b9ce556d6d80d93f419d779441ab4fdc7ed134a57760a1293032da384aafee11

SHA512
439720ad65a75065f4f9387d5e99ef2636a260797fb4ed349670fb80f28a966b989d16e6fea6896457d23fe6f5974740170b0e4a4b288ffa9af71d7176aeec17

Download Submit
C:\Users\Admin\AppData\Local\Temp\ywEs.exe

Filesize
236KB

MD5
b84a693433cd94cab5a62972d4a3767d

SHA1
f9f045e45f91fd9c7d78837e7cd956c19bed13df

SHA256
4c904d498c86616dce34aeaec2bf8a1bae7a1f5e679596b36ec926aee8f1b357

SHA512
f9b2226ec94bb22281a1e8945b545b25e7d883bc0ae9b84da8d74a8883e2da541cf37ce8b6cc89794f1cd3e772715c05c87cb5115ae6d8995a6356c15dd52b22

Download Submit
C:\Users\Admin\HEEgQcEE\DWMgscMs.exe

Filesize
109KB

MD5
ce72c24cb59714190642020a3a7057ca

SHA1
4960488b10936cfb20045a3be98311e95f2e1dab

SHA256
845a8066ca4bff2464a49a0d3d4fa3b56827774b1876374956e0e9929b92c146

SHA512
4029a1ab3324b0264af7cf477d56edd088abbef1dfeec5600d7dc294a2b68a3a3bf59a1c6428597b593b6a7eb56519ba037df195071ee31b9b0fd30c190f4f22

Download Submit
C:\Users\Admin\Pictures\UnblockWrite.jpg.exe

Filesize
574KB

MD5
56b5d82d14fe522cabb5bfdef8e81fd4

SHA1
dcaa85c557445e102c5fcb74adddf8f80a9f0341

SHA256
2588c0a4c629d1c3e3dceaa2d5c8d5d302223ef9ca9dca2640340f114603be62

SHA512
7b53892e90fec15d7bfa45d818b8c5eaa0fc657373debb7de1c167ed93ae11b6321931e61671a479fce2684921342fcd50330b0dc0f6104ced63e1c171f81f76

Download Submit
memory/64-189-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/64-174-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/228-1168-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/512-434-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/544-178-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/700-1256-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/700-1197-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/800-96-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/856-235-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/856-224-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/896-257-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/896-249-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/948-383-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/948-393-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/1392-467-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/1392-459-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/1408-15-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1488-282-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/1540-888-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/1752-291-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/1752-284-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/1768-366-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/2116-560-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/2172-315-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/2276-200-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/2308-1068-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/2308-1001-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/2392-20-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/2392-0-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/2480-53-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/2584-246-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/2596-358-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/2624-31-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/2624-16-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/2832-66-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/2832-56-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/2936-131-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/2936-120-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/2968-142-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/2976-299-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/3024-674-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/3032-85-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/3148-492-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/3172-401-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/3172-392-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/3172-442-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/3248-274-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/3476-715-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/3476-656-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/3504-458-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/3644-350-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/3644-426-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/3644-774-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/3644-342-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/3644-418-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/3936-108-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/3936-97-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/3972-483-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/4204-1104-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/4276-154-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/4276-143-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/4440-954-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/4440-903-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/4500-556-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/4500-623-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/4508-42-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/4532-332-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/4532-523-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/4532-325-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/4652-417-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/4652-375-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/4712-475-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/4760-384-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/4760-371-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/4772-212-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/4772-223-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/4780-1018-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/4804-409-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/4832-258-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/4832-266-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/4840-500-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/4840-488-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/4896-323-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/4904-155-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/4904-166-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/4904-450-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/4912-824-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/4928-12-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/4936-119-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/4936-307-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/4960-211-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/4976-1325-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/5024-341-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/5024-333-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/5096-65-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/5096-74-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download