36a8ed42def4507a81b435292ad20bb61c6a2d54374747b18599df5a7a76b696

Analysis

max time kernel
150s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2024, 18:34

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
Size

116KB
MD5

ed70fb782a4e3b26dd15b305ab4bc759
SHA1

05dc573207379f0fbe568d882fb1bd5d2d0f7300
SHA256

36a8ed42def4507a81b435292ad20bb61c6a2d54374747b18599df5a7a76b696
SHA512

e7d0801c9f6a87e29b4569114a4d1b1fd70b016922c778223633772d6f07964ebdebfb12b9cfc4f1d8a148d15d9d32b0d1d80b0d4ba378d053e49897f1db9df3
SSDEEP

3072:CbpAVdYIYQA2CKkJli8pBVWBb9u55OdjH:CICKGrpUk550

Score

10^/10

discovery evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (88) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	vkIIUwcc.exe

Executes dropped EXE 2 IoCs

pid	Process
1800	lMgYUsME.exe
3460	vkIIUwcc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lMgYUsME.exe = "C:\\Users\\Admin\\XmoQUcEc\\lMgYUsME.exe"	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vkIIUwcc.exe = "C:\\ProgramData\\jqIEEkkY\\vkIIUwcc.exe"	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vkIIUwcc.exe = "C:\\ProgramData\\jqIEEkkY\\vkIIUwcc.exe"	vkIIUwcc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lMgYUsME.exe = "C:\\Users\\Admin\\XmoQUcEc\\lMgYUsME.exe"	lMgYUsME.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\shell32.dll.exe	vkIIUwcc.exe
File opened for modification	C:\Windows\SysWOW64\shell32.dll.exe	vkIIUwcc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vkIIUwcc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
1720	reg.exe
2084	reg.exe
632	reg.exe
312	reg.exe
548	reg.exe
1784	reg.exe
1524	reg.exe
2352	reg.exe
4704	reg.exe
1100	reg.exe
4540	reg.exe
1556	reg.exe
1920	reg.exe
2540	reg.exe
2188	reg.exe
4104	reg.exe
2016	reg.exe
2092	reg.exe
4540	reg.exe
828	reg.exe
1084	reg.exe
1932	reg.exe
3192	reg.exe
4780	reg.exe
1828	reg.exe
916	reg.exe
8	reg.exe
3576	reg.exe
4228	reg.exe
2820	reg.exe
2840	reg.exe
3900	reg.exe
4508	reg.exe
4476	reg.exe
3456	reg.exe
4248	reg.exe
2476	reg.exe
2884	reg.exe
4224	reg.exe
220	reg.exe
4068	reg.exe
2820	reg.exe
944	reg.exe
1416	reg.exe
3504	reg.exe
760	reg.exe
2256	reg.exe
4192	reg.exe
2752	reg.exe
2016	reg.exe
3904	reg.exe
3548	reg.exe
3616	reg.exe
1440	reg.exe
3728	reg.exe
4400	reg.exe
3676	reg.exe
3836	reg.exe
4824	reg.exe
4740	reg.exe
2860	reg.exe
3212	reg.exe
2352	reg.exe
4956	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2632	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
2632	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
2632	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
2632	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
2356	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
2356	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
2356	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
2356	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
3076	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
3076	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
3076	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
3076	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
876	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
876	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
876	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
876	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
452	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
452	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
452	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
452	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
2452	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
2452	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
2452	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
2452	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
1304	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
1304	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
1304	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
1304	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
5020	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
5020	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
5020	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
5020	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
2180	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
2180	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
2180	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
2180	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
2968	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
2968	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
2968	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
2968	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
5068	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
5068	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
5068	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
5068	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
1100	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
1100	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
1100	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
1100	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
4308	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
4308	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
4308	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
4308	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
4704	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
4704	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
4704	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
4704	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
1296	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
1296	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
1296	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
1296	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
3792	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
3792	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
3792	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
3792	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3460	vkIIUwcc.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3460	vkIIUwcc.exe
3460	vkIIUwcc.exe
3460	vkIIUwcc.exe
3460	vkIIUwcc.exe
3460	vkIIUwcc.exe
3460	vkIIUwcc.exe
3460	vkIIUwcc.exe
3460	vkIIUwcc.exe
3460	vkIIUwcc.exe
3460	vkIIUwcc.exe
3460	vkIIUwcc.exe
3460	vkIIUwcc.exe
3460	vkIIUwcc.exe
3460	vkIIUwcc.exe
3460	vkIIUwcc.exe
3460	vkIIUwcc.exe
3460	vkIIUwcc.exe
3460	vkIIUwcc.exe
3460	vkIIUwcc.exe
3460	vkIIUwcc.exe
3460	vkIIUwcc.exe
3460	vkIIUwcc.exe
3460	vkIIUwcc.exe
3460	vkIIUwcc.exe
3460	vkIIUwcc.exe
3460	vkIIUwcc.exe
3460	vkIIUwcc.exe
3460	vkIIUwcc.exe
3460	vkIIUwcc.exe
3460	vkIIUwcc.exe
3460	vkIIUwcc.exe
3460	vkIIUwcc.exe
3460	vkIIUwcc.exe
3460	vkIIUwcc.exe
3460	vkIIUwcc.exe
3460	vkIIUwcc.exe
3460	vkIIUwcc.exe
3460	vkIIUwcc.exe
3460	vkIIUwcc.exe
3460	vkIIUwcc.exe
3460	vkIIUwcc.exe
3460	vkIIUwcc.exe
3460	vkIIUwcc.exe
3460	vkIIUwcc.exe
3460	vkIIUwcc.exe
3460	vkIIUwcc.exe
3460	vkIIUwcc.exe
3460	vkIIUwcc.exe
3460	vkIIUwcc.exe
3460	vkIIUwcc.exe
3460	vkIIUwcc.exe
3460	vkIIUwcc.exe
3460	vkIIUwcc.exe
3460	vkIIUwcc.exe
3460	vkIIUwcc.exe
3460	vkIIUwcc.exe
3460	vkIIUwcc.exe
3460	vkIIUwcc.exe
3460	vkIIUwcc.exe
3460	vkIIUwcc.exe
3460	vkIIUwcc.exe
3460	vkIIUwcc.exe
3460	vkIIUwcc.exe
3460	vkIIUwcc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2632 wrote to memory of 1800	2632	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe	82
PID 2632 wrote to memory of 1800	2632	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe	82
PID 2632 wrote to memory of 1800	2632	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe	82
PID 2632 wrote to memory of 3460	2632	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe	83
PID 2632 wrote to memory of 3460	2632	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe	83
PID 2632 wrote to memory of 3460	2632	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe	83
PID 2632 wrote to memory of 1132	2632	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe	84
PID 2632 wrote to memory of 1132	2632	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe	84
PID 2632 wrote to memory of 1132	2632	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe	84
PID 2632 wrote to memory of 4508	2632	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe	86
PID 2632 wrote to memory of 4508	2632	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe	86
PID 2632 wrote to memory of 4508	2632	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe	86
PID 2632 wrote to memory of 4540	2632	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe	87
PID 2632 wrote to memory of 4540	2632	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe	87
PID 2632 wrote to memory of 4540	2632	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe	87
PID 2632 wrote to memory of 4564	2632	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe	88
PID 2632 wrote to memory of 4564	2632	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe	88
PID 2632 wrote to memory of 4564	2632	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe	88
PID 2632 wrote to memory of 1096	2632	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe	89
PID 2632 wrote to memory of 1096	2632	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe	89
PID 2632 wrote to memory of 1096	2632	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe	89
PID 1132 wrote to memory of 2356	1132	cmd.exe	94
PID 1132 wrote to memory of 2356	1132	cmd.exe	94
PID 1132 wrote to memory of 2356	1132	cmd.exe	94
PID 1096 wrote to memory of 1188	1096	cmd.exe	95
PID 1096 wrote to memory of 1188	1096	cmd.exe	95
PID 1096 wrote to memory of 1188	1096	cmd.exe	95
PID 2356 wrote to memory of 3372	2356	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe	96
PID 2356 wrote to memory of 3372	2356	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe	96
PID 2356 wrote to memory of 3372	2356	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe	96
PID 2356 wrote to memory of 2180	2356	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe	98
PID 2356 wrote to memory of 2180	2356	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe	98
PID 2356 wrote to memory of 2180	2356	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe	98
PID 2356 wrote to memory of 1340	2356	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe	99
PID 2356 wrote to memory of 1340	2356	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe	99
PID 2356 wrote to memory of 1340	2356	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe	99
PID 2356 wrote to memory of 1716	2356	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe	100
PID 2356 wrote to memory of 1716	2356	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe	100
PID 2356 wrote to memory of 1716	2356	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe	100
PID 2356 wrote to memory of 3852	2356	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe	101
PID 2356 wrote to memory of 3852	2356	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe	101
PID 2356 wrote to memory of 3852	2356	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe	101
PID 3372 wrote to memory of 3076	3372	cmd.exe	106
PID 3372 wrote to memory of 3076	3372	cmd.exe	106
PID 3372 wrote to memory of 3076	3372	cmd.exe	106
PID 3852 wrote to memory of 4420	3852	cmd.exe	107
PID 3852 wrote to memory of 4420	3852	cmd.exe	107
PID 3852 wrote to memory of 4420	3852	cmd.exe	107
PID 3076 wrote to memory of 3996	3076	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe	108
PID 3076 wrote to memory of 3996	3076	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe	108
PID 3076 wrote to memory of 3996	3076	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe	108
PID 3076 wrote to memory of 3904	3076	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe	110
PID 3076 wrote to memory of 3904	3076	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe	110
PID 3076 wrote to memory of 3904	3076	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe	110
PID 3076 wrote to memory of 4504	3076	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe	111
PID 3076 wrote to memory of 4504	3076	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe	111
PID 3076 wrote to memory of 4504	3076	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe	111
PID 3076 wrote to memory of 3192	3076	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe	112
PID 3076 wrote to memory of 3192	3076	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe	112
PID 3076 wrote to memory of 3192	3076	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe	112
PID 3076 wrote to memory of 1680	3076	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe	113
PID 3076 wrote to memory of 1680	3076	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe	113
PID 3076 wrote to memory of 1680	3076	20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe	113
PID 3996 wrote to memory of 876	3996	cmd.exe	118

C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
"C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2632
- C:\Users\Admin\XmoQUcEc\lMgYUsME.exe
  "C:\Users\Admin\XmoQUcEc\lMgYUsME.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1800
- C:\ProgramData\jqIEEkkY\vkIIUwcc.exe
  "C:\ProgramData\jqIEEkkY\vkIIUwcc.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:3460
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1132
- - C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
    C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2356
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3372
    - - C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3076
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3996
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        8⤵
        
        PID:2820
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        10⤵
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        12⤵
        
        PID:1792
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        14⤵
        
        PID:4484
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        16⤵
        
        PID:2404
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        18⤵
        
        PID:732
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        20⤵
        
        PID:1556
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        22⤵
        
        PID:3524
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        24⤵
        
        PID:4224
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        26⤵
        
        PID:1500
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        28⤵
        
        PID:2064
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        29⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        30⤵
        
        PID:2756
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        32⤵
        
        PID:4376
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        33⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        34⤵
        
        PID:2068
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        35⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        36⤵
        System Location Discovery: System Language Discovery
        
        PID:2396
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        37⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        38⤵
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        39⤵
        System Location Discovery: System Language Discovery
        
        PID:1728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        40⤵
        
        PID:3632
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        41⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        42⤵
        System Location Discovery: System Language Discovery
        
        PID:1860
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        43⤵
        
        PID:3440
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        43⤵
        
        PID:740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        44⤵
        
        PID:1212
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        45⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        46⤵
        System Location Discovery: System Language Discovery
        
        PID:1200
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        47⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        48⤵
        
        PID:3368
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        49⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        50⤵
        
        PID:4884
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        51⤵
        
        PID:612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        52⤵
        
        PID:3704
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        53⤵
        
        PID:944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        54⤵
        
        PID:3816
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        55⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        56⤵
        System Location Discovery: System Language Discovery
        
        PID:1768
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        57⤵
        
        PID:4340
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        57⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        58⤵
        
        PID:2496
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        59⤵
        System Location Discovery: System Language Discovery
        
        PID:3428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        60⤵
        
        PID:4584
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        61⤵
        
        PID:3200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        62⤵
        
        PID:3372
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        63⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        64⤵
        
        PID:2024
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        65⤵
        System Location Discovery: System Language Discovery
        
        PID:3836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        66⤵
        
        PID:2828
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        67⤵
        
        PID:1744
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        67⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        68⤵
        
        PID:1596
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        69⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        70⤵
        
        PID:1092
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        71⤵
        
        PID:3084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        72⤵
        
        PID:4584
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        73⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        74⤵
        
        PID:2756
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        75⤵
        
        PID:3356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        76⤵
        
        PID:4776
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        77⤵
        
        PID:964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        78⤵
        
        PID:2828
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        79⤵
        
        PID:1340
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        79⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        80⤵
        System Location Discovery: System Language Discovery
        
        PID:3076
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        81⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        82⤵
        
        PID:4452
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        83⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        84⤵
        System Location Discovery: System Language Discovery
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        85⤵
        
        PID:4088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        86⤵
        
        PID:208
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        87⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        88⤵
        
        PID:3804
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        89⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        90⤵
        System Location Discovery: System Language Discovery
        
        PID:4068
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        91⤵
        
        PID:644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        92⤵
        
        PID:3080
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        93⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        94⤵
        
        PID:1396
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        95⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        96⤵
        System Location Discovery: System Language Discovery
        
        PID:2008
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        97⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        98⤵
        
        PID:2480
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        99⤵
        
        PID:940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        100⤵
        
        PID:4452
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        101⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        102⤵
        
        PID:1128
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        103⤵
        
        PID:1136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        104⤵
        
        PID:3704
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        105⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        106⤵
        
        PID:4104
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        107⤵
        
        PID:4224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        108⤵
        System Location Discovery: System Language Discovery
        
        PID:4120
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        109⤵
        
        PID:4780
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        109⤵
        
        PID:3216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        110⤵
        System Location Discovery: System Language Discovery
        
        PID:3792
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        111⤵
        
        PID:3456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        112⤵
        
        PID:3472
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        113⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        114⤵
        
        PID:4320
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        115⤵
        System Location Discovery: System Language Discovery
        
        PID:4312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        116⤵
        
        PID:4780
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        117⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        118⤵
        
        PID:2748
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        119⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        120⤵
        
        PID:4552
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        121⤵
        
        PID:2068
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        121⤵
        
        PID:1168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        122⤵
        
        PID:5004
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        123⤵
        
        PID:3352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        124⤵
        
        PID:4060
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        125⤵
        
        PID:4324
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        125⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        126⤵
        
        PID:4540
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        127⤵
        System Location Discovery: System Language Discovery
        
        PID:4884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        128⤵
        
        PID:2544
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        129⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        130⤵
        
        PID:5008
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        131⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        132⤵
        System Location Discovery: System Language Discovery
        
        PID:4340
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        133⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        134⤵
        
        PID:2200
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        135⤵
        
        PID:3792
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        135⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        136⤵
        
        PID:1860
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        137⤵
        
        PID:3468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        138⤵
        System Location Discovery: System Language Discovery
        
        PID:5020
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        139⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        140⤵
        
        PID:968
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        141⤵
        
        PID:3076
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        141⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        142⤵
        System Location Discovery: System Language Discovery
        
        PID:1340
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        143⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        144⤵
        
        PID:2160
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        145⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        146⤵
        
        PID:1056
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        147⤵
        
        PID:4468
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        147⤵
        
        PID:4792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        148⤵
        
        PID:1220
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        149⤵
        
        PID:2756
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        149⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        150⤵
        
        PID:884
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        151⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        152⤵
        
        PID:3704
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        153⤵
        
        PID:1168
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        153⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        154⤵
        
        PID:4456
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        155⤵
        
        PID:2496
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        155⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        156⤵
        
        PID:2336
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        157⤵
        
        PID:2752
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        157⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        158⤵
        
        PID:836
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        159⤵
        
        PID:2656
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        159⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        160⤵
        
        PID:4296
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        161⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        162⤵
        
        PID:1304
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        163⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        164⤵
        
        PID:3472
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        165⤵
        
        PID:3440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        166⤵
        
        PID:2440
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        167⤵
        
        PID:940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        168⤵
        
        PID:2336
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        169⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        170⤵
        
        PID:3024
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        171⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        172⤵
        
        PID:1296
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        173⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        174⤵
        
        PID:3808
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        175⤵
        
        PID:3952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        176⤵
        
        PID:1220
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        177⤵
        
        PID:968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        178⤵
        
        PID:2296
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        179⤵
        
        PID:2440
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        179⤵
        
        PID:4876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        180⤵
        
        PID:3040
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        181⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        182⤵
        
        PID:836
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        183⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock"
        184⤵
        
        PID:4992
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock
        185⤵
        
        PID:3088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        186⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2016
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        187⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        186⤵
        
        PID:3084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        186⤵
        UAC bypass
        Modifies registry key
        
        PID:4824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        184⤵
        Modifies registry key
        
        PID:4228
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        185⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        184⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        184⤵
        UAC bypass
        Modifies registry key
        
        PID:1932
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        185⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OUwIkcQw.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        184⤵
        
        PID:720
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        185⤵
        
        PID:3252
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        185⤵
        
        PID:3568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        182⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3008
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        183⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        182⤵
        
        PID:3420
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        183⤵
        
        PID:884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        182⤵
        UAC bypass
        
        PID:5112
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        183⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iAAEMUgo.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        182⤵
        System Location Discovery: System Language Discovery
        
        PID:2452
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        183⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        183⤵
        System Location Discovery: System Language Discovery
        
        PID:3376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        180⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        180⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        180⤵
        UAC bypass
        
        PID:4224
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        181⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nsYYQAgM.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        180⤵
        
        PID:1212
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        181⤵
        
        PID:876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        178⤵
        Modifies registry key
        
        PID:4068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        178⤵
        Modifies registry key
        
        PID:3836
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        179⤵
        
        PID:1200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        178⤵
        UAC bypass
        
        PID:3972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nisAgIsg.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        178⤵
        
        PID:2500
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        179⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        179⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        176⤵
        System Location Discovery: System Language Discovery
        
        PID:1180
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        177⤵
        
        PID:3924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        176⤵
        
        PID:2800
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        177⤵
        
        PID:4104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        176⤵
        
        PID:3000
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        177⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\liMAcwwM.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        176⤵
        
        PID:2476
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        177⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        177⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        174⤵
        
        PID:1932
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        175⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        174⤵
        
        PID:4768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        174⤵
        UAC bypass
        
        PID:4060
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        175⤵
        
        PID:3308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SmksIUsU.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        174⤵
        System Location Discovery: System Language Discovery
        
        PID:2108
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        175⤵
        
        PID:632
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        175⤵
        System Location Discovery: System Language Discovery
        
        PID:4292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        172⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5112
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        173⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        172⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        172⤵
        
        PID:3008
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        173⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gykYAwIQ.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        172⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        173⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        170⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2656
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        171⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        170⤵
        
        PID:2220
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        171⤵
        
        PID:3668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        170⤵
        UAC bypass
        
        PID:2636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AYoQIAUI.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        170⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        171⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        168⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3832
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        169⤵
        
        PID:3156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        168⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        168⤵
        UAC bypass
        
        PID:2868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DKIcAkkc.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        168⤵
        
        PID:916
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        169⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        169⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        166⤵
        
        PID:944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        166⤵
        Modifies registry key
        
        PID:4104
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        167⤵
        
        PID:4088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        166⤵
        UAC bypass
        
        PID:1660
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        167⤵
        
        PID:312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xOcMcAcA.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        166⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        167⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        164⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        164⤵
        
        PID:212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        164⤵
        UAC bypass
        
        PID:632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZUUYwEow.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        164⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        165⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        162⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        162⤵
        Modifies registry key
        
        PID:1416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        162⤵
        UAC bypass
        
        PID:4992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YaAAUQwo.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        162⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        163⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        160⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        160⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        160⤵
        Modifies registry key
        
        PID:548
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        161⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iIgscYUg.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        160⤵
        
        PID:4896
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        161⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        161⤵
        
        PID:4184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        158⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2188
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        159⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        158⤵
        
        PID:4784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        158⤵
        Modifies registry key
        
        PID:916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YyEMsIYk.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        158⤵
        
        PID:1108
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        159⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        159⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        156⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        156⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        156⤵
        UAC bypass
        Modifies registry key
        
        PID:312
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        157⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kuoscwkA.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        156⤵
        
        PID:968
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        157⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        157⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        154⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4160
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        155⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        154⤵
        Modifies registry key
        
        PID:3676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        154⤵
        UAC bypass
        
        PID:3252
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        155⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fSsUMsEI.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        154⤵
        System Location Discovery: System Language Discovery
        
        PID:4768
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        155⤵
        
        PID:3868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        152⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        152⤵
        
        PID:4184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        152⤵
        UAC bypass
        Modifies registry key
        
        PID:1100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tMwkwgcs.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        152⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        153⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        150⤵
        
        PID:1236
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        151⤵
        
        PID:760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        150⤵
        
        PID:32
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        151⤵
        
        PID:3200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        150⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hIsgEIIU.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        150⤵
        
        PID:3648
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        151⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        151⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        148⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        148⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        148⤵
        UAC bypass
        Modifies registry key
        
        PID:2752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iasckIIo.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        148⤵
        
        PID:1336
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        149⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        149⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        146⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        146⤵
        Modifies registry key
        
        PID:2540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        146⤵
        UAC bypass
        
        PID:2636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iYQgcswE.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        146⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        147⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        144⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:4616
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        145⤵
        
        PID:1312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        144⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        144⤵
        UAC bypass
        
        PID:4848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OyckIEoI.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        144⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        145⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        142⤵
        Modifies registry key
        
        PID:944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        142⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        142⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HGcEEsQs.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        142⤵
        
        PID:3644
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        143⤵
        
        PID:3456
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        143⤵
        
        PID:32
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        140⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2988
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        141⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        140⤵
        Modifies registry key
        
        PID:1084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        140⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xcocAYok.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        140⤵
        
        PID:3448
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        141⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        138⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        138⤵
        Modifies registry key
        
        PID:828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        138⤵
        System Location Discovery: System Language Discovery
        
        PID:4960
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        139⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MoIIwAQc.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        138⤵
        System Location Discovery: System Language Discovery
        
        PID:4456
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        139⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        139⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        136⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4608
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        137⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        136⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        136⤵
        
        PID:3252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iEsgwAsQ.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        136⤵
        System Location Discovery: System Language Discovery
        
        PID:400
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        137⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        134⤵
        
        PID:4360
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        135⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        134⤵
        
        PID:3308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        134⤵
        
        PID:3352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\raIoEUYo.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        134⤵
        
        PID:5068
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        135⤵
        
        PID:1088
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        135⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        132⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        132⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        132⤵
        UAC bypass
        
        PID:1476
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        133⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JoQgkogs.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        132⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        133⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        UAC bypass
        
        PID:4484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JaEIQMoQ.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        130⤵
        
        PID:1768
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        131⤵
        
        PID:3664
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        131⤵
        System Location Discovery: System Language Discovery
        
        PID:1556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        
        PID:1200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        UAC bypass
        
        PID:2740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yGIkAoow.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        128⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        129⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2800
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        127⤵
        
        PID:1396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        UAC bypass
        Modifies registry key
        
        PID:4248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uEkQEUEM.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        126⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:2608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        Modifies registry key
        
        PID:4704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GSQgMAoQ.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        124⤵
        
        PID:3156
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        System Location Discovery: System Language Discovery
        
        PID:632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        
        PID:3836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NaAgogYU.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        122⤵
        
        PID:1312
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:3568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        Modifies registry key
        
        PID:2352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        Modifies registry key
        
        PID:3576
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        121⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lccoYIsA.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        120⤵
        
        PID:1108
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:3924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1720
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        119⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        System Location Discovery: System Language Discovery
        
        PID:1088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        UAC bypass
        
        PID:1636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XAoQQgUU.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        118⤵
        
        PID:3728
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:4400
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        117⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        
        PID:3912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nowckYgc.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        116⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:4088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:884
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        115⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UMIkcgco.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        114⤵
        
        PID:4452
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:3440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        
        PID:3076
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        113⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        
        PID:3384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CEMAMQsk.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        112⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        
        PID:3912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        UAC bypass
        Modifies registry key
        
        PID:1556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mUQUYYEA.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        110⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        Modifies registry key
        
        PID:2352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LCYcoYgs.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        108⤵
        System Location Discovery: System Language Discovery
        
        PID:1648
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        109⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:4540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        Modifies registry key
        
        PID:632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JWQwUgwk.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        106⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:3668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        
        PID:4608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        Modifies registry key
        
        PID:220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jyUgkMgE.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        104⤵
        
        PID:2172
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        105⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        UAC bypass
        
        PID:2864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pGoIYYgc.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        102⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1472
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        101⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        Modifies registry key
        
        PID:760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        UAC bypass
        
        PID:3088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WCYQwQcA.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        100⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        UAC bypass
        
        PID:1852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UkgQYwUo.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        98⤵
        
        PID:3200
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:3440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        UAC bypass
        
        PID:1416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fIkMIMMU.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        96⤵
        
        PID:3792
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:3456
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        95⤵
        
        PID:3356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        UAC bypass
        
        PID:4376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HOQscAsc.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        94⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        System Location Discovery: System Language Discovery
        
        PID:392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        UAC bypass
        
        PID:4064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZyMgcIkM.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        92⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        Modifies registry key
        
        PID:3728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        UAC bypass
        
        PID:4908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TAUgwYMU.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        90⤵
        
        PID:4784
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:2220
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        89⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        Modifies registry key
        
        PID:1828
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        89⤵
        
        PID:312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        UAC bypass
        
        PID:2656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AwMoEsIU.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        88⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:3616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        
        PID:392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:4532
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        87⤵
        
        PID:4144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        UAC bypass
        
        PID:3524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cOQMAEoI.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        86⤵
        
        PID:4540
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        87⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        Modifies registry key
        
        PID:3456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        UAC bypass
        
        PID:3996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IgkkQQUk.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        84⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        UAC bypass
        
        PID:4324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WSoskYIM.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        82⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        Modifies registry key
        
        PID:2840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        UAC bypass
        
        PID:3648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VoYIkEkc.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        80⤵
        
        PID:3912
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        
        PID:312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        
        PID:3376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DsUssgcM.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        78⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        UAC bypass
        
        PID:768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lwAcEEYg.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        76⤵
        System Location Discovery: System Language Discovery
        
        PID:2108
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        
        PID:3924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        UAC bypass
        
        PID:2452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ESIEwUoE.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        74⤵
        
        PID:760
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        75⤵
        
        PID:936
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:3664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        Modifies registry key
        
        PID:2820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        UAC bypass
        Modifies registry key
        
        PID:3504
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        73⤵
        
        PID:3104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YYkwsowM.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        72⤵
        System Location Discovery: System Language Discovery
        
        PID:4780
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        
        PID:3668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        UAC bypass
        
        PID:3636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\COEYscoY.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        70⤵
        
        PID:4160
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        Modifies registry key
        
        PID:4476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:4636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OcgEcYsA.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        68⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        Modifies registry key
        
        PID:2084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        
        PID:3796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pwIQgoUQ.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        66⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        Modifies registry key
        
        PID:1440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        
        PID:936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        UAC bypass
        
        PID:1476
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        65⤵
        
        PID:740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LwcMAcsE.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        64⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:1088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:4780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pWwkoYow.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        62⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3368
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        61⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        
        PID:3728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        UAC bypass
        Modifies registry key
        
        PID:3616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ACUUssoA.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        60⤵
        System Location Discovery: System Language Discovery
        
        PID:3104
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        Modifies registry key
        
        PID:4508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OkAoIIEk.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        58⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        
        PID:3796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        Modifies registry key
        
        PID:4540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        UAC bypass
        Modifies registry key
        
        PID:2092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wmkksIkA.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        56⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        
        PID:1888
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        55⤵
        
        PID:4324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        UAC bypass
        
        PID:2424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XaAUcUsw.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        54⤵
        
        PID:716
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        UAC bypass
        
        PID:3912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vAsgYQMc.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        52⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        System Location Discovery: System Language Discovery
        
        PID:2172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\biQgEQgE.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        50⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:4120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        Modifies registry key
        
        PID:3548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lAscoAAI.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        48⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:4564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YEAgwcEQ.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        46⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:3212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        
        PID:3836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ackYYMsI.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        44⤵
        
        PID:3676
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:1688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        
        PID:3868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cCcUUEAM.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        42⤵
        
        PID:3792
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:4324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        Modifies registry key
        
        PID:3904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:1876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tMwckYAo.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        40⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        
        PID:3896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAUAUows.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        38⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:3900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        UAC bypass
        
        PID:1828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PoEkYEos.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        36⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qwEwgcEA.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        34⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        System Location Discovery: System Language Discovery
        
        PID:4480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        UAC bypass
        
        PID:1156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yOIMIMQE.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        32⤵
        System Location Discovery: System Language Discovery
        
        PID:3212
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        System Location Discovery: System Language Discovery
        
        PID:4560
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        31⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        Modifies registry key
        
        PID:2860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        UAC bypass
        
        PID:828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rUIocYAs.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        30⤵
        
        PID:3440
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies registry key
        
        PID:1524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        UAC bypass
        
        PID:4584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ROsIMAIQ.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        28⤵
        
        PID:3104
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        Modifies registry key
        
        PID:1720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tSAAUMEQ.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        26⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:4164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        
        PID:392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        Modifies registry key
        
        PID:1784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        UAC bypass
        
        PID:4848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GMswYUoM.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        24⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:4324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        UAC bypass
        Modifies registry key
        
        PID:4956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\suUossos.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        22⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:4776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        
        PID:3952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YCcUYcYQ.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:1744
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:1528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:1296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        
        PID:3576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CUEIMsUE.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        18⤵
        
        PID:400
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        UAC bypass
        
        PID:4072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hKYwksQc.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        16⤵
        
        PID:3276
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        
        PID:1500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jWIsAwkY.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        14⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        Modifies registry key
        
        PID:2016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        UAC bypass
        
        PID:2428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lIcwMcMI.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        12⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        Modifies registry key
        
        PID:8
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        
        PID:1888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cyksUMEE.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        10⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        
        PID:5080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OmYMMccM.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        8⤵
        
        PID:4120
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:1396
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3904
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:4504
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        Modifies registry key
        
        PID:3192
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AEMsYYkM.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
        6⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:3632
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:2180
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:1340
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      System Location Discovery: System Language Discovery
      PID:1716
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RkUwAMYc.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3852
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:4420
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:4508
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:4540
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  - System Location Discovery: System Language Discovery
  PID:4564
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\leUUMcgU.bat" "C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1096
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:1188

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
PID:3832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\User Account Pictures\user-32.png.exe

Filesize
112KB

MD5
8e0cd53ced97234e5fd70c7a047076fd

SHA1
19972159a22c092aa231799cacac92020d93ce73

SHA256
d59e703b2667bb98cdb6e33b34879f75f7ef0281f155d4c9390fffcdc799ef9f

SHA512
6de37c238a03db0e99293cefc3168502e41583dbf386c378cfbf3dfc65a9001e730a3855d20ec6840ae5f1068471b4661eb4c2527d8b8fa5534169595b70f02b

Download Submit
C:\ProgramData\jqIEEkkY\vkIIUwcc.exe

Filesize
109KB

MD5
f56c1efded1a7add033b46e497c004da

SHA1
4aceca24004527d0b017f71f9a6295e1d3bdc7c5

SHA256
49eb68181bfe85acaf97075a0cda6ab3258f9b88b871b3e94c6196dd4825f2a9

SHA512
3251dacbec199625436a780893f8cf89f02f7562d8e891e07b5607af8f51ba30e6e6c2f3238f47dfc28f297a57d0178cc2489006ff75f0b081867b88fd6756b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppErrorWhite.png.exe

Filesize
119KB

MD5
0c7f0f68b172df51fd4758b4b088b604

SHA1
460ae2f8edde0737d80df5665b713ac686072c81

SHA256
89cc861d22ce400b20ad3fb61bf09ba858213225e5e2f85babb014547c775d13

SHA512
5aaa6764db8be40e87d6276b6a24cf34bd3793b506e040585830eb8fc2a24199b1db92616803d81221949ec4c6176107bbd4969caa27c0ba2bb8bbc3dcfd28b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-150.png.exe

Filesize
110KB

MD5
a70b2cee111c728955edc8e7e7df0905

SHA1
e00f11fa7af7a569a6276596c1445aef9327ab03

SHA256
1a410e47a73eeebf97015788106c3fcf22b63ebb5ff8cbc2733576897e82ed98

SHA512
5dfc2db638568673c5014f9ffcf87ea10ea88761a94b34e7aaded810e0794039a631777bc14e1d2c1975cea879f84db0a12f73f10855f7bfd7c3320c28fbc820

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-400.png.exe

Filesize
113KB

MD5
0695ccbd98a773215e579f355ca70c27

SHA1
f6c09e1e266b5cb6afa04d0f64469a291ac31b5e

SHA256
7ce4b0e8118d85f893cab0bd02411fb515aeab5b61141c6136435eac1559bc5a

SHA512
f963440d30f5704c279d0a110a432b786871a029403dcfafeddb5cc68b37c2579a1e5d3128ea623dcaef21bc0174ef631b593b8c1fd79b1606a89b83ea646404

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe

Filesize
1.7MB

MD5
10282becfe29e63ba6d7f2b01abab751

SHA1
7e8715f56e2ea2a977774496c47e42e983a87da3

SHA256
e1e38fd38652431d7ac9647221b2b16df76b7086b43562d1f3d05f55d522edf4

SHA512
affe650a9a475437c618f1a9180781c0db39316508447fcedd5b309e585c2249e7c7267a100fa4031eb3c9c7c241a10d6bacff36665298c62951e9b674d16d17

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\6501008900\squaretile.png.exe

Filesize
110KB

MD5
5dc89b0c9802cbf164c16b039cceb1da

SHA1
d3822063fc169efcc6eefbd3f2a6de57933b1a34

SHA256
004a96730bd3d59b6a27164fb94d26735492e8a71d8dfc63536370ad42a12edc

SHA512
b42d1f0b22fb291dc38e130297aa20694df556a83cfc96a99733df44d7f2a7a27e2187e88e3d74ff58e648bcc60fe449d340b43911ed9266286555c6522e72aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\20240919ed70fb782a4e3b26dd15b305ab4bc759virlock

Filesize
2KB

MD5
068c52eb2659fb8a987eaea13dcb6d49

SHA1
4472f4c6de4c8816f1e39dc2bad6db205827400a

SHA256
4a404d5bcb1109a33329f0e099fa8c07a8b02401da4e531bbc6de733a90e45aa

SHA512
e1abb20a45614ade94037ef0a2f1236a32e47adc7d3674c89e345cbfe3b04438fa103515f602b446d9e0deeddd997e02da1f42ca157efb253ace7f39cba17a4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\AMIU.exe

Filesize
698KB

MD5
a55d7ec9a3f6d72a47cf6a38b88f7ff2

SHA1
84fe6f2bef0d2f4a2cb3c7f0198abbb1367112e1

SHA256
f12ed3dc61783ceffa4b8641527c2d785d9012fd92ebf1b757bde5d94e6604c2

SHA512
fabeea016f875af2faaa43a30337ffd27899d642019e54176f0ecd4caa44ca7422ba4c6c6dc1b320bbd25793804e17e57e330e3b361f154d90a7d876e29ebf1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\AcYG.exe

Filesize
135KB

MD5
e56c07cd484371064488d6d7515d559a

SHA1
ecea7372bb8b2a696b939eef498bd19157b608a5

SHA256
306a8401bdf74d80cd74932faee0080ae94d00aca687bf72b672d8b62186a9d2

SHA512
584bfaec7db36f54fd02a7acdd9c085ff0769c002628bbf7115dc69292425e67212560da467fef4512892563f92fd57424771926833b1c9b40dc485530568046

Download Submit
C:\Users\Admin\AppData\Local\Temp\AgMI.exe

Filesize
484KB

MD5
36ab981e9754eca6c5d9231091fece4d

SHA1
a390157b44844e731c0ee3d1bd93f1131d0e5dd9

SHA256
a5e10f45b0a5335752f7fc3c711c4c266a8e39b160318acec17dc549b7fddc16

SHA512
f683a595a4a2bed7756812465f7f4f38190f0d194c1f8dd431b5ccf9d4d40b076286f3686571e63f7dd6cfe715275bf86cdd2b2f913bab75ad41cf07505d989e

Download Submit
C:\Users\Admin\AppData\Local\Temp\AokO.exe

Filesize
1.0MB

MD5
9192d691ed769ce9c041a153bd254770

SHA1
54925babd6c2da64c791be89114afdf86115d088

SHA256
f480332019dfc3952f5ea413ad73f97a6aa0aaafc167f52be943ec950c2e9f32

SHA512
b4a2b42e1f1658b30ece1f14970a2493e57daa5695170b99ddc911d5b33d7df091bd40d5dcf657cca5665d5257bb9283a9bd1476b41050e2e934b50ab677e445

Download Submit
C:\Users\Admin\AppData\Local\Temp\CoYG.exe

Filesize
110KB

MD5
e291c52dc0c52e4ba5b487500660e50c

SHA1
4a859c7f16abb967a4709ac4dfac1e073ab4544d

SHA256
8a4a5c2ab05259c0a4b9179c98f94e55ba027d563422009638d3f507d5140dde

SHA512
6e71ce0fcf28c4af525bd4658e4eefe934ad5a55e716b9c932e19577fa5f7a382ec9bfc477bb7aa7ac71de08d067a6844f5f94e172c0a053dc60dd7fc5d58a33

Download Submit
C:\Users\Admin\AppData\Local\Temp\EQIk.exe

Filesize
152KB

MD5
6b6d78611aaa60b197607bda072c4fff

SHA1
93b935a726484e374e4281f28095a63d44016db7

SHA256
4dff2117d73aec39629b289c4eb6e5522639f749bcc54a730769d5403cf3b274

SHA512
dba0a883294390951fc0089bad91fca6facdf6e2ba2c491713cc710c31aeb85f52783d9f5608bced806a48bb67704b565c5559acd4c57cb322dbbf4c9ee3466b

Download Submit
C:\Users\Admin\AppData\Local\Temp\EwEy.exe

Filesize
110KB

MD5
2e467a52b03d9bd30030a183e5bc0f8d

SHA1
7909ca4bdcf4fa8b67038f826880bf0eff1efecb

SHA256
cf5f0400917ddb726087d5ca69f1246298b9356cb72000e2c49fafcdf0f3d623

SHA512
67adf8a0df0e8e88e0cfb5e09873a3d89f41d1da877bd7ba9290ad71911845c9c94dd3e846c8ce2204f60c36459503b4c96457fa8036984e19a1aed9b5a03e87

Download Submit
C:\Users\Admin\AppData\Local\Temp\GckC.exe

Filesize
116KB

MD5
4343b605ccc0fb1c38721d984b81f6cc

SHA1
bfdc96a9e7b6749bbda67fd184d549ea087f1829

SHA256
98ea1054bd9e25a349939e783877f090cdc21b8ef5fc80d07ddb28910d392088

SHA512
d425cdd413c201f0dd6b579c990967fd33103a2298d462d8f66421022b11d705ed3192a5705a7803741ed01f65b76fabf77d2209a1df43fa8e06cc234410315c

Download Submit
C:\Users\Admin\AppData\Local\Temp\GwoI.exe

Filesize
111KB

MD5
e76001cf6d44b156bb09a2fa893deb58

SHA1
91f9958f7bbe0c45ed54c9bc3e89143f7ff86e2b

SHA256
2976dcd117db13aba54b275f3556008dc7c4c40237a95299144c0eb949959880

SHA512
457e764b6669bf5044c8f60f519e3fc7e9c700c878c809c31f165076aca5ea9d021dd9dc88e99740949050f53e3a0dbe50364f6028bf0619981e2c6e885a9af6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IEIU.exe

Filesize
347KB

MD5
568b4a299da45568becd3f9d043a2f91

SHA1
5c075c60eeec0eb160e231916cc9b19b727eae03

SHA256
4371bfb19efb4af3c5a56024908da04cb19146d682d97f50af8a316f8a30dabb

SHA512
c32d7c0dd78e992afea312e94059c2d95d5d5bdc99d506f892b5512829c542b649ef5c027f87673a760986e206d94876fdae8f1d1432c1048e24c4cd13aeeac4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IgkE.exe

Filesize
112KB

MD5
c3aa0b16ca2ddd46c64a4e65be3aed64

SHA1
908c862dc10c7f36eea551b8ee1a20b30eb13db8

SHA256
33d760106303f8db690d9219b26a71c0761b5a22df648d3b6877ce560126bf18

SHA512
e9482fe915d81e1437881e271010272d44321f55b2a9e5258c76ee946ab0d006aebe173b24e5ae185e9c2f83f0ac4773589560b6b72397850e238e50f0472b88

Download Submit
C:\Users\Admin\AppData\Local\Temp\KAci.exe

Filesize
5.8MB

MD5
d025f5ab23b8990081b3f9cace783b4d

SHA1
100e190889340508c328a8bef633e82e3be1ce2c

SHA256
d1f73cbca395a8cfd01e8dac20fc835b3dc88b2130e50122428d93d1e9eb203e

SHA512
11e32a7b4fef7dc1b6693ff1d464977509653d15481b450e32069b91f8473c5afc8fc6fdb33732d109839b3dfdaa2e4e86d3231eaad4a0f1f2c26d1501ee9087

Download Submit
C:\Users\Admin\AppData\Local\Temp\KQos.exe

Filesize
114KB

MD5
a095d412643647c06a897a0780e8bb59

SHA1
0d673242e2ed1a10f5f4dea965dbd085d4c99fb6

SHA256
82543642a15bd3e2deaf09a8540b147f3c366a57073225f877d5e321feb38629

SHA512
add8ff05f69f5ac14d24b4da87c87bae290e75d9abcc231562ec5e5ef6174b4cdb7b24e3032fe025c09529ea2fd321c16912e1f2b1687e77e37ae65c0ad98014

Download Submit
C:\Users\Admin\AppData\Local\Temp\KocO.exe

Filesize
112KB

MD5
4168aaffbb6d5a2980d809301165292c

SHA1
38bcc1fc15689bf486d30f44ac28aab712a7e95b

SHA256
4c6b3b2c5953e6a98cfb72170a715219de79faed2d01c6304eed631ccfe8edd6

SHA512
becab7388f6e4aeaeaa89ed29a3d66c5ccbc9a480695f9150c5bd48e72e8e8d24226fa0eae5f3f57841e6f98862b730b332866cae69a313b3aa85e7936bc863d

Download Submit
C:\Users\Admin\AppData\Local\Temp\KwMK.exe

Filesize
510KB

MD5
e96b58b60550ff09aa99300ff5080828

SHA1
fc5f4e31e6d9de8e9469e9cef2987614a983f880

SHA256
df3d5d5bfa5c2b2fd2e6394bcdbb501fac635646faf074d214f3a7cd8cd26f5a

SHA512
12505ce4be1d6d1340dd67fc4a1f7402649c16b3db0b7cac16b6b4de409f202109256da489579d1d0407eb618522ea46d7c0cc2ca64cf00cceed982d28088a37

Download Submit
C:\Users\Admin\AppData\Local\Temp\MMEA.exe

Filesize
1.1MB

MD5
67d4395b2c82228f71e9a1322ec786e9

SHA1
068f0a91e613493c827ebf4112461487e38abe2f

SHA256
5ccf1be8517795ed7af0057648e7c7036cf94a3b6d8274ea5c91548001df74be

SHA512
a294f7e16e72ccc678e763ccc0f5feec23257926c39401932f6da93c3487fd8e48029af264cebc6c34999ec326ddd6e9f73a04b1dda395059425f7e39a2fa034

Download Submit
C:\Users\Admin\AppData\Local\Temp\MYEc.exe

Filesize
1.2MB

MD5
8b180492330488e6bf2d7f39ba036c0f

SHA1
788a3c61d5a4b9bdcba1844bc759892c0e68bc8d

SHA256
b43975b48f390fd8938fc1648c6683ff90eecfb65b4fd2ef65c3a5533d22f487

SHA512
b9b8ecaa7fde322c49babbb55a0e935e12c4cd3012686c44b1110b2e9cbd03063b7b4130efe60172e4b81178dc9486acca2f57eb1548948e54555d0a1d8b378d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MYQK.exe

Filesize
121KB

MD5
fd3b1a5318d0336727c755cad5b46ff2

SHA1
82654109111e5bfe6a125a9963bcd3c8757f9cf6

SHA256
4223fbb19c3ed96fd73485610d912255fa59453fa003cf439ce3316b790dde4c

SHA512
d2e2c1559bc5f968ac2e276367b6f4d58594e135675f4e33d7c27fcb6592738122d30fe9679a5998d90a097d3fb1cc5f03610adac73d8381a049cd32611f61f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MYkW.exe

Filesize
484KB

MD5
46097ea58a78096c6d2e5f0eb57ddc10

SHA1
e49acebadad9a8f8821c46d913e84f817cbcc098

SHA256
15be524c4432546cb8adae23ce3ce6f85b0814b5dc8f3e48a8abbb8e1adb1245

SHA512
ce24126349b33fd7ba0db2b61f1a6c5b2c22c91af921b4f4c49385fb0a8d5b609ec23eb25e8c174a8ee775964b3684e9b313768abe36cccc02ded4d7ea905650

Download Submit
C:\Users\Admin\AppData\Local\Temp\MYww.exe

Filesize
111KB

MD5
02f7ce7a3caddd6977d923f1ceaebb0e

SHA1
1e6955ac166ab697d9c665742497f32c82c81aa1

SHA256
155d28a5bcfb5ea47b1dd556e3acac7ea7927e655021edcd6412194bcd034045

SHA512
c4a2d33b51cfb6c99c61415d8f72a69633d742df1d9edf2d020482d17243102ce8a71696d8363072feac89eab8a9e789311a8fcf0f501cd1cf8b3c563f488c4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mcci.exe

Filesize
118KB

MD5
30f576cd2cdcbbab7a63506475f66354

SHA1
48f70fb35940ca52e9108cdd93e87599413359ef

SHA256
fe4487f9a147393e264733010b8dcf3884987563ccb03c8938eaefafc54c6aaf

SHA512
9de2581f9e4b08d837dd8898128ab9291a05ccfaaefec91a28e878aa871a75b0d3e2bae778fb8f4264392e1717d24fd82f25a18d24ba73d4259d2df60d663487

Download Submit
C:\Users\Admin\AppData\Local\Temp\MgEM.exe

Filesize
111KB

MD5
f6611d428cf3fcf936a4ae517bf08833

SHA1
2d4096855737e5dce0c2eb8582b41e3be92f624d

SHA256
c4b4f6cab8abba9a8d8b076adf05263520e33dd9b7ce4a31fa284bdb3c187220

SHA512
a97509a40545c47c64db3761185122f87e5294d717d0ede8b242d0fa55b32995bd2bf37fb32c3af462443297c84474e346e81f6c8e9de38c5f61ebbc26abb07d

Download Submit
C:\Users\Admin\AppData\Local\Temp\OAEk.exe

Filesize
112KB

MD5
57882219b0f8edc02440fa16b3f94c1e

SHA1
253b65514b2531d9a42edca9b23b76518d74ad50

SHA256
1fc188d6f956e621019580541b9ddd2ae5f25ed9c1fdfcc6cd817e8d7a0c374e

SHA512
acdbab6791d28fd8aeaa3c13326e132a35386c1161ff9e69c1fcb0354097e4329de018dc5d859120d4e53ee5262b35a56cf7b3240337474f883b36ca7ad51b6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\OAQw.exe

Filesize
112KB

MD5
e2d3ba7e22af5a8347671bc1d151d947

SHA1
25d42ae30b388403efcae551434994ddc70429d5

SHA256
05a884ea55fec0e1ec042dcf4001e2b46ab15fced1a3550c6ec17db1fbfa45fb

SHA512
50c96c27b9edec4a2cd73a5ccebc6a379e634a3d362af5e04778bfe3d5e56497aabde3e9e70e642184b5e3a3ce7145e0dcd13db770104b85825a923f40166e01

Download Submit
C:\Users\Admin\AppData\Local\Temp\OEEw.exe

Filesize
1.0MB

MD5
81d9183839e5e8533705ff9edf424686

SHA1
bdad630092c602da8557a49d59c320fe56f0dfd6

SHA256
d41b434c9ffbe023e14063037d7577e56950a41f0788ddddec3956bc743c5cad

SHA512
725376c5de3193a14a8f6f34315f9c520e3fa28005ce65201812e1f2b89468541a2b33c861bee57a3ae5a4571e03e3c68ec3c2be7cfd0d7cc9ae9721fc95efc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\OEoo.exe

Filesize
119KB

MD5
474a5e156480054967138e66bf4bf1c3

SHA1
e0ba8a3324608e0cf915a58d4b28d01f7665e5db

SHA256
298443509eddf7cc7bb93a90b859efea5e4fdabfae0388e6ee59704d35fde633

SHA512
7e2f241f8bc13d354723a9def65a1a20bd643f2d540b5c7a277a5f55fad72b42ecd934bab624f955633ba9240b6071ccd9f08d2ad8e08ce14ebf4c6f27c561e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\OQoI.exe

Filesize
112KB

MD5
c32428f467f4666b9aef2e83f1baa8b3

SHA1
2368ec3d2566130a006e6e7187ef7e38c7996b31

SHA256
363b90de28a593618be1b3cf25a63b3ff9ac33dd5d7ed204bf08b5ab3e3a0323

SHA512
d2e7d0506dd5242a8b91f709c450cbf63b23e2e47297b30b7e8edb8ff74737b50da25a2a52cb911655fb463adc115dbbf20bec41c6c650db70d9dbaf8b5ac6bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\OgcK.exe

Filesize
937KB

MD5
ed633f83a933b13f414a5c37b4e0ad21

SHA1
41ae99d147d935243bca1bee3d3134b629d1ede0

SHA256
0cb662544c72f18f2e19f8b57eb7f958acfbe00fabf593ed092c28d24f887fdc

SHA512
4e65324bd585ff9a382aae7f5b1088094a56ab4510c8cac0c150e031a89571074ab548385bc3cc40482341c7038532947e5519f339ef442710adf20fee74bb4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Oggy.exe

Filesize
237KB

MD5
e4f2af873f47b6ca333a994250148754

SHA1
f151aeda3d6ff3a700cb2e7c94d12653f4777410

SHA256
ddd466ad970f1f43f1a543b6919ce7a82f7fc9ce8eb97529b108d6099b6fef34

SHA512
0b79ec9f86c31e7f76d59811ab3adbb11a1fbded4d0a41ff135478e6793d571235cb146e55f0f2578d570ccdc23b68d3ca063dea6c36eb35c25a8dcde2338eb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\QAUs.exe

Filesize
697KB

MD5
936f8e44d66b8e2ae4e7fbcf3e343ca2

SHA1
790eba670dccc660c67c36dde3be17719bd331a3

SHA256
85fb80c1e432ea39a7a412332b65359935d349104a88bae7fac6f4710dab8aec

SHA512
e5588853cde7d8991fbd67e4bab3a02a8e8f79870763b7f7524139697bc7d3e6310cd98bc90bcfc6ad1bed197d0ab2b1a7b5d486e63a05b7ad967cde024ac5ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\QIYk.exe

Filesize
5.8MB

MD5
73b5cde1ff447d815c06c5352efbd6f2

SHA1
c6985a4e98a5eb433a967dcf45e7fbc5bcdfd41f

SHA256
279181e6be8f5cbf297d33c65e099c1d3ccd2d149d11477c2668da07eac1312c

SHA512
5f6c1f4e16cb01d79b3a2c06387d77ed4779d788c151fa43952066584555af883dbd8b3ce5bc0bbde8b719f4b662fc3ba08e08b2997d503cbd11894c6c54d38f

Download Submit
C:\Users\Admin\AppData\Local\Temp\QIsy.exe

Filesize
155KB

MD5
debe6c0de602b69ee476f5f991941c57

SHA1
4f2a2a35f2e119289af1f8976768a1a5d7e1ed99

SHA256
ffddf41b935bdbad83e866c1d8240a5d1029046fafeed436f484fd2f47de77b7

SHA512
43da7927aecffd4f1642d2bc7013cf6a2488ed7cd1a39cedd0d9e74d007859f57f19bca3abfa20198bb73943b5f057da3d6ff6420d4eec2b8b89afe330653960

Download Submit
C:\Users\Admin\AppData\Local\Temp\QMok.exe

Filesize
113KB

MD5
327eb06de59c099c229f9bbc9efddfa7

SHA1
f41be439d044ce0041984362ca78f361c02745f2

SHA256
f8ed6d5117d8f9e847bbca2c761318bba924698e04c7d02764f227b15a44c888

SHA512
15f27a97748fcc17bd06a653794a2ba78fe2f1d7965f370c385bdce22f77a03eeb82322a229f9cc99ff870bb95164cf1c96447649f2a96406500bc55cb3b30c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\QgMC.exe

Filesize
708KB

MD5
ab0d9826e7b5fc77922149fb753c4b9a

SHA1
4a0f357ba9d455ec2147f7460bbd92d782de1832

SHA256
4270143f66c226ae9b421741f399e298837c2f1d960e4fe62a3d730054351d94

SHA512
befb4ccd220786938b5af78863ab3034bb6a11039a70de07c26160fb150494ab4ab55c60db07915322b7a83a111250dc4b412a27d8a1776ac2e0c2aebef1de90

Download Submit
C:\Users\Admin\AppData\Local\Temp\QksK.exe

Filesize
118KB

MD5
1a673235c918c8c5a8bc3075b0b6ff0d

SHA1
f8e74688732afd7bb596429f31ed7e4fa25ae7b3

SHA256
c90ee151f1b138ce1d34bfb3a52591e58e18370908da7b8ad797fc25cbe6c34c

SHA512
b651484a89ad0d7ad8f88e09508e199bf9249ba586d1bb431fdc367648eafda6fe3d4e6f5d3cf4a10a69c22992585e6ff8e63cbdf25ec904ec5f046084d631e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\QocA.exe

Filesize
119KB

MD5
b3561894337f1c0420642dd2ab28ae1c

SHA1
7491ef4f99dd2f6c77ccfaf00fbd2ad313e5e84f

SHA256
947bf4a84baf4c35a2ef3bb1dd7f3b3be676edb1c02c06362657865908de4e93

SHA512
a87a206b1afc3f009d2a75405cc0d751a554f19c8ebc3190f6f142cc99fc98b1427440a2122b75e3444b73131fd5f2951695830393ac4bdbc9fa7abb3e673929

Download Submit
C:\Users\Admin\AppData\Local\Temp\SEom.exe

Filesize
676KB

MD5
855e9ed10b5a602d03de0f28c0e881b7

SHA1
c3b32178ff319532e5cfdb5c7c00fafd00aab937

SHA256
e6b1a287e49bb9294a8b7d5b102f89b4a4c0951fba76a7b9ebccae1808283f15

SHA512
08c6dedb9b55526859a473ff347b90368a3c149242b92879196a45336b45f9f9b49ed62561da2f0112031cd1c34d17949d1aa2f906f07e8026d34c27be31e0cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\SoEO.exe

Filesize
111KB

MD5
02d6350b2e674205b6501810d7748a7b

SHA1
56ce6c94a3abce81a3cf4d5d32a77692821b0688

SHA256
7cca499cd1d86a67e3b0a3e7be3eea6494e907175d60236bf7fe8eddf9876b2e

SHA512
aeb15929966ad2aa1af85fe05431818b855234f22f5f5d5cfb4909ab2939a04fd14a8522c39eda7a8cb4d2e25ab3510fd50e2f30226bf511678046d686babc6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\SwoQ.exe

Filesize
744KB

MD5
f995b48c7c0002918f2cecefe953dc63

SHA1
f7f81c3a3ad7b8cf5bce97a6cb5f466f423498b3

SHA256
f1832dc5b0a3605a3a4ffaee685b31573e5c164597976f58d3486cc874a82d9d

SHA512
ed229e66ab387d6917d96fc95fee3180ef7bc8a809d4b31ed44d76e71e434d0c4d8df1e5cd869460c12dadd62f8fc23049ac7d2e43cc58e4d67de251417b299a

Download Submit
C:\Users\Admin\AppData\Local\Temp\UMII.ico

Filesize
4KB

MD5
7ebb1c3b3f5ee39434e36aeb4c07ee8b

SHA1
7b4e7562e3a12b37862e0d5ecf94581ec130658f

SHA256
be3e79875f3e84bab8ed51f6028b198f5e8472c60dcedf757af2e1bdf2aa5742

SHA512
2f69ae3d746a4ae770c5dd1722fba7c3f88a799cc005dd86990fd1b2238896ac2f5c06e02bd23304c31e54309183c2a7cb5cbab4b51890ab1cefee5d13556af6

Download Submit
C:\Users\Admin\AppData\Local\Temp\UgEC.exe

Filesize
139KB

MD5
d3798437756059479fd4d292d5fea78e

SHA1
bf918637d36c0deeea2cbd45875c75d90e10f35d

SHA256
44460e68fa93fdb6b081ace8d3659fa74db3e2e3304d4b876d1ce489da2c28ec

SHA512
046ab1cd0be96da40975f92733a0e0fb43791b8879419d17bbfe1e492724e263fe87c3432d58395bd841494202bfd38ca435e7c491c6a54915564cfb8a18ef28

Download Submit
C:\Users\Admin\AppData\Local\Temp\UgIG.exe

Filesize
111KB

MD5
5430a321ddeea5f0e15023495eabe17d

SHA1
2e691a26c25a020f91f690aa2689115fddb4794e

SHA256
3c9a21a77342be9ac11455140228d8074a612cb64b199f44bd022e337ec542f4

SHA512
1923c6f8e3afbcaa78583f61d960ee49c821f016868e26739cda094e99d9531097e60d9a4f626d8b3b8ba747867e9026b16668ba77604c631dbe0e7fb0229ab3

Download Submit
C:\Users\Admin\AppData\Local\Temp\UgUc.exe

Filesize
112KB

MD5
45db126d901c212861fdbefcbcc714c9

SHA1
373ffa9d911bd2d87066c58ecd18292bdf504067

SHA256
d090963737daef5a656ade8d3ed9d51ebaf140d4d75a9312070464cb9a4e960a

SHA512
b129fcc386cdd796cfff5fd4cff2cb0d4a553086cd81fe7378c88890dd80ad5cf4eadb837df53b33768b0d0c2218e9681236f9345555641457bf1b807d96d4c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\UsUi.exe

Filesize
721KB

MD5
cb436ac608f3e78c0b9dd0f2f1db8dd0

SHA1
74fe99344496e563712efc15f5086fe96e2e01af

SHA256
1ee7598aa0cfa7bdc7075eebef9f3cfbb9b85911d0e7a0db5f27007241ef98c7

SHA512
cf4a79178a537d393675e499f15712e2a32f2375047569417006a658326e6ab4fae16905f0f6cd1c3053c092d169f32af5b8356912a966f6472566dc7cf5297f

Download Submit
C:\Users\Admin\AppData\Local\Temp\WgYe.exe

Filesize
141KB

MD5
f5c3cdabf4e644d9ad5511e8b297571e

SHA1
3c70c56986b86c1dfbb3158ab1a4590a1c20c202

SHA256
e30499ee97e0c5f34187bc7d77b3acd22e223d1b4a61e80937cce7f6a40c682e

SHA512
48c9192565dac39a33288785b76da57916073de4496edae15ffc42e03f4996ebd58e3cfe719ec4803dc993b567e91ca55dec0cea188a27dfa37cb8c026f92688

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wwgk.exe

Filesize
116KB

MD5
1ad8e5b598793ca475a87a175e51db66

SHA1
68707737213b5e814314afaf7b8784599d0a5bcb

SHA256
3c37c0f13648068f8e568174d45c8483bc386ead117bf9d9d9d6c96b7093afc5

SHA512
a03f54335527c52f91228a8e77524b310a705202b9f4e8317539faf8802ed2af308bca6c6fa32fb6040fb6d018e77568cde792d67fe28a765f3dd48fd1d1261b

Download Submit
C:\Users\Admin\AppData\Local\Temp\YAYs.exe

Filesize
120KB

MD5
c62bf03773027848d866b3f5b08a2d06

SHA1
6c45d9efa7afd70d0cebe3a282363d945f444257

SHA256
322a585dc5141ee00557d30c9ff45fdf64887fe36a096ef89ee71dbd84416394

SHA512
55b40bef074aee2ed792aeb91faa83c333f205836ccc4f46a2e72699fe37eefd54c3fde9e834346ed0db7759a46f368264c1c1074019f9243415271bbc7b2be9

Download Submit
C:\Users\Admin\AppData\Local\Temp\YEoe.exe

Filesize
113KB

MD5
5f3b57bea7eef84e8d68dd12518ea2d8

SHA1
f7c4a13182526e6a81db6d5fa50142952b6ec80e

SHA256
d928a10a34d1e9466fb625a7d4451baf24a27f9eb9de80af7580d6d7c9008ce9

SHA512
b694e805f3cf832ff49f85f6aa5d6029cd9985eb1cd2ea2477f9688b3150b6fc0a60147557bcefbe095d94e405586243f4f4881c63a8c6f398befb06a7ceecf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\YYck.exe

Filesize
112KB

MD5
a89b48d52d3a061177864469a4eb2c27

SHA1
024fb91f4577f76767600f0a7b38a13a6f1a7dbd

SHA256
05b61cdac6eecc50b6fe4f3d3f2f719e3a369fbb2417d1034a47d97831c4c85d

SHA512
05341f15c008fb185f93b89f13937a0217d7a2ac2b8ef2306f91cdae24f1a3c982bbdb6c4223a9e39a715cbde192a83e2f6b113f4e8b42cfb677b68aa9199951

Download Submit
C:\Users\Admin\AppData\Local\Temp\YYkI.exe

Filesize
556KB

MD5
cc269267120da2338b57b8c16af2a868

SHA1
cdddb831dcb9767a74f918d790af652d5e1dc8e4

SHA256
d712e3ab84402d4d792f4bdc1165cfd62f17649bb97d18884e74d64142130b37

SHA512
7153a01c9e30c7ca3a5b4e032277e9373e8e1d116a43f7bf2e2e8aed368ff309e4081c57e2b813b101acf36e17be3fba4a0f2f3c2be946307b70018030b3a1d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\YYki.exe

Filesize
115KB

MD5
236a1e3536f4522810788b1138acb70e

SHA1
25be2a72fc348a39b753177ca7dd02ce71cbe9b8

SHA256
f1230224475342780de7a7716fd1d5f38e8750c6f96b0450c2f6b4c0d59335ab

SHA512
1e18bad01b8fad718b737035e545013c4f04aafd38640a3316442052c057f77cdb39fef2343e68208255146e4c08ff8b5b8695c101611595e5c8c518f6ef20c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\acsY.exe

Filesize
1.4MB

MD5
a0b4aaef8f2b6e2852d17895e463e77f

SHA1
e9aa3184b228e1933454d4c116c8dc77ed7bbfd7

SHA256
ea3e3fcf94065aa1579a0044920135184c01c148638a84fcd53736dc1c5eff7a

SHA512
56f5f9c9b1918949b9e19fdf150b6570905269c51eca6b6cd7c165e06e13abb3920aa6e74ce628b7ec9396f97857300e42ba34839830a7ff5b1fe4c3e848c268

Download Submit
C:\Users\Admin\AppData\Local\Temp\agYU.exe

Filesize
112KB

MD5
5c3820ecdbdff7c302da01ca51c05145

SHA1
670986fa3d3083c1812898d70305e0bcc8f9fbb2

SHA256
1266ac9173a80dd337c8489f94e3bef3ed9a43867e846ddfec9fcd3586182c4d

SHA512
b672582566aa01d5871291758193b6fe691409e02bb1661a4ce2941e81847ae10e68586335adb05db432a451ada04101ffc1d59f0fc30e43d056f91957071108

Download Submit
C:\Users\Admin\AppData\Local\Temp\aggo.exe

Filesize
113KB

MD5
0b0db4d2feceb4a13c2747f210e7ef3d

SHA1
dbc3523861236c3d1287d14747422e25b903917c

SHA256
9a50fc66a85425cc1600f0bd5a1c811444f182263061c113851c6eec0a4744aa

SHA512
66af3a97e4d11904a9f7631c3105d14c8a94368cc54d4efcd9244befdd91a7e2b9303bbe73ea1b1ef1586ef74f1b0c39c98ce3acf0977aad3adcf543c7beb0eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\cEoQ.exe

Filesize
111KB

MD5
b1171dd788fb22ca4c078939d59c589f

SHA1
04ca2749a3de8d72bbbf73eb37f27804d9002414

SHA256
af74250e478ae3b9e5dd42d0d106a23fcb5725daa6d2e06e10e27b9732b9f347

SHA512
0251ed2d5768727c740bb6c12a48ad98f524a7ba8be34851edbbf0cf9fbaa13c7bcd2f17413aa5eaa1d367b7f45d4b590a8aa11cbd394b75b7818f78eb1fc701

Download Submit
C:\Users\Admin\AppData\Local\Temp\cEwc.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\cIIE.exe

Filesize
111KB

MD5
fa12f33a52462de869d158cde171aacf

SHA1
6ef29620192c69451b0ce68141d5a66b132251cf

SHA256
7b0c36ba7b4212b3cf83ab60fd85e438984ab902f71fcaad5d56c5ef8a4ea446

SHA512
4b69f36ef640da909a831f7f507987a557a0acd98189b8dddda874e4e5859304552718315b05bd276f3d6489f6b14e8aa5c8d560eacda905ce141d259ecce6ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\cQMe.exe

Filesize
110KB

MD5
029e101fa504f6a2bd565f2c61d4ab66

SHA1
53bcffd0709b1ea78492dc667d118da5f41e3e00

SHA256
8aca4e49d717c8c88b4a574ae6a344a3fa1e9b6028ff892580dfd6514e9a3768

SHA512
f04050f7205d9785fd9778316c3388cca76c1d291078391cb3f43b2323715bdff5a294a252b0de0b9296af3373114a6512c8d9a37e60e5e1896d7f8acb3a2b2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cYki.exe

Filesize
114KB

MD5
8bcc5fcb3c128cbe8573f16523de456f

SHA1
70eaf30ab0e0db963b1362f05b02dbaaa41099ac

SHA256
ae33117bfdc92617464f0b721a95476fd1b32d17912029c12c6e1be77d5d30a8

SHA512
b41d770c7822a891047b8435a80b67cf00265e7ff6192920db7ff8dec1a169eeee47308b92afc72aad5d7dc5b42fe209101a38bef9aedbbf9587263f114e4046

Download Submit
C:\Users\Admin\AppData\Local\Temp\cgka.exe

Filesize
114KB

MD5
cf7c1f43d008401cc713f681d2e89053

SHA1
a2f31e88650bea3f44563ed3a667c51e8240b27a

SHA256
3861fa9e34ee9025fe8d6427bab65e6a42b8fb33869f3dabcd9ab7cc45ed94bd

SHA512
8c025d794cc1b0c07f259c917168298b4183ba4e769cfdce3e952990359389c6a3900c333e7253a7db02c609cf9ce9dacbfceb15532c9e3c300bca18e39b25fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\cgku.ico

Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\cscE.exe

Filesize
556KB

MD5
b5ebc4829c90695961b9f1c774746b13

SHA1
9603ce74492608c1897b0627b3b23539c4ad16c4

SHA256
691882a994ddc5356c6fbaff09ececaef4ecf0e28c31e447be7e101983032ffb

SHA512
d0c53ab93f26391734890e3f2aa7b85c3cd9e678a4a85983060e1afaba203c2886f93f1adede411a01ef57c9a33f8af5a86ce073314f6bc659d9c201fc06cbda

Download Submit
C:\Users\Admin\AppData\Local\Temp\cwQs.exe

Filesize
110KB

MD5
a7819bb444eaf0269d7967e558352ea3

SHA1
316d1a451dd89a6adb183c056f19b82ce1bf0eda

SHA256
944da5eb00428293d7fc79cad8fb6291b8fcfa8db9b97f99ad08976ed5edee4e

SHA512
dd0579320133d2b402951eca7c19239c932a1f8bd33292c4fc98e49f0fb213db4282e19ca2397f4bfa5a1aef6bdfac7e6b9cdfbc422978f352aae31a49f158b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\eMIE.ico

Filesize
4KB

MD5
7c132d99dba688b1140f4fc32383b6f4

SHA1
10e032edd1fdaf75133584bd874ab94f9e3708f4

SHA256
991cf545088a00dd8a9710a6825444a4b045f3c1bf75822aeff058f2f37d9191

SHA512
4d00fa636f0e8218a3b590180d33d71587b4683b0b26cd98600dcb39261e87946e2d7bdcfbcd5d2a5f4c50a4c05cd8cf8ac90071ecd80e5e0f3230674320d71c

Download Submit
C:\Users\Admin\AppData\Local\Temp\eUkM.exe

Filesize
149KB

MD5
2bb895bb48380ba0a30345bcad8a9236

SHA1
89091d8626d00b8b292ee53bd22c9fb134336ce1

SHA256
0e62eac568ad602c0e47388e9dcbfbe21abbb1e2029e8e81559463738c3c0b58

SHA512
d684f890d51c8f2600f5d188c20aff9bb89582f55affdb6e5820d4dfbc43fb6b7ee625444c0036c80a4f12da580bb5a33a1d90092a19a27119db70259c0fdfd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\egMc.ico

Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\AppData\Local\Temp\ewMO.ico

Filesize
4KB

MD5
383646cca62e4fe9e6ab638e6dea9b9e

SHA1
b91b3cbb9bcf486bb7dc28dc89301464659bb95b

SHA256
9a233711400b52fc399d16bb7e3937772c44d7841a24a685467e19dfa57769d5

SHA512
03b41da2751fdefdf8eaced0bbb752b320ecbc5a6dbf69b9429f92031459390fe6d6dc4665eebe3ee36f9c448a4f582ac488571a21acc6bba82436d292f36ac5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gEcG.exe

Filesize
115KB

MD5
aeacaef54904bf4950d0746aeb035925

SHA1
e943d238a68d267b5628c4cd3a6f66ab118a4372

SHA256
7b218f5659577a52e57f26edaaa4488422b4948f882bf2a4c0632eeb251824ca

SHA512
f10b2f69c97f19afa656f79733c1767dcbe6eb0c08bc711b93d716b8af6cf0e247646a871877360294f89b7c3ba717ca18a4e1973f15f438b0bbf924bc3bc81b

Download Submit
C:\Users\Admin\AppData\Local\Temp\gUIY.exe

Filesize
449KB

MD5
5500db834a4f20907a6f64db8db783a1

SHA1
23fdfb1e219b826bebb7fff8ee743d7d9ca29d6b

SHA256
23f44337bf5c187950714f3f7d5427da5f8defd0c57ee6ddb55d5364e87f15aa

SHA512
3fc2b0ad06baf80d65adb817d67d50a5707d250e904da9a2af28f313dfe7df540aeefc23bb8539a5f2a99bd9345f272b7bcc21fbec2b0835fb6b9fcc27343778

Download Submit
C:\Users\Admin\AppData\Local\Temp\gUMy.exe

Filesize
110KB

MD5
0ad115afb8536b49c2f9326408eb1b3e

SHA1
f6ae6fe0b251800ea4e8ca1e6fc99e0a18bc5ca3

SHA256
8535b8eae017999c08e9d910d9a604909591193588e80559aa20aaac49f7b6e3

SHA512
3f99e5c0576c4798b270e643b53bc83b51827d8b9bc44f85992731535d4d49a3560dccb1c715ea93557596aba54d9b6c7607a2bcfb75a9b01d5bd2d776188bfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\gcsY.exe

Filesize
564KB

MD5
dd6ff33c8066beedebd890239a6a6432

SHA1
d67ef4c7fa9e44c4b885b4c1d009f4bfb822053a

SHA256
01cbade95cb2e617957971d99b3e88da1ee1c3ccfe77cca653627bee91f4f126

SHA512
641f97c96da3a5116123a6f5f8573b0a2d9c7596e825615013a1f71362e00476f206f2fc0bcd4398a388ef671aeecf6e4646bb02c8244e707a8209184521b7e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\goYg.exe

Filesize
779KB

MD5
e3f7587b701883dc4e9f855c2047ab2c

SHA1
23891b908b2025deae314179550dabf85d990f14

SHA256
bf1e2463370007265f508b4e9a61ecf005886610ea62a1520b06147a2aab2566

SHA512
b0ead81258b883f015aa92c3787edd989433ac9195f34889a30a2c053883c33e7ef6cc51ff3dd2b1f7e6072aa4ecfa868380011923e95ac507de5dfee2d09ccf

Download Submit
C:\Users\Admin\AppData\Local\Temp\gokq.exe

Filesize
466KB

MD5
cb937f959af0228726ffe46999b63a19

SHA1
06b1cded581fad29d8ba8e070217d431954f5a8b

SHA256
22208151cd030fb2ae1ef01fbd7c13f7308afd867efb3d6a6c2ce834c2805482

SHA512
db047d73dc730ec88425fad244fc9e5d9fd13df44c4ff3b5d2efeb4d495425ec5f241eaca52426943898ef85f2bfeb8df8e12fb160470c4c78dee4a9fc92b96d

Download Submit
C:\Users\Admin\AppData\Local\Temp\gsIU.exe

Filesize
113KB

MD5
faef11587fc19ba028b48b5f552d6f8a

SHA1
0a5f332ab7ece5c178fea64f6db65ce2eaa74cfa

SHA256
b58e4cae5aac46d30d8af6857b1093e7eeae739378077396c74eb415a91a01a6

SHA512
73e4b84aee09453b539b1f404057c62c10a175ac8d56806d012710e376b090d5190634f56cfb9f97f1bfac210c39bc616d65a48aa0d185dcfd8e01b3945c37a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\iEIW.exe

Filesize
719KB

MD5
2e33de68eb85bd7f547e68c45f3d998a

SHA1
67a5afb3049a6d46b13ae898c5f30c710880bfd3

SHA256
969b27579b2673459a1ca7dd580b73b40955ba5dc3f5ef6641c8277bfa11a0d4

SHA512
b83d2faed1c3e487e514055bc5a04625ea127d8f5d2be6c79d6f704573b5f413ac9da4774efcfa5d9b1f6a60744a08b2a2df5bdbff4eb0de0c3103875f04e3d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\iQIQ.exe

Filesize
115KB

MD5
a09177c0f1416111f23e4acbc5161b41

SHA1
90a2ec2de496d6ed59a6ade8dcaef7a83e3945ca

SHA256
fa8ddf51c897a55d049e645728564f9b2b998e5f33432da1a40f885e7d0b36cb

SHA512
f66a62b583e661d4a81975054fd35d187531ae7cf0a613627ca004bf86f7167099ff3188e25a52b0d8ea3e756b9955902716a8003d2b47420e1cebd0d91d445f

Download Submit
C:\Users\Admin\AppData\Local\Temp\iUkQ.exe

Filesize
237KB

MD5
82fed330484503bf88524421f20e7a56

SHA1
b615dcf76cbc02ebae8d34e8e3d67c71777dac5e

SHA256
1146d91a5348c00df95816dd382ca23d57759eb0c15439a16bbc748c334e9c1b

SHA512
709606a3710d5f054d35b38e58a27a71616ca00c875ce4d151d62525a240ba85a945218dd4308fba94de168348a36ab85c9104592734c5076ba72b18e0eb5864

Download Submit
C:\Users\Admin\AppData\Local\Temp\ickM.exe

Filesize
564KB

MD5
b7ef010c0a069e05030bb93faab3ec9b

SHA1
01986fad4e15638f110eb935b6d1a2f3f2cc6b53

SHA256
abdc609c95e74e9711dc839e548b282bac1f32ba8b7b1849779b5faf092ce254

SHA512
de037fd6aba2b89ff47bc3e94f209076651d29c77b7bf7300e61ac633f8a81af5377ed9cbc13ca14e8d7801ad5d24dac5478c6d4399011da5c587679fbdb2cba

Download Submit
C:\Users\Admin\AppData\Local\Temp\igEA.exe

Filesize
112KB

MD5
33bac39dfce6471affd337510554eee1

SHA1
d0baef89f58141ca675179e0e454cae5062f552c

SHA256
65e2aff035f890f9e79909c62397c01ed86bcb8c4652a350b0eab5e30e25f6f2

SHA512
2cc2540016607845d9c7e245c82e6da88173ad75e707259f61b65e23e08c92ea135bab2f92669b7b564ec4b22b93ae7f8b152e8d82b426dd3293d1a6871bf1aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\iwok.exe

Filesize
110KB

MD5
26df6061ec4c57fd0664943fa91b426e

SHA1
71f7d3adbd15d379aab3af8fa9a5d7890bf70412

SHA256
bcd31a6c7a183ea1f887e1050b8c57005e47081cfcf9f78ba615d8e5d5cea43d

SHA512
dee3ae9913441902e0889c7aa9d17df7544d08faa4e2459da18df708bd3f3ec8299878f9bfc2d38a5d669dd7800c3a1745570db1b105e3c0b7edc9c028b2d454

Download Submit
C:\Users\Admin\AppData\Local\Temp\kIMQ.exe

Filesize
115KB

MD5
2afda5f96812fd7df87119dab88e816d

SHA1
7094751df255967fb4be3c85fdc603bfff42f3e4

SHA256
23015bf18621e32e4186c9d690bc89ee7e3770c3be902a2307195ad07ca21f97

SHA512
3e527ec1489b987d33854ff58f19320f8831f99ac22f59ed64948c859759cb61b3dceb55a15a65a7f06a6e7e6dfe590983b739dd78e3e5e3b3cfa54c83bff178

Download Submit
C:\Users\Admin\AppData\Local\Temp\kksW.exe

Filesize
117KB

MD5
23078c78af504ee6b617843ff4a09ab5

SHA1
3e8fd5cdd838be64b63f1a7473b759c380f52bbd

SHA256
89aba055224d580f75ce3451e5c9d0e78a1e4b80f10d679e364d6c25be0e7317

SHA512
efe9abb49de636496212a75b1bad0a9b76973e6a60c6a056b507f113a03819dc0959842962d447eb73395012f1b9a41fc289558ac2622bedf88d8f86906fcf3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\leUUMcgU.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\msYW.exe

Filesize
140KB

MD5
394530b458320596a058072549f23378

SHA1
b7d72c0cd34fd261993a084a0eac6cba86c24e5a

SHA256
dbc5e0d021a4ebaddef179ab1a325d15a97a3dc857127cc6fb5dcbecfba1ddbb

SHA512
20ceaabf713321e15f52ba27dde0aff3157c2818034bf2b6b186c6e951e937f769fc2c5a9ac5c78b9db78ebfdd8d9b020bcb89883f0388e5327443200a24456e

Download Submit
C:\Users\Admin\AppData\Local\Temp\oAog.exe

Filesize
599KB

MD5
38409c700ea058c8537d5ef1f9b9ddcd

SHA1
538ed60b527acdb548caa93013ff18d29b775158

SHA256
19ad8115e43ea8e23cd4100d4e4c0b10a58dffff8aa5faff47ca7bba811ba11c

SHA512
5bd9d92de825737d6145559c674bc8aaa18ea5d59dfe24f1418d055b3dc69a49042b0a7b64737d3a8f9ddaf28dedc171ab80a2870442891c4c90733b802147c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\oAwe.exe

Filesize
111KB

MD5
829fd3a0606a3a9a6e7097abb92da352

SHA1
1962ee879d1b47911fc53fd09eff05f5c2e83325

SHA256
363942ced41827437f07268be6adbe26b34eeb2a13f3c3327d20b743dcb4ff89

SHA512
39e29c2e0e88d4dfc4042954d7d7578d136561af3df561e42af972c5e3d920a421172536db04654b876a7491617681fe3a1830a5c5509c190386a8ebb1d5bfd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\oQIY.exe

Filesize
111KB

MD5
68d0c23d2d1a24c42037c52950c1ba7c

SHA1
476824e9ce8c0f9fefbba12277695b3c4c621038

SHA256
3267d91fa7bea7df8d88c547194d5d6f1480f500f60aa09452613d2c2159adb0

SHA512
01c75dd264a0cdf402cf90f1e1f617f4f4821a82edc24a4ebe79e9264ab7d1c9d73a4cab3fd015a7fa7e3b0902f3bab6879f921baf401f0e6c0bd5a1e262ab9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\oYwQ.exe

Filesize
110KB

MD5
379348d0a88ddd6fe21c33847ef0462a

SHA1
8ae52186c5a9e676824c44a9f002b3dc1aa8fd15

SHA256
8a851a470cab5d6caa00e29ebf33514f5cd449c6739e57d499e394947de92a18

SHA512
5eeab00d308015bb8f7be3bc8dc79e5f89e6b0f23cfc89b3cf609966f9279f62be9c3425e44e7d07350ad8385de5e7f09b4c9de29edded38d1a3e78991d93f5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\occw.exe

Filesize
743KB

MD5
f1009371a5272cc5958cb546d2e78364

SHA1
6c0413409eb1be7deaeafb86ae7ba1c00b2bfe20

SHA256
8e80b94f2bad5aff22779c6b868564d3f3a3d4f69ead3f0003be9c30d4dc70d2

SHA512
1a3fc9dab4a3abcace246c5dc3f5f6b19db4c58aff6d530536c5f0044f495706a56536d6ce5360f56aa363e695d153da39e307e1bb3014cc8921f548b7f47426

Download Submit
C:\Users\Admin\AppData\Local\Temp\qEAg.exe

Filesize
124KB

MD5
02e0e59cb09e436d8365a3fdc3c56513

SHA1
fade8d42f008bba8261d0a110856f31773a485a5

SHA256
3f57f8eef3b8c8e1f5394eb1e052268887115bbce8e1cecafbdeeb74505e7a94

SHA512
1e86ff1111a0fdaa476768a31d360add6c71dcf19d3636808b359443d337474bc40ddfd5d5951fa0c5a3c713413f6f49e57acfa9f0d769f126bed7d3807161a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\qEwA.exe

Filesize
112KB

MD5
b8977c549d5300ca684cf53df249c68d

SHA1
a47920721dfcf145d195139c89060825d6d20e66

SHA256
219dd8613d4c19d673cc23f15ae7670facc156ed6cdf8b34367a9cefa0c52e79

SHA512
7f9a0d0c6b17f8fb25d14d13d1c1996f4e267eea5119d90a6426c693a86ec7a81ed539ab8906bc2c621710ea0861a2f0e4375f4b9e483207a5512b3165787ee9

Download Submit
C:\Users\Admin\AppData\Local\Temp\qIwe.exe

Filesize
236KB

MD5
f90c2db39474f252878afe926397ebd5

SHA1
38ffdf7ffe66dc2ac14e4ad8ee2b575fa3dace6f

SHA256
0b82112a884d4f4950f9c058f91cfa4b8ff95c846d1f62393f7ae798f7704409

SHA512
8d41b4357f968bb7daaa517e117811cec811c39a3a65e4097d7abe19d769b1b3ef5f449db0e687a4ae11d145e267e6781e683a4e6620fb154190934cac98238c

Download Submit
C:\Users\Admin\AppData\Local\Temp\qMQe.exe

Filesize
124KB

MD5
84401c604c4f66bcab03ea87139db31e

SHA1
39f795d6cb22ff745b831cec3a1114e55f33a5f3

SHA256
047e6d4b79e73c8257946dd45d36436c451f39a1fc6249bb4246e9550796700a

SHA512
a647410428f4a617a01b415ca396fc86587b888a3756799ba614b32d764ad5fa94e14cf84bdd72fe4e566e8363512063974da02d0b2843758c349e443f781259

Download Submit
C:\Users\Admin\AppData\Local\Temp\qUsi.exe

Filesize
664KB

MD5
ced27f5ce48bec7850e662835762123e

SHA1
4f280fbaa151a530750c4657f013b81d5ffa7d19

SHA256
4faa5fefeb6b5c454f00b757cd35f221c2b50f4ec48475ea5a010a5d2251ddc2

SHA512
6136eb6393a70a90f52b473315bff0a3a94f27e4183355010b990a675c53195eab84a0118465567e3f6afb979ba1973657def0e72089de44004996c712d54550

Download Submit
C:\Users\Admin\AppData\Local\Temp\qYYa.exe

Filesize
139KB

MD5
cd355aa07a404e352fd811bbd4dcac68

SHA1
ba6e47b5a8bbf8f97afd9b744bd313c15e0657c3

SHA256
6f2189ec0888bf71262226b310e37f71f2accb98da39b1c04ce9ce83b24788b3

SHA512
21953afbce32d64fedb80584708528491cc45398bfba0f4f48bd001651da2c15757de6bd30c5f416e431f904b2b835b080a6314fcfafdbf4b0b6203260277077

Download Submit
C:\Users\Admin\AppData\Local\Temp\qcYq.exe

Filesize
1.1MB

MD5
2686d0d16499e1d06a5ae98a7e99bdc5

SHA1
eecd0c565c0967dcce73308856466602fd7e8dd6

SHA256
b0be781af0612f53b4d4cf9491fe994193c36962da649942dc13d4819bd2d60f

SHA512
c8bfe520d817072593101d33b9b4d267615ae9a90ce8fc1f1f1f33eb1a931b320730c085e523d8b37982019110aa07782844211da6c5a49d458e0d530addd40f

Download Submit
C:\Users\Admin\AppData\Local\Temp\sAsu.exe

Filesize
112KB

MD5
ec6e54f3a912128323e69f7b004b53b4

SHA1
e8df1df3d2f8508bfd6288056e3f40e6aa6269dd

SHA256
5867ed457d0ca43babb10106c0494a0ed9899efe911bac56799913ebccffb626

SHA512
46457ce2149a65214aff6331266ff1bdaaf45e960cbdbf0939bf4ceb64d2fa3302ef33e308c82d44f4f6a9e3aaae245162c71789bcf427ca92385d5af6c2b972

Download Submit
C:\Users\Admin\AppData\Local\Temp\sMQM.exe

Filesize
149KB

MD5
333a7cfaf54e6f026f01328a9d918219

SHA1
7aafd0af73a09e2f2d0fe7fe0b40a4bd9ff04d9c

SHA256
087058c8818cda40582377975f2a9b446ac77dfdb0a4c5c3a5c5472839a6d478

SHA512
ed2534ca1b0e4c1a30187c2abe155b8488dbc895f8602075ad50c499b21d0059c001c136a680e61cca54b584f7389c2d47249047873f23bdbc9aa76926cd14fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\sQwW.exe

Filesize
110KB

MD5
3f177b1c225e89682e6396ab79195f82

SHA1
da2b0459c4eeb12da8ce4e68d32a8ae1fe1c2b09

SHA256
e03e36799e30c7f6b874fa8b82dd7ec7e2857fa43293d6a04a17b91943e5e395

SHA512
87bc844c8427ebcf67a999156743c9817fc89085f4ef5251c1e458fd8cbdf5986beb11628813ed9130506e1e3f9e2df9ee6d971d910492a927c1a26568191e34

Download Submit
C:\Users\Admin\AppData\Local\Temp\ssYo.exe

Filesize
111KB

MD5
d7fdcd3b8a3324521df317fd735c30d7

SHA1
a4a969f304dc5c4435a9cf73fce7121c525dbea4

SHA256
8155e376bdfddb3d202ac54b0cc804d3761782d3d4692b50b8331c07b728b96e

SHA512
2605d6c438ee3f20ac1efd29d0692daea89a99e8d813714f435102344eed33ef9fbca0697482aa7d401881b5fadcbfe61d4c9e19d8db273c2141a9d1e5682a86

Download Submit
C:\Users\Admin\AppData\Local\Temp\uAMG.exe

Filesize
114KB

MD5
0064d429c9cf28afaeaa0704773aa439

SHA1
56df83a782677dce978edd0f6162e76a502334d5

SHA256
054ea59e6e64d5cd9fdc4b9b8ed4c1fa204af94e9cac0c8c91f07b29d6f56eac

SHA512
2b4e2fc003a4395f507d3174b9eccf4e8ddd9b17347bf81be5f3354c4f711c323a6c285b42f7ab2f8ae04933d8d1ac9e76e0dce61b0894d71d3c7940a220b5ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\uIQI.exe

Filesize
110KB

MD5
16e51912d9451fb6f3f45854330706a2

SHA1
072dba27fd80a85b3e5d1a5a723524c0cb97b78e

SHA256
d38a408b307696bc7ccc85deff389adce149a6a92d5d813ff8cea2604f63ec7f

SHA512
43c32f6a50c2623af806e4cb0af68d0386ff275a66d683f847d0f26807e745e2a386b49bc23b7b55c926d575d9d62b9a973dadbcb5e5379b78ef2c5f4ac5effb

Download Submit
C:\Users\Admin\AppData\Local\Temp\uQMk.exe

Filesize
577KB

MD5
86f9719089ae67374f0dea3a6f751a53

SHA1
3f3d0b3561a3324b479e5fc6eb2d227a1ddeea73

SHA256
9541956bd21835599cf59d025cc430387cbe6608e3834d3cb113910c3102b720

SHA512
913f4d10416be95cc2f63f7b899a9d05fb9d26ec26e3a6abb7e92508efb1d0039c00511fec606a696e1629ef2e77470ab5c0b4538770014cf26ee951697c0707

Download Submit
C:\Users\Admin\AppData\Local\Temp\ukIa.exe

Filesize
567KB

MD5
cf461f78a005535bdd4e3d9f2aec8e9f

SHA1
f77cb6679c9528f5133f8731e6b6c280a0f6cb8d

SHA256
6875aa432cb8701357f1be133e890eb26f9b5bfaeb5caa8f6f971aa1581dd1ae

SHA512
67baa59b0e717ac9a355caa450665b0153c7a8ee18c90cf8ef17835af5207732235534b7ea7ad66c9931d6442d2effc99c33350efd6252b6ba3535c6da51a0dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\uwok.exe

Filesize
111KB

MD5
fe2448211937ec82fe94bb06494e68aa

SHA1
523a8de1f36bd7947f89676986b1ca38ce7fbe0b

SHA256
2b6cb21ca4278778d07679b15664a3af509837059ebc9647553a0bed061a6d93

SHA512
59da9c3ad754bfaa13e1561165d24e44ba1ee30f8ccc9957573ece8252e9ee603e79b11e97f667325fead4ccb5ebc2389fdf0c188a2b5b6445c3bc7a0adb6239

Download Submit
C:\Users\Admin\AppData\Local\Temp\wAIi.exe

Filesize
113KB

MD5
f8b4cf3ff5d9e0cfe1316d7e5948c0d4

SHA1
46a6edb3df3c215441fd8a44a7160d5f6208f910

SHA256
c30c545b3e8d9948aa2c4ad891608cecd0f8f95c608a8a6ec4cdacbaa7726a60

SHA512
37359d31a4ba828f87cb057fc67ebcfe872d74dc398e58bb4d3cb811f9fb9b873d3e4b3866e972a8afa4e1c683d64dfc63cced7e2fca4cb5dd86501c7b1cf440

Download Submit
C:\Users\Admin\AppData\Local\Temp\wAkI.exe

Filesize
633KB

MD5
64c6b516c34d8dcf15ed0bf5c332eea9

SHA1
2afc3a4a17203fe72dd9dff6c1fe7e392817acd7

SHA256
db750f406cd6e9f095002ee1a745997b05adeaa76f87e3b278d74fe9aa54cdb4

SHA512
1a65420a51f6837c087edc7563b51d191575e32e9944292d1f17a92b8a3d22003e99320376f67f266ce1f1137b6269d54796e40da8524a0b108a930622f6d8dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\wEgq.exe

Filesize
115KB

MD5
becfba54d2333ed77cd0009b5b84bcd1

SHA1
16a8b8e5d6bad0c2967d8710a424168938d61f04

SHA256
2592e7067ddd78073256eb704e93b9711d081a33399e77c4594d12d82ab2a601

SHA512
7ead757eece021b0151712b36dff8239ca237e4c4b840ace232dd2774f3fcb9da3fe1499b5b15a77b69b523eaf42ba603642307e34f7cfe81ac79e4793724105

Download Submit
C:\Users\Admin\AppData\Local\Temp\wQwI.exe

Filesize
721KB

MD5
ae43b4a34c3d4b0384ca5a477e32ed5e

SHA1
94c463eeeff6250dd896b035574d93d9152dbe36

SHA256
52dd245c43a47f9af27d9a257f773e3b7eb36ab336dc5f7b4206c581b9ec9b86

SHA512
963585051968510a34d42b700134151ed9b0e004d6615f333881147fe953617b5068fa2d0c31c753721928eac31431862a8c8e1d86e98979cfb97e3f04de3569

Download Submit
C:\Users\Admin\AppData\Local\Temp\wcsY.exe

Filesize
113KB

MD5
0fd2246d47d5a784aec45e5704d18c09

SHA1
5d04d9dd876bf3634937e8278a35011ac7587e59

SHA256
91e77544db7faa13dfc9df1e74e935e1c8202e550436ece405cfe5a4d6f1359f

SHA512
d4e948166ce71edcdfabeedd84464c8333ee1f9cea0fae6633ac6d5f511c015ff838b1f7e5ce01e4e17c71b65516c0813d35952f2f49984d6c361c3b020dff6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\wsQi.exe

Filesize
238KB

MD5
63fd431f36f93bb23960d378b28d7239

SHA1
373b10505e78d682f4686fdd06efe21f2ee5df14

SHA256
7e91ba60d35426bc1ccb14039447734094069d3575d257c4365016555e0553f0

SHA512
c50fbb9eb479058066d0c1855930c02503ff24342850206390aabc84a526ea383a457d0229d1e29452496a7c6ee953bcc316ad4887a1df31f8c073982fbbbd84

Download Submit
C:\Users\Admin\AppData\Local\Temp\yAoC.exe

Filesize
118KB

MD5
007a7c61461b939707fe4f0ff49b5703

SHA1
64f790469aaa104af9774d9e4b07c81e5aef19ce

SHA256
2ea5dc16a153096e0cd4832263a80e567da42981f31f431db342a785e73f68b7

SHA512
1697eb3ee0ba3fdf34b48ce2b8e931495218ea0e97bb075b92b5fe4170b6082d86f80c1781e01e7b69f8ce7d4c7d7080d01d306f0ebbf6140f3f1e884011605f

Download Submit
C:\Users\Admin\AppData\Local\Temp\yQYE.exe

Filesize
358KB

MD5
e84349e71749533f94daf999c1d8a1bd

SHA1
5acac5dac641b0ef0d959a3c06d929188d3ad8f3

SHA256
ca1d63de06ca8d95d6a92087b1722dfb154429aedc4e7429c4b3050575b4a5fc

SHA512
a01fc466ff0d86a252ac51e49d973be98d9a1ef9cb1e5aba35462b14734b8106bbcecd951f4194cd4c89247f44f069ef4ef547d9dc493b0c54b76cc8a61faa2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\yoQW.exe

Filesize
406KB

MD5
8ec17748057d62ee813ca00ccd261634

SHA1
263718321ece22911898e3443340c21f5be5fb26

SHA256
9e5e45132a71a25d7fa5fa18afd2433b7e277d8856cbff3cce4ab84819e8e411

SHA512
8391ca83abcf73f963598ed0955c4a0f55956e3a87f9f3dd279fd545554b4a00e89e94b9b56f091587526055f2581ddba0974c151646f9ee17b2edc6056d8f8a

Download Submit
C:\Users\Admin\XmoQUcEc\lMgYUsME.exe

Filesize
111KB

MD5
947bfd8b023e11fb8d5c8552ee0a35b3

SHA1
972bce40405fc72a5737c0d3502a7074b1e50df3

SHA256
45e233dacac6947f3862f4032d47ba40ed6d3e6841404d016e669482f156d094

SHA512
fb2f74e53eaa0de1d8d73009c67fcc5d22c8fddf9496098c0000c503043e3d9557b483f8f63dc55f6d7d04fc54213136a967d77f71632c6ab9cc01eb4834606a

Download Submit
memory/452-64-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/612-286-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/612-278-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/644-465-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/740-253-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/876-53-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/940-665-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/944-294-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/964-394-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1028-1244-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1100-143-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1136-807-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1168-1388-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1180-1766-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1180-1670-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1296-167-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1296-178-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1304-87-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1304-76-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1416-434-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1476-1945-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1476-1995-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1528-335-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1644-1816-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1648-222-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1720-361-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1720-354-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1728-224-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1728-234-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1744-302-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1800-5-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1956-378-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1992-245-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2024-1308-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2024-1240-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2180-110-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2356-20-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2356-31-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2452-75-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2452-200-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2452-808-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2452-858-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2608-1101-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2608-1065-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2632-19-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2632-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2652-310-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2752-2088-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2752-2010-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2752-523-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2780-743-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2780-693-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2932-1516-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2968-121-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3076-42-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3084-362-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3084-370-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3200-315-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3200-327-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3216-986-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3352-1451-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3352-1383-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3356-386-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3428-1688-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3428-319-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3428-1609-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3456-1016-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3456-1052-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3460-15-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/3468-1921-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3508-418-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3524-211-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3792-189-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3836-336-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3836-344-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4048-1871-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4088-426-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4224-908-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4260-277-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4308-155-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4312-402-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4312-1193-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4624-261-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4636-442-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4704-166-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4704-151-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4864-473-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4884-1608-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4884-1544-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4896-410-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5016-352-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5020-587-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5020-269-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5020-88-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5020-99-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5068-132-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download