7f89c34f98ce21ea18234c4e5c0fb83274cd63519b630d553bb6751b0b6fe4e2

Analysis

max time kernel
150s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20-09-2024 18:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
Size

208KB
MD5

006fbb7a7a5386fe5629f895d8969b45
SHA1

0241c9d8234e6b31d51f70a9df97dfa700a73229
SHA256

7f89c34f98ce21ea18234c4e5c0fb83274cd63519b630d553bb6751b0b6fe4e2
SHA512

995542437cca9f18a56a9a51fa69a01da784d7d8be277ab2e6be83fd2d162ab3761992aaaacb93e337de4a70aabbcee0e4068dd5632cf98b9534fd836340cb84
SSDEEP

3072:FRyqCshdxLZhd91BNskwIBnvy8VLKYl0XMKvWWFDTJOQd2xfPmS:HFHfdbsJIBnhVLKYlQRFDt5d4

Score

10^/10

discovery evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (76) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	hCkUwgwQ.exe

Executes dropped EXE 2 IoCs

pid	Process
2888	hCkUwgwQ.exe
2016	MoAUAwgw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hCkUwgwQ.exe = "C:\\Users\\Admin\\OGUwssEA\\hCkUwgwQ.exe"	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MoAUAwgw.exe = "C:\\ProgramData\\RwsUQEsM\\MoAUAwgw.exe"	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hCkUwgwQ.exe = "C:\\Users\\Admin\\OGUwssEA\\hCkUwgwQ.exe"	hCkUwgwQ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MoAUAwgw.exe = "C:\\ProgramData\\RwsUQEsM\\MoAUAwgw.exe"	MoAUAwgw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
4212	reg.exe
1172	reg.exe
2916	Process not Found
2952	reg.exe
3448	reg.exe
3600	reg.exe
1844	reg.exe
3132	reg.exe
4228	Process not Found
3752	reg.exe
468	reg.exe
2232	Process not Found
4800	Process not Found
4604	Process not Found
4932	reg.exe
3248	reg.exe
1000	reg.exe
1516	Process not Found
1632	reg.exe
60	reg.exe
1832	reg.exe
4496	reg.exe
3612	reg.exe
2952	reg.exe
5088	reg.exe
4468	reg.exe
532	reg.exe
4496	reg.exe
4968	reg.exe
3696	Process not Found
1900	reg.exe
4908	reg.exe
60	reg.exe
3772	reg.exe
932	reg.exe
1496	Process not Found
3548	reg.exe
2316	reg.exe
4672	reg.exe
4860	reg.exe
3748	reg.exe
3740	reg.exe
2768	reg.exe
1760	reg.exe
4236	reg.exe
3292	reg.exe
1760	reg.exe
4188	reg.exe
4176	reg.exe
5012	reg.exe
2700	reg.exe
2424	reg.exe
4416	reg.exe
2312	reg.exe
220	reg.exe
1724	reg.exe
3600	reg.exe
2772	reg.exe
3100	reg.exe
4084	reg.exe
2768	reg.exe
644	reg.exe
668	reg.exe
1168	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2080	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
2080	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
2080	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
2080	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
4832	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
4832	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
4832	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
4832	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
4732	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
4732	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
4732	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
4732	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
1116	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
1116	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
1116	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
1116	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
2464	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
2464	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
2464	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
2464	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
2268	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
2268	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
2268	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
2268	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
3636	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
3636	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
3636	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
3636	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
400	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
400	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
400	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
400	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
4468	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
4468	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
4468	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
4468	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
3248	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
3248	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
3248	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
3248	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
5028	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
5028	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
5028	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
5028	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
4592	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
4592	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
4592	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
4592	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
2040	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
2040	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
2040	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
2040	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
3748	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
3748	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
3748	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
3748	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
4148	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
4148	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
4148	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
4148	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
3784	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
3784	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
3784	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
3784	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2888	hCkUwgwQ.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2888	hCkUwgwQ.exe
2888	hCkUwgwQ.exe
2888	hCkUwgwQ.exe
2888	hCkUwgwQ.exe
2888	hCkUwgwQ.exe
2888	hCkUwgwQ.exe
2888	hCkUwgwQ.exe
2888	hCkUwgwQ.exe
2888	hCkUwgwQ.exe
2888	hCkUwgwQ.exe
2888	hCkUwgwQ.exe
2888	hCkUwgwQ.exe
2888	hCkUwgwQ.exe
2888	hCkUwgwQ.exe
2888	hCkUwgwQ.exe
2888	hCkUwgwQ.exe
2888	hCkUwgwQ.exe
2888	hCkUwgwQ.exe
2888	hCkUwgwQ.exe
2888	hCkUwgwQ.exe
2888	hCkUwgwQ.exe
2888	hCkUwgwQ.exe
2888	hCkUwgwQ.exe
2888	hCkUwgwQ.exe
2888	hCkUwgwQ.exe
2888	hCkUwgwQ.exe
2888	hCkUwgwQ.exe
2888	hCkUwgwQ.exe
2888	hCkUwgwQ.exe
2888	hCkUwgwQ.exe
2888	hCkUwgwQ.exe
2888	hCkUwgwQ.exe
2888	hCkUwgwQ.exe
2888	hCkUwgwQ.exe
2888	hCkUwgwQ.exe
2888	hCkUwgwQ.exe
2888	hCkUwgwQ.exe
2888	hCkUwgwQ.exe
2888	hCkUwgwQ.exe
2888	hCkUwgwQ.exe
2888	hCkUwgwQ.exe
2888	hCkUwgwQ.exe
2888	hCkUwgwQ.exe
2888	hCkUwgwQ.exe
2888	hCkUwgwQ.exe
2888	hCkUwgwQ.exe
2888	hCkUwgwQ.exe
2888	hCkUwgwQ.exe
2888	hCkUwgwQ.exe
2888	hCkUwgwQ.exe
2888	hCkUwgwQ.exe
2888	hCkUwgwQ.exe
2888	hCkUwgwQ.exe
2888	hCkUwgwQ.exe
2888	hCkUwgwQ.exe
2888	hCkUwgwQ.exe
2888	hCkUwgwQ.exe
2888	hCkUwgwQ.exe
2888	hCkUwgwQ.exe
2888	hCkUwgwQ.exe
2888	hCkUwgwQ.exe
2888	hCkUwgwQ.exe
2888	hCkUwgwQ.exe
2888	hCkUwgwQ.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2080 wrote to memory of 2888	2080	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe	89
PID 2080 wrote to memory of 2888	2080	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe	89
PID 2080 wrote to memory of 2888	2080	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe	89
PID 2080 wrote to memory of 2016	2080	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe	90
PID 2080 wrote to memory of 2016	2080	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe	90
PID 2080 wrote to memory of 2016	2080	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe	90
PID 2080 wrote to memory of 4968	2080	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe	91
PID 2080 wrote to memory of 4968	2080	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe	91
PID 2080 wrote to memory of 4968	2080	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe	91
PID 4968 wrote to memory of 4832	4968	cmd.exe	93
PID 4968 wrote to memory of 4832	4968	cmd.exe	93
PID 4968 wrote to memory of 4832	4968	cmd.exe	93
PID 2080 wrote to memory of 4932	2080	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe	94
PID 2080 wrote to memory of 4932	2080	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe	94
PID 2080 wrote to memory of 4932	2080	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe	94
PID 2080 wrote to memory of 2912	2080	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe	95
PID 2080 wrote to memory of 2912	2080	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe	95
PID 2080 wrote to memory of 2912	2080	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe	95
PID 2080 wrote to memory of 4120	2080	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe	96
PID 2080 wrote to memory of 4120	2080	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe	96
PID 2080 wrote to memory of 4120	2080	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe	96
PID 2080 wrote to memory of 752	2080	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe	97
PID 2080 wrote to memory of 752	2080	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe	97
PID 2080 wrote to memory of 752	2080	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe	97
PID 752 wrote to memory of 2012	752	cmd.exe	102
PID 752 wrote to memory of 2012	752	cmd.exe	102
PID 752 wrote to memory of 2012	752	cmd.exe	102
PID 4832 wrote to memory of 1516	4832	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe	103
PID 4832 wrote to memory of 1516	4832	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe	103
PID 4832 wrote to memory of 1516	4832	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe	103
PID 1516 wrote to memory of 4732	1516	cmd.exe	105
PID 1516 wrote to memory of 4732	1516	cmd.exe	105
PID 1516 wrote to memory of 4732	1516	cmd.exe	105
PID 4832 wrote to memory of 1036	4832	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe	106
PID 4832 wrote to memory of 1036	4832	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe	106
PID 4832 wrote to memory of 1036	4832	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe	106
PID 4832 wrote to memory of 1352	4832	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe	107
PID 4832 wrote to memory of 1352	4832	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe	107
PID 4832 wrote to memory of 1352	4832	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe	107
PID 4832 wrote to memory of 1244	4832	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe	108
PID 4832 wrote to memory of 1244	4832	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe	108
PID 4832 wrote to memory of 1244	4832	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe	108
PID 4832 wrote to memory of 1000	4832	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe	109
PID 4832 wrote to memory of 1000	4832	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe	109
PID 4832 wrote to memory of 1000	4832	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe	109
PID 1000 wrote to memory of 3140	1000	cmd.exe	114
PID 1000 wrote to memory of 3140	1000	cmd.exe	114
PID 1000 wrote to memory of 3140	1000	cmd.exe	114
PID 4732 wrote to memory of 5040	4732	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe	115
PID 4732 wrote to memory of 5040	4732	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe	115
PID 4732 wrote to memory of 5040	4732	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe	115
PID 5040 wrote to memory of 1116	5040	cmd.exe	117
PID 5040 wrote to memory of 1116	5040	cmd.exe	117
PID 5040 wrote to memory of 1116	5040	cmd.exe	117
PID 4732 wrote to memory of 3180	4732	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe	118
PID 4732 wrote to memory of 3180	4732	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe	118
PID 4732 wrote to memory of 3180	4732	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe	118
PID 4732 wrote to memory of 1236	4732	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe	119
PID 4732 wrote to memory of 1236	4732	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe	119
PID 4732 wrote to memory of 1236	4732	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe	119
PID 4732 wrote to memory of 3300	4732	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe	120
PID 4732 wrote to memory of 3300	4732	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe	120
PID 4732 wrote to memory of 3300	4732	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe	120
PID 4732 wrote to memory of 5056	4732	20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe	121

C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
"C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2080
- C:\Users\Admin\OGUwssEA\hCkUwgwQ.exe
  "C:\Users\Admin\OGUwssEA\hCkUwgwQ.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:2888
- C:\ProgramData\RwsUQEsM\MoAUAwgw.exe
  "C:\ProgramData\RwsUQEsM\MoAUAwgw.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2016
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4968
- - C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
    C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4832
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1516
    - - C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4732
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:5040
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        8⤵
        
        PID:1212
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        10⤵
        
        PID:2916
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        12⤵
        
        PID:540
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        14⤵
        
        PID:1516
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        16⤵
        
        PID:1104
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:1712
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        20⤵
        
        PID:3344
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        22⤵
        
        PID:3444
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        24⤵
        
        PID:2208
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        25⤵
        
        PID:2748
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        26⤵
        
        PID:1200
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        28⤵
        
        PID:2284
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        30⤵
        
        PID:4188
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        32⤵
        
        PID:3196
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        33⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        34⤵
        
        PID:3140
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        35⤵
        
        PID:3228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        36⤵
        
        PID:1960
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        37⤵
        
        PID:60
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        38⤵
        
        PID:1652
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        39⤵
        
        PID:3784
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        39⤵
        
        PID:748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        40⤵
        
        PID:3584
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        41⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        42⤵
        
        PID:932
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        43⤵
        
        PID:3600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        44⤵
        System Location Discovery: System Language Discovery
        
        PID:1308
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        45⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        46⤵
        
        PID:3988
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        47⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        48⤵
        
        PID:5024
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        49⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        50⤵
        
        PID:4520
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        51⤵
        
        PID:1244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        52⤵
        
        PID:920
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        53⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        54⤵
        
        PID:556
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        55⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        56⤵
        
        PID:4472
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        57⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        58⤵
        
        PID:2308
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        59⤵
        
        PID:3332
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        59⤵
        
        PID:396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        60⤵
        
        PID:1412
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        61⤵
        
        PID:3428
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        61⤵
        
        PID:3260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        62⤵
        System Location Discovery: System Language Discovery
        
        PID:1712
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        63⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        64⤵
        
        PID:4936
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        65⤵
        
        PID:752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        66⤵
        System Location Discovery: System Language Discovery
        
        PID:4848
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        67⤵
        
        PID:844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        68⤵
        System Location Discovery: System Language Discovery
        
        PID:3280
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        69⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        70⤵
        
        PID:1496
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        71⤵
        
        PID:1748
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        71⤵
        System Location Discovery: System Language Discovery
        
        PID:2288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        72⤵
        
        PID:2200
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        73⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        74⤵
        
        PID:4596
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        75⤵
        
        PID:216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        76⤵
        
        PID:4208
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        77⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        78⤵
        
        PID:544
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        79⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        80⤵
        
        PID:2200
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        81⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        82⤵
        
        PID:3748
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        83⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        84⤵
        System Location Discovery: System Language Discovery
        
        PID:2308
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        85⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        86⤵
        
        PID:3540
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        87⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        88⤵
        
        PID:2200
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        89⤵
        
        PID:4160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        90⤵
        
        PID:4352
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        91⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        92⤵
        
        PID:4540
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        93⤵
        
        PID:4800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        94⤵
        
        PID:4848
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        95⤵
        
        PID:3236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        96⤵
        
        PID:4084
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        97⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        98⤵
        
        PID:1444
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        99⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        100⤵
        
        PID:1832
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        101⤵
        System Location Discovery: System Language Discovery
        
        PID:916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        102⤵
        
        PID:1756
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        103⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        104⤵
        
        PID:2952
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        105⤵
        
        PID:844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        106⤵
        
        PID:3248
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        107⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        108⤵
        
        PID:2308
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        109⤵
        
        PID:540
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        109⤵
        
        PID:3176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        110⤵
        
        PID:2488
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        111⤵
        
        PID:1216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        112⤵
        
        PID:4824
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        113⤵
        
        PID:976
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        113⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        114⤵
        
        PID:4160
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        115⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        116⤵
        
        PID:1184
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        117⤵
        
        PID:3176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        118⤵
        
        PID:3160
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        119⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        120⤵
        
        PID:2860
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        121⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        122⤵
        
        PID:4336
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        123⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        124⤵
        
        PID:3544
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        125⤵
        System Location Discovery: System Language Discovery
        
        PID:4848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        126⤵
        
        PID:1832
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        127⤵
        
        PID:932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        128⤵
        
        PID:3228
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        129⤵
        
        PID:1000
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        129⤵
        
        PID:516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        130⤵
        
        PID:4512
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        131⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        132⤵
        
        PID:3300
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        133⤵
        
        PID:3236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        134⤵
        
        PID:1968
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        135⤵
        
        PID:2208
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        135⤵
        
        PID:392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        136⤵
        
        PID:3600
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        137⤵
        
        PID:1448
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        137⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        138⤵
        
        PID:2416
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        139⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        140⤵
        
        PID:5072
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        141⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        142⤵
        
        PID:3296
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        143⤵
        System Location Discovery: System Language Discovery
        
        PID:1516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        144⤵
        
        PID:1968
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        145⤵
        
        PID:2200
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        145⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        146⤵
        
        PID:1716
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        147⤵
        
        PID:1944
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        147⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        148⤵
        
        PID:4364
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        149⤵
        
        PID:1212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        150⤵
        
        PID:3264
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        151⤵
        
        PID:1000
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        151⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        152⤵
        
        PID:3236
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        153⤵
        
        PID:3768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        154⤵
        System Location Discovery: System Language Discovery
        
        PID:4560
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        155⤵
        
        PID:4540
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        155⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        156⤵
        
        PID:1764
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        157⤵
        
        PID:844
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        157⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        158⤵
        
        PID:4652
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        159⤵
        
        PID:2200
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        159⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        160⤵
        
        PID:1516
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        161⤵
        
        PID:4228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        162⤵
        
        PID:3252
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        163⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        164⤵
        
        PID:1320
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        165⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        166⤵
        
        PID:2464
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        167⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        168⤵
        
        PID:3064
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        169⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        170⤵
        System Location Discovery: System Language Discovery
        
        PID:4776
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        171⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        172⤵
        
        PID:2368
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        173⤵
        
        PID:532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        174⤵
        
        PID:4832
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        175⤵
        
        PID:3296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        176⤵
        
        PID:3004
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        177⤵
        
        PID:920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        178⤵
        
        PID:3064
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        179⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        180⤵
        
        PID:60
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        181⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        182⤵
        
        PID:4644
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        183⤵
        
        PID:2424
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        183⤵
        
        PID:752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        184⤵
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        185⤵
        
        PID:3776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        186⤵
        
        PID:4148
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        187⤵
        
        PID:2416
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        187⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        188⤵
        
        PID:3064
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        189⤵
        System Location Discovery: System Language Discovery
        
        PID:3276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        190⤵
        
        PID:4268
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        191⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        192⤵
        
        PID:3636
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        193⤵
        
        PID:4680
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        193⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        194⤵
        
        PID:2780
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        195⤵
        
        PID:2768
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        195⤵
        
        PID:632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        196⤵
        
        PID:3124
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        197⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        198⤵
        
        PID:4148
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        199⤵
        
        PID:668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        200⤵
        
        PID:4344
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        201⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        202⤵
        
        PID:3988
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        203⤵
        
        PID:3736
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        203⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        204⤵
        
        PID:552
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        205⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        206⤵
        
        PID:5016
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        207⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        208⤵
        
        PID:2832
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        209⤵
        
        PID:1264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        210⤵
        
        PID:3392
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        211⤵
        
        PID:976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        212⤵
        
        PID:3064
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        213⤵
        
        PID:64
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        213⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        214⤵
        
        PID:3100
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        215⤵
        
        PID:1184
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        215⤵
        
        PID:3440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        216⤵
        
        PID:976
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        217⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        218⤵
        
        PID:532
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        219⤵
        
        PID:5116
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        219⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        220⤵
        System Location Discovery: System Language Discovery
        
        PID:412
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        221⤵
        System Location Discovery: System Language Discovery
        
        PID:2528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        222⤵
        
        PID:2348
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        223⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        224⤵
        
        PID:1244
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        225⤵
        
        PID:3752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        226⤵
        
        PID:1100
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        227⤵
        
        PID:412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        228⤵
        
        PID:3776
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        229⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        230⤵
        
        PID:3160
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        231⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        232⤵
        
        PID:2380
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        233⤵
        
        PID:4908
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        233⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        234⤵
        
        PID:64
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        235⤵
        
        PID:1184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        236⤵
        
        PID:2700
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        237⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        238⤵
        
        PID:3712
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        239⤵
        
        PID:1960
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        239⤵
        
        PID:512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        240⤵
        
        PID:4920
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        241⤵
        
        PID:3440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        242⤵
        
        PID:3736
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        243⤵
        
        PID:2192
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        243⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        244⤵
        
        PID:3296
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        245⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        246⤵
        
        PID:3124
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        247⤵
        
        PID:3236
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        247⤵
        
        PID:220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        248⤵
        
        PID:4504
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        249⤵
        
        PID:4340
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        249⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        250⤵
        
        PID:1516
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        251⤵
        
        PID:3112
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock
        251⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock"
        252⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        250⤵
        
        PID:4860
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        251⤵
        
        PID:3600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        250⤵
        
        PID:1184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        250⤵
        
        PID:3804
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        251⤵
        
        PID:3104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gKwUUEgE.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        250⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        251⤵
        
        PID:668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        248⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        248⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        248⤵
        Modifies registry key
        
        PID:3132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cUcMIEIA.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        248⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        249⤵
        
        PID:3696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        246⤵
        
        PID:2460
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        247⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        246⤵
        
        PID:2476
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        247⤵
        
        PID:3712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        246⤵
        UAC bypass
        Modifies registry key
        
        PID:2424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UgogYwoQ.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        246⤵
        
        PID:976
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        247⤵
        
        PID:3676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        244⤵
        Modifies registry key
        
        PID:1844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        244⤵
        System Location Discovery: System Language Discovery
        
        PID:3280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        244⤵
        UAC bypass
        
        PID:4560
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        245⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xGMsQkoI.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        244⤵
        
        PID:380
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        245⤵
        System Location Discovery: System Language Discovery
        
        PID:844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        242⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        242⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        242⤵
        UAC bypass
        
        PID:2344
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        243⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TgsQkUMw.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        242⤵
        
        PID:3776
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        243⤵
        System Location Discovery: System Language Discovery
        
        PID:3436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        240⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        240⤵
        
        PID:2356
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        241⤵
        
        PID:4324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        240⤵
        
        PID:3264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WyEUEUQk.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        240⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        241⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        238⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        238⤵
        Modifies registry key
        
        PID:2768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        238⤵
        UAC bypass
        
        PID:4228
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        239⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cAwkgsIg.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        238⤵
        
        PID:2308
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        239⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        239⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        236⤵
        
        PID:2208
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        237⤵
        
        PID:516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        236⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        236⤵
        
        PID:4236
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        237⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lioswQUk.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        236⤵
        
        PID:3144
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        237⤵
        
        PID:1188
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        237⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        234⤵
        System Location Discovery: System Language Discovery
        
        PID:3944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        234⤵
        
        PID:3080
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        235⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        234⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eIIoYoMQ.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        234⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        235⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        232⤵
        
        PID:668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        232⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        232⤵
        UAC bypass
        
        PID:3448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UKIUUQYc.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        232⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        233⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        230⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3364
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        231⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        230⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        230⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kMoYUQIE.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        230⤵
        
        PID:3712
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        231⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        228⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        228⤵
        
        PID:4800
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        229⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        228⤵
        
        PID:4084
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        229⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kUgYkwEg.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        228⤵
        
        PID:3068
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        229⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        229⤵
        
        PID:4176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        226⤵
        Modifies registry key
        
        PID:3292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        226⤵
        
        PID:4328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        226⤵
        
        PID:668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VYEgkUMU.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        226⤵
        
        PID:1216
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        227⤵
        
        PID:556
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        227⤵
        System Location Discovery: System Language Discovery
        
        PID:3280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        224⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3180
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        225⤵
        
        PID:3160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        224⤵
        
        PID:1036
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        225⤵
        
        PID:3536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        224⤵
        UAC bypass
        
        PID:4176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uegYgkko.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        224⤵
        
        PID:4556
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        225⤵
        
        PID:512
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        225⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        222⤵
        
        PID:3768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        222⤵
        Modifies registry key
        
        PID:932
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        223⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        222⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wQkUUEgY.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        222⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        223⤵
        
        PID:3080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        220⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        220⤵
        
        PID:3352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        220⤵
        UAC bypass
        
        PID:396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SGEYUEwU.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        220⤵
        
        PID:4084
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        221⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        221⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        218⤵
        Modifies visibility of file extensions in Explorer
        
        PID:644
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        219⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        218⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        218⤵
        UAC bypass
        
        PID:3548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FWUMwYcE.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        218⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        219⤵
        
        PID:3252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        216⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        216⤵
        
        PID:2368
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        217⤵
        
        PID:3264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        216⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LCoUMYgA.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        216⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        217⤵
        
        PID:3280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        214⤵
        
        PID:3712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        214⤵
        
        PID:4436
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        215⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        214⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OgcgoMAM.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        214⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        215⤵
        
        PID:920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        212⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        212⤵
        
        PID:4208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        212⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:3536
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        213⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lokEUwMI.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        212⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        213⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        210⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        210⤵
        
        PID:644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        210⤵
        UAC bypass
        
        PID:2700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ouIogIUc.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        210⤵
        
        PID:4800
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        211⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        208⤵
        
        PID:468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        208⤵
        
        PID:3184
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        209⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        208⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IasMwokc.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        208⤵
        
        PID:1216
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        209⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        209⤵
        
        PID:4860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        206⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1168
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        207⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        206⤵
        Modifies registry key
        
        PID:4968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        206⤵
        
        PID:3236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gAksYgws.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        206⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        207⤵
        
        PID:3300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        204⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        204⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        204⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmEQIQsY.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        204⤵
        
        PID:216
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        205⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        205⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        202⤵
        
        PID:3352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        202⤵
        System Location Discovery: System Language Discovery
        
        PID:5072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        202⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FcMgwAgo.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        202⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        203⤵
        
        PID:3100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        200⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3612
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        201⤵
        
        PID:392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        200⤵
        
        PID:3768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        200⤵
        UAC bypass
        
        PID:3068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ugUcMskg.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        200⤵
        System Location Discovery: System Language Discovery
        
        PID:4844
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        201⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        198⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        198⤵
        
        PID:1264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        198⤵
        
        PID:552
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        199⤵
        
        PID:60
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pwMAgEIs.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        198⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        199⤵
        System Location Discovery: System Language Discovery
        
        PID:1320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        196⤵
        
        PID:3080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        196⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        196⤵
        UAC bypass
        
        PID:5116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NEocEMEc.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        196⤵
        
        PID:3248
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        197⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        194⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        194⤵
        
        PID:468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        194⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iggIAQoU.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        194⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        195⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        192⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        192⤵
        
        PID:4732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        192⤵
        UAC bypass
        
        PID:1516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SWMsEoYg.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        192⤵
        
        PID:60
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        193⤵
        
        PID:3440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        190⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        190⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        190⤵
        
        PID:3100
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        191⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jYIkEgQs.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        190⤵
        
        PID:1216
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        191⤵
        
        PID:3160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        188⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        188⤵
        Modifies registry key
        
        PID:1172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        188⤵
        Modifies registry key
        
        PID:2768
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        189⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AcEAwMEk.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        188⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        189⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        186⤵
        
        PID:1168
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        186⤵
        
        PID:60
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        187⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        186⤵
        UAC bypass
        Modifies registry key
        
        PID:2952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HooEYkEI.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        186⤵
        
        PID:2916
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        187⤵
        
        PID:3696
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        187⤵
        
        PID:3184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        184⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:4844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        184⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        184⤵
        UAC bypass
        
        PID:392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hUgQUQEo.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        184⤵
        
        PID:4212
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        185⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        182⤵
        Modifies registry key
        
        PID:3100
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        183⤵
        
        PID:3248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        182⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        182⤵
        
        PID:380
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        183⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hMsUAsUc.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        182⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        183⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        180⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        180⤵
        
        PID:412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        180⤵
        
        PID:392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yioUUwUg.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        180⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        181⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        178⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3352
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        179⤵
        
        PID:4564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        178⤵
        System Location Discovery: System Language Discovery
        
        PID:1712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        178⤵
        UAC bypass
        
        PID:3292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sAQUEocU.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        178⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        179⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        176⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        176⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        176⤵
        
        PID:4620
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        177⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZIUYoAYo.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        176⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        177⤵
        
        PID:3720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        174⤵
        Modifies registry key
        
        PID:4496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        174⤵
        
        PID:396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        174⤵
        Modifies registry key
        
        PID:3612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xEEEAUMw.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        174⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        175⤵
        
        PID:3736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        172⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        172⤵
        
        PID:3720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        172⤵
        
        PID:2100
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        173⤵
        
        PID:1184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SKAokMIs.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        172⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        173⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        170⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        170⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        170⤵
        UAC bypass
        
        PID:976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NEMswwUM.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        170⤵
        
        PID:3160
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        171⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        168⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:532
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        169⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        168⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        168⤵
        
        PID:4472
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        169⤵
        
        PID:3140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oOkQoUIk.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        168⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        169⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        166⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        166⤵
        Modifies registry key
        
        PID:3772
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        167⤵
        
        PID:3176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        166⤵
        UAC bypass
        
        PID:4228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RWcgkswI.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        166⤵
        
        PID:64
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        167⤵
        
        PID:1264
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        167⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        164⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2312
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        165⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        164⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        164⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:3536
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        165⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qYsQUsEM.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        164⤵
        
        PID:3300
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        165⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        162⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        162⤵
        
        PID:1968
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        163⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        162⤵
        UAC bypass
        
        PID:1212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgosgMYY.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        162⤵
        
        PID:1188
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        163⤵
        
        PID:4732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        160⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:5012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        160⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        160⤵
        
        PID:2416
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        161⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JOMQYgME.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        160⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        161⤵
        
        PID:3696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        158⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        158⤵
        System Location Discovery: System Language Discovery
        
        PID:4336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        158⤵
        UAC bypass
        Modifies registry key
        
        PID:3740
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        159⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EIUUoQIk.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        158⤵
        
        PID:632
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        159⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        156⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        156⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        156⤵
        
        PID:512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KGMUMcIU.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        156⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        157⤵
        
        PID:556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        154⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        154⤵
        
        PID:1236
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        155⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        154⤵
        
        PID:2720
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        155⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AyMgIYQU.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        154⤵
        
        PID:1188
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        155⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        155⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        152⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        152⤵
        
        PID:3220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        152⤵
        UAC bypass
        
        PID:3276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sSggAUAU.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        152⤵
        
        PID:3176
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        153⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        150⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        150⤵
        
        PID:4564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        150⤵
        UAC bypass
        Modifies registry key
        
        PID:4672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RCYsMIAE.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        150⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        151⤵
        
        PID:220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        148⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        148⤵
        
        PID:3444
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        149⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        148⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rsQoEUkY.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        148⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        149⤵
        
        PID:3104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        146⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        146⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        146⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jYUAcIkA.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        146⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        147⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        144⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        144⤵
        
        PID:3140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        144⤵
        UAC bypass
        
        PID:3144
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        145⤵
        
        PID:4160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JgYMYQQs.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        144⤵
        
        PID:3748
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        145⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        142⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        142⤵
        
        PID:3124
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        143⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        142⤵
        
        PID:644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\meMEIYEI.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        142⤵
        
        PID:3432
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        143⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        140⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2832
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        141⤵
        
        PID:3228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        140⤵
        
        PID:1188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        140⤵
        
        PID:1748
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        141⤵
        
        PID:3100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JWUAgskI.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        140⤵
        
        PID:4620
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        141⤵
        
        PID:216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        138⤵
        
        PID:2356
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        139⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        138⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        138⤵
        UAC bypass
        
        PID:3392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ngoQMoAU.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        138⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        139⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        136⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        136⤵
        Modifies registry key
        
        PID:668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        136⤵
        UAC bypass
        Modifies registry key
        
        PID:1900
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        137⤵
        
        PID:3448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UmsAIsYw.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        136⤵
        
        PID:4212
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        137⤵
        
        PID:3104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        134⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4324
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        135⤵
        
        PID:4844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        134⤵
        
        PID:4680
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        135⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        134⤵
        UAC bypass
        
        PID:4244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GyIAUEoo.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        134⤵
        
        PID:3292
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        135⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        132⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        132⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        132⤵
        Modifies registry key
        
        PID:4236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cAMwMwkA.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        132⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        133⤵
        
        PID:3432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        UAC bypass
        
        PID:1960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QMgEMgEA.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        130⤵
        
        PID:2772
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        131⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        131⤵
        
        PID:1244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        Modifies registry key
        
        PID:2316
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        129⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        
        PID:644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zYAMQkAA.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        128⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        129⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        Modifies registry key
        
        PID:3748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        
        PID:3236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        UAC bypass
        
        PID:4796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gSMkEIcg.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        126⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2192
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        125⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eesockEk.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        124⤵
        
        PID:3176
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        125⤵
        
        PID:3352
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        
        PID:1352
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        123⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        
        PID:4800
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        123⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        UAC bypass
        
        PID:1796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eCQsMcog.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        122⤵
        
        PID:3276
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:3440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        
        PID:512
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        121⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        
        PID:4564
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        121⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        
        PID:1168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rAAIYIkg.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        120⤵
        
        PID:3264
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:3736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        Modifies registry key
        
        PID:4860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        UAC bypass
        Modifies registry key
        
        PID:3448
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        119⤵
        
        PID:4148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aOUggcIw.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        118⤵
        
        PID:1216
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:64
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        UAC bypass
        
        PID:916
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        117⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cwIYwsQM.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        116⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zkQkcUEk.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        114⤵
        
        PID:4800
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        
        PID:216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        
        PID:4616
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        113⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        UAC bypass
        
        PID:4796
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        113⤵
        
        PID:396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\amkYIgck.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        112⤵
        
        PID:4208
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        113⤵
        
        PID:4672
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        
        PID:3696
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        111⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        Modifies registry key
        
        PID:2772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TMYwQYwM.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        110⤵
        
        PID:3100
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        UAC bypass
        
        PID:380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kqQIAccw.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        108⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:1264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        
        PID:4672
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        107⤵
        
        PID:4176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EKssoMAg.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        106⤵
        
        PID:220
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        System Location Discovery: System Language Discovery
        
        PID:1820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        System Location Discovery: System Language Discovery
        
        PID:5116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        UAC bypass
        
        PID:632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SswYMAAc.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        104⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        
        PID:380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        Modifies registry key
        
        PID:4496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FEgAYEwc.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        102⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:1184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        
        PID:396
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        101⤵
        
        PID:4328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        System Location Discovery: System Language Discovery
        
        PID:216
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        101⤵
        
        PID:3228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hYoIMgQs.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        100⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        System Location Discovery: System Language Discovery
        
        PID:5104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NOEsgwoE.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        98⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        System Location Discovery: System Language Discovery
        
        PID:976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:4416
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        97⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        
        PID:668
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        97⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gycggAUI.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        96⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        
        PID:4328
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        95⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VqEckoIg.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        94⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:1216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        Modifies registry key
        
        PID:4212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        Modifies registry key
        
        PID:1724
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        93⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        
        PID:1000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mSIYgMIY.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        92⤵
        
        PID:3740
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        93⤵
        
        PID:3280
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:3100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        Modifies registry key
        
        PID:60
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        Modifies registry key
        
        PID:2952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        Modifies registry key
        
        PID:4908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DCswEEYU.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        90⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yigkgoAs.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        88⤵
        
        PID:220
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        89⤵
        
        PID:752
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:4212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        UAC bypass
        
        PID:3352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VsYcsgQc.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        86⤵
        
        PID:3944
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        87⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:3248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        
        PID:1888
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        85⤵
        
        PID:3140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vMEgkwEo.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        84⤵
        
        PID:2208
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        85⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2288
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        83⤵
        
        PID:512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        Modifies registry key
        
        PID:1832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        Modifies registry key
        
        PID:4176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZmAMIwwM.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        82⤵
        System Location Discovery: System Language Discovery
        
        PID:4588
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        
        PID:4212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        
        PID:2720
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        81⤵
        
        PID:3536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aQwAsIcs.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        80⤵
        
        PID:4672
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        81⤵
        
        PID:1036
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:3752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        System Location Discovery: System Language Discovery
        
        PID:3124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        UAC bypass
        
        PID:1320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AuIckMQk.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        78⤵
        
        PID:540
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3548
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        77⤵
        
        PID:1312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        
        PID:4176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        
        PID:512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BuUIkogA.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        76⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:3448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        Modifies registry key
        
        PID:3600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        
        PID:3100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iOkgUsEw.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        74⤵
        
        PID:1000
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        
        PID:4148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        UAC bypass
        
        PID:1184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lyMQYYQk.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        72⤵
        
        PID:3228
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        System Location Discovery: System Language Discovery
        
        PID:5104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        UAC bypass
        
        PID:512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ESgYQsgE.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        70⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:3140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        
        PID:3100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        UAC bypass
        Modifies registry key
        
        PID:3600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XKkUkwAg.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        68⤵
        
        PID:3536
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        
        PID:1764
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        67⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        
        PID:2368
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        67⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MWAcoEUc.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        66⤵
        
        PID:4732
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        UAC bypass
        
        PID:1748
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        65⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fIssQMoM.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        64⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        System Location Discovery: System Language Discovery
        
        PID:1832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\psUcQMoU.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        62⤵
        
        PID:4680
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        63⤵
        
        PID:556
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        
        PID:4620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MUAYUQUk.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        60⤵
        
        PID:5072
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        61⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        
        PID:1172
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        59⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        System Location Discovery: System Language Discovery
        
        PID:3184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AMcskoMs.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        58⤵
        
        PID:3784
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        UAC bypass
        
        PID:5116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WkwAswYE.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        56⤵
        
        PID:5024
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        57⤵
        
        PID:644
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        System Location Discovery: System Language Discovery
        
        PID:632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        UAC bypass
        
        PID:3748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\meEMIkkg.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        54⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        
        PID:512
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        53⤵
        
        PID:1308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:4672
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        53⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hYsQsYIY.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        52⤵
        System Location Discovery: System Language Discovery
        
        PID:2292
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        Modifies visibility of file extensions in Explorer
        
        PID:216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        Modifies registry key
        
        PID:644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        
        PID:2632
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        51⤵
        
        PID:932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YiIEQEks.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        50⤵
        
        PID:3332
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:1036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4732
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        49⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        
        PID:976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dAQkwooM.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        48⤵
        
        PID:632
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        
        PID:4908
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        47⤵
        
        PID:3260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:2720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EmkkosAc.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        46⤵
        
        PID:3144
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        Modifies registry key
        
        PID:60
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        45⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        
        PID:3308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZSMwcEgs.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        44⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        
        PID:1184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        UAC bypass
        
        PID:3364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XQckwock.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        42⤵
        
        PID:3296
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        43⤵
        
        PID:3140
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        UAC bypass
        
        PID:1664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OqEgMEAc.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        40⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:3776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:1320
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        39⤵
        
        PID:1244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TkkEEEcg.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        38⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:4504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        
        PID:4356
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        37⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xgUQsYks.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        36⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        Modifies registry key
        
        PID:5088
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        35⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        UAC bypass
        
        PID:1712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iUMEkgYg.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        34⤵
        System Location Discovery: System Language Discovery
        
        PID:4284
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:3308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        UAC bypass
        
        PID:220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sGYYUMkI.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        32⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:4504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        
        PID:1084
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        31⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        
        PID:516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hykkAcIA.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        30⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:3832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:3144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        
        PID:3292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QSgswkAg.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        28⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:3776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:1244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\reggMcoY.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        26⤵
        
        PID:3260
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:4208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UQgkUscA.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        24⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        
        PID:3776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        UAC bypass
        
        PID:3320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aWsgMMwQ.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        22⤵
        
        PID:3784
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies registry key
        
        PID:2700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        UAC bypass
        
        PID:4576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yoEkwYcs.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        20⤵
        
        PID:3292
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        UAC bypass
        
        PID:3060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DCQwAMwc.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        18⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:1312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:4352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        
        PID:2368
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        17⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UeggMUMY.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        16⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:3448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        
        PID:976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IyIAsUok.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        14⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:1308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        UAC bypass
        
        PID:1036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HQQMYcQw.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        12⤵
        
        PID:4228
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        
        PID:2804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fowgoYAk.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        10⤵
        
        PID:4844
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:3736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wCowUskQ.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        8⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:3540
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        
        PID:3180
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:1236
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        
        PID:3300
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HiMQsgIU.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
        6⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:64
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:1036
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:1352
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      System Location Discovery: System Language Discovery
      PID:1244
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JOgYkccc.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1000
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:3140
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:4932
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2912
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:4120
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rCgcIswk.bat" "C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:752
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:2012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4212,i,15436195446242760253,4000484513008731869,262144 --variations-seed-version --mojo-platform-channel-handle=1308 /prefetch:8
1⤵
PID:2688

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:2292

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv ZfHsNgqd806JDcZWetlW3A.0.2
1⤵
PID:3544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe

Filesize
318KB

MD5
005c94d1f41d00c7e61a16da8b83fe42

SHA1
45443b85f7f16f5d12662884e77f4548b1438ac5

SHA256
f5e3c1f3c6722cc45c3ff21684574643f82f92139ccc4f29933b7c215c86f628

SHA512
799871f0b2ebaa08995582042eef03ebf9d42b219e293c31984260d81ab13eb4e504a91999289ae4783db1c7130e54266ad8f6225376d7e5dc83f524ca7f8028

Download Submit
C:\ProgramData\RwsUQEsM\MoAUAwgw.exe

Filesize
194KB

MD5
d8c9511ac46cb4fb69fa4955b1156e28

SHA1
c3d639031b2901bc608fc52f6f02493905085980

SHA256
d188c101f120f3ba4bd21bba6dc1c03599cd72cdf94e03452a59b08ef89ea1b9

SHA512
91deff30f4cb44b1dff987df2d61c3ce811b13f5e15e3084e2ec173afc69c455488c8a949fb3f8ec0c575c9d673c0de24a41d5f01a685f20f7139b7c3ccf3f31

Download Submit
C:\ProgramData\RwsUQEsM\MoAUAwgw.inf

Filesize
4B

MD5
dcc5bc022bc475b1353c77ebf3eb4092

SHA1
e1f6fd635f3d66b308a6f5e72320bb0965e5f331

SHA256
d761418df9dc7c58d8df30945b1e56df4e9e35c8d506577ad235f9f56a421770

SHA512
fef51b18d78953ed92786c3354b4e1c8353195b2d5c8adf6dcb01ba501bb7e9523c31f01928ca851e882ef9b117d3ca3dc26afea6dc0b9949d12754bb674f62e

Download Submit
C:\ProgramData\RwsUQEsM\MoAUAwgw.inf

Filesize
4B

MD5
4378ce693f5d14e49f9a163bac3a5164

SHA1
b616e0098bc65cb8277731fdaf445bffbb04528f

SHA256
731ed6430e5c3addb79a80cc852ff514966e9e10dae4a30cfc491a12e8e804d3

SHA512
703c9a22164ade0b6668166d795c306e991be7fd5e915c0ec595e4fa978e8b51ea984b6ac0a7227fb347985caf6cb6fb82a40d2ab8304955861296783303cf06

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\48.png.exe

Filesize
208KB

MD5
3bb0edd2905aa178c04c40cb7140f75b

SHA1
cb0328be3bd01ee5cd568968491fd98b64073537

SHA256
09b2daa30a9fdefff51a10851b1fdb3d80d6add9c3b978644bd9456d6612d52d

SHA512
1c330fe8c82e5c83453f6152ab47d12dfbb7355e184999f687a63afe2f01cb450af4833d3ea8fd5de0561bf8b2da3abde9837681ef56347eeeec232d51709995

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\192.png.exe

Filesize
190KB

MD5
3ddd049913f5f7333839de820c3bb010

SHA1
d3c915ed62aef1cad4a31ef870a7e3d98f5c82b2

SHA256
e28c73d92e57ad984ee8a5b853ef32f76c046dbb5a08e943083a8dc5bfa90f54

SHA512
335f2ae36777565ce7b2856db5c11d17da64ae08b9fbd191fc6efcbccc7cd9fa9ae2b9162d9b66c176a041cffac20a332838ce84e3de61a4b905e4de837193cc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\256.png.exe

Filesize
189KB

MD5
d9324cc4d8bfd8248842c9af579d76dc

SHA1
2dc8a2eeb150e3cd132958ae22b8bb795a9c911d

SHA256
1c434835a6204942760c0bf9d10b861f4763d6164a50c5f044ac83307400ddbb

SHA512
ee7e0052a598b46cfe094fe6a92d46503b48ce56d8caf445cbdc61cc17e80e38bb87144167b09737ae9c9e1642b2dca14d13c60657d5f656fe9c1288c7c817f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaError.png.exe

Filesize
191KB

MD5
f3531f8169ef61da6644ab0bfd5c645d

SHA1
c4d50efa28a1a9739fc386cc94d5f9e037736bff

SHA256
bb4a41eb833e1744aa38292b19e11f6a249229ccde46da446d401facd615f44b

SHA512
471c6f68b7c527dadcd96a90f86fb7ca31f3d6042d0122071468719e44a0ed1247bdd48a021a627fb225a7ba69344aaa585981aee4be3f28600eaccf0ae8eef8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaNearing.png.exe

Filesize
210KB

MD5
8eb49133881797698c4319c8191af6fe

SHA1
84da04b9a4e3ae418c91e26c5a63bc2b74ff919d

SHA256
3421104e84dc0d33a953d791fc788c27b329e7524dff4bffec54dda46dec440f

SHA512
425d8aa3f601c23f82b3835a92023904963912151a08b9399755125fefc173207758684081fd4db9a497003e3b3be293db15352efedcb92d8e94b9a4df609010

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-400.png.exe

Filesize
197KB

MD5
5f3802fa247729e1836c286797d10ab3

SHA1
0745c16665244884f66676354786bd7a86738f28

SHA256
19763bbd213ac2228630c62f4a518a07b8d7473bf44172fa6e1939d4ee73194d

SHA512
1547460341c6b650cabccc66bbc1fc17c47c635eb696bb2c93bd713222dd9a0e9eccb8d0b7e25667bf5984f83716c3660dc80263fd93e83de8d9d26d9e788ca7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-400.png.exe

Filesize
200KB

MD5
c7fa190192da94efd371cbdac99023bf

SHA1
8576d5544b0241d52781c1cc56a8e2a161ff0a27

SHA256
16033b511dae4290e1aa64cbf6e2880396cdbd6f6cc29044d66d2de29af4addf

SHA512
9226e3a1a9b2adbf6eae46a20bfb03d0036e434dfa9b90fac9c8a66329f9b030deba48465ff6516abeea8ddba6f478287aa590cf55ee98dd77e67eb4a2e2f74c

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\26310719480\squaretile.png.exe

Filesize
193KB

MD5
edbb1844d53d1491b1ff724db9c70b02

SHA1
5c089cdc0a0fa7cf5c7698f6c767cd522a426946

SHA256
7d9215c645ce9dc8d45359731d9a7afa9201d75708b2d98ff138303c74274624

SHA512
d56e87f910ec79dae7e77c3602639f47b4c014d74a8df734396e6b9c463994163c0458aa978ed659000257c089271d3ee1c3d2185ea48af10e8bc0048237fc78

Download Submit
C:\Users\Admin\AppData\Local\Temp\20240920006fbb7a7a5386fe5629f895d8969b45virlock

Filesize
3KB

MD5
f914e6e58fabc9e45dce8645ff188bde

SHA1
e16ba069be4ac338fbfb731d5dca60685300ffdb

SHA256
51d110882b29e686326a7f942b829e9d1df5c0deb804b59f4e62bab84cdac26b

SHA512
2f3924f255c453ee32bdbced2ca690ef6ed2ef1b09dfb4922bc8db48071c174d7217916109c63ff1a38b09714b5d5f3557dd6aae8edc99e775bf3fefa7d046b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\AgkK.exe

Filesize
186KB

MD5
8625d205518a5ab7df7fcc114cdb63c0

SHA1
050db599aaeb4f489248c7f72b4ad70b19bff7f9

SHA256
78929acde5d5485f6b19b1e94675fdeb634a807e9085bbaee0901ec8f50d7e24

SHA512
a4578918631fcc778f3f53ec49af21b0300ea7915669f83391b235c0bf8f0ab4cde614dd8a3f9a1d2d3db37092d1f383101846a5e71530ae08264df2ebf29322

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bsgs.exe

Filesize
198KB

MD5
5da079f4ecdbc24498d55782172cc459

SHA1
a058a34f78fb02af387a3295a31474b7baae6d16

SHA256
c4103a07b2f363cdf10914b16cb4a1ce8daaf7515cd7b0a22c36c5ad07a3d93e

SHA512
04c8bc6bfc8782f881cead9610a9a7b3a9b3f9dc7d0b80163b117c374f21c48a25b376fe957cc5e7eb11a97c7ea16a22299121f60039c7e52d4c90037a3ce5a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\CMIS.exe

Filesize
197KB

MD5
8cd996bf630435a9384b04f5cc6fe404

SHA1
fffb81682801fbb5fb025169429a47eb5d537b13

SHA256
75725451fba9998d9d08eb1839515b1df364a35f89bd4ea78339a10f666015b5

SHA512
936b094828d39b757c6135033dc8c1e72eab1db65869cdb5ee1a3a282c03c185f515739fe33620a4b77445ea5be23a05e05bfb42c9dae28827d02e922f1569c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\CUQO.exe

Filesize
203KB

MD5
4b22cc2697cab29be6c09256914d150d

SHA1
f7300cfb239eadaada1e4b267d2420b5acb97d36

SHA256
8da881b4a323a72b3c6f6c3de7ddc6360fa446f7dafba38c8b578bd842b4bc01

SHA512
6b9579eb2087fb0a5c55fa8054233cb1cac7e1fd9e6ac650b0b5fd78e06f3856e13feffcb7816005c04283ee807dc870ac0c6a24dc2c6fc8b4f2a5fbdc5f2126

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ckwy.exe

Filesize
187KB

MD5
5cb04bd675409c135b5b575693a5ab4c

SHA1
6b203c45a4e3f63e2b25b6aa0b7550085ca0978a

SHA256
a87dd7c9d4a2120d5494e5e64ff5eb793b9c3f528cb72a5077356929953e4e8a

SHA512
2e3ce6772f7a22a2111eaacb1297c631936418cc2323063147d342cda5c7712de6eb21895122af17502cce341f3ae941e70826574e62c775deef35978bd2efb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\DwYE.exe

Filesize
205KB

MD5
54819143cf52948958613a7cf023b732

SHA1
9201a6733d898ea5a15b10d9b265d8ea730da52e

SHA256
ff452277f1a7b23a58eeea986bcf79d28af2178311dd8089c1c3940c605f471b

SHA512
61c05a448562ea80498043539146ec3fdb5a88a499a764dd6ad9e2e80d46b5510f349f79b1452af65b875aa1822e143d083491325ce2f8b2f0737398a7145e37

Download Submit
C:\Users\Admin\AppData\Local\Temp\DwkQ.exe

Filesize
201KB

MD5
551f0ec9fa65a00cb7b2a8dbc69f315c

SHA1
9c31d8367c5710a9e66cc0f2747384d95a8fae1e

SHA256
79c86e6482081cefb7576fdd19be4782e39cb9cf6bf00247fc17d963ca84ff5e

SHA512
d6090d160bcc93ca087661248e8a761d1928302378751c79016f6e319ec6ec949ad3fd1c4c208ff4d2c2d9524c488b386c0f9ba062385b32d3ffbe2f8d90a045

Download Submit
C:\Users\Admin\AppData\Local\Temp\EIcg.exe

Filesize
203KB

MD5
fcf4db0d777af559290910d72f7bcf6b

SHA1
3e5f50d7d8f1b35c48dfb5130f1a18046f4b5705

SHA256
d98f981c40db6fb37e55df5df6bd8e7e5a8058183f020fb2ff24464bd5fc1a94

SHA512
98806ad276505a8b3b47cdb9ddb17dc0bac8d968b0656ac29bbb642900bd5c27954a12b9393f6471fa89ed7407510ffaabf6685352fccbf19f9793e20b8970d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\EIwq.exe

Filesize
205KB

MD5
67db2bb38f0420998df6061e537ba14b

SHA1
db4ad73b30e12c5d63922636d44e6d720c66e274

SHA256
00754e425cdface91ba42dd78a86053fe854bc9908fbc5e2f7aacd83e292fdea

SHA512
3a09429629ca2d4969d8cf8fa0646f863fda38c4595062879b9c3ff4931550e3c8531021024b6d68a36c94310d9cfcf7ebd7a39d101183b2740fe1a12367477c

Download Submit
C:\Users\Admin\AppData\Local\Temp\EsYs.exe

Filesize
431KB

MD5
9817022b5a98b4007153ad87267b3649

SHA1
af3450b1c17a17f4e00f4d5cf1dde04293f4209d

SHA256
68197867cd78c0748df5180515a3b92f0334f105c70624f90b4aae0ce26d2e06

SHA512
491ebb50cb18efe33c8b1d087669c4afee8b4209e3cb6e07d637174a75ca3e43f419b5a78965f0b20ddcc8db574ade2026b44652d96bbb55ad244c530540c7ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\EwcO.exe

Filesize
197KB

MD5
6e9a0dea391a4783875b4cdccd1bf971

SHA1
285fc98a940fe8fcab0f355f3ae5f434259a14d6

SHA256
d160a203a6eb88e3b9c58ccca308f72f536b10c62d85b105520bf3edf851f420

SHA512
a6104cbf1abb75b4df4cb9b38e5d0c2dfc6165558910ae971bbfb8943299488a530a4dfa929151e513aaf52e9b98189533f99d77395af517ef53f717896e36c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\FIwi.exe

Filesize
193KB

MD5
050bb8ff30aac1aa1780cc82bc0a1df2

SHA1
7e0265dc97b254a701b25021c562638d4d5006be

SHA256
aadc6fdd3f6f5c8f482e00489e2d20d139161d218980e98e48fa5b8a8a6f969a

SHA512
f6c312586ab592bf002b89608960241f69f800094869769e120cde9533a7142e1d691e194dcf77af966ae5e0711581c1eae0effa37422bdb4ee81d772b9ad3a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\FYwA.exe

Filesize
207KB

MD5
9a532c7d97400f6341b36ace3fe05b17

SHA1
9426c2ac2d1a4b2f37b3c987642617720bd857dd

SHA256
8ecac47decac153a14dc37375797f8ece7ed21877132e3332be036ecdbf00158

SHA512
0d8ee9a7df12d55b2e8f51cbb430a1fa58da20cc4432cc471268dee94bb18645f5ad7f05bc4cff593c8144fb22258652e22bd0b1617940a1ac7e95dcab49540c

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUAu.exe

Filesize
200KB

MD5
9f8fc974ddb47305ad7c4bdaf1e3e430

SHA1
6424eeb8e81e1d7348f26a9ea5b73441aba39bf7

SHA256
6c78a229dac7cadaa7fc5c9c28d2af5d3f2ae357c8069e764dd0e10d049d02c2

SHA512
be81c0cf80785e0587a45ea4a0a2d209a23343667621d56b70d62dbbdb18776f7d07e01a8d848c8b26cad2a3a6cc4404a74b319a00542f9983272243e8d8fc06

Download Submit
C:\Users\Admin\AppData\Local\Temp\GsEM.exe

Filesize
201KB

MD5
f151078448ff37abc65850f710b8f5ff

SHA1
c311788b8fa47e78177337a28805ce181fe0a5ed

SHA256
b46aa7bdce26c1ad612e2bef2a30a3a2b499b72c89105bc15777bd726dcbe9e6

SHA512
de451da76ab68ad370ccd493b68c383b5ff1996ab839a19ad1faedc2d06fdaba4418fd3fa7221acadd4842e4c90c77f29f8953f8364ef6614a90eaeae2fb399c

Download Submit
C:\Users\Admin\AppData\Local\Temp\GsQU.exe

Filesize
206KB

MD5
500089f68434f06862ab310551cdc245

SHA1
28c1b3cbdad21c7277b62eba41434a442bbe108c

SHA256
8157c3c5b58029778647b2784be248dc1d17c086965ba12838219b115d456598

SHA512
6a8efc3df1d61599429732a08cc30d305bce64e68cca54db35d8c6b08463411c94320bbfbddf1809597958007ce7ed16f63fa3787abba083397517a1bf840b8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IAce.exe

Filesize
307KB

MD5
46757fe4e996c9b6086a4301f3e80dd0

SHA1
f746de6faa170a5aad64a60454e71377320237c4

SHA256
c7b6ff2bf58a70b04541aeb356bf0707cbcc4f8577824c4907ea543b81974822

SHA512
ccf6d7fcd78222767c8bf7723276d725a61378779ae06f010ebd691b553fb8beea08c8987f000e93199fd85fc15678617ca24de73ddf83e3798fa1e3e42e41e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IQoa.exe

Filesize
194KB

MD5
4bb8c301c75d048a1d4009cfadcc6fd3

SHA1
35163bc837d08aa297d32bb9f1e81495a72862e7

SHA256
80f981106b4557a17dce2ed2893329469e9761ddfdfd97a5f4375c2ebf25d9d0

SHA512
516c87ad643f39507d21ae3241b626834d480f1c12d45032c1c56ab30848a8f21b944d9b6730dfca488b35fab3d6a00bd239f260c59b7ff6d7390a3cbc14f8a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\JIUI.exe

Filesize
192KB

MD5
5aec0ca29d6f92b374ed6d3d09cdbc94

SHA1
20aaf1cd8a3a051f01c6bd60c20ce1f8b4914364

SHA256
a6d401fdae7a8a9ce6da30779854a17852da781fa0dd3740df9c92252e891df2

SHA512
2a838957bdcb0865fdc5f58829481add0020277499039469888c179419446409a7c637e1b45fdcb75487b6dcf3448f4242346ede957b9c907680b4169de3536e

Download Submit
C:\Users\Admin\AppData\Local\Temp\JMYq.exe

Filesize
222KB

MD5
baa716fb95a148bb602e60ffc689c92e

SHA1
7f40d4fb7ed7672532cbe02c5741bf104a139f09

SHA256
def63d53e8374241e691107dc17850d3b8288141bd59aadc92e00fb5af8243b6

SHA512
01d8d8f3c968210a1f62819a0a84869ae002a44f3df3991433344f90839958e57eda24f89f6b4135869d3cbbe3e9de7c993e685380afd8d9c2c4924e3b2a130b

Download Submit
C:\Users\Admin\AppData\Local\Temp\JsQC.exe

Filesize
201KB

MD5
f1d3ae05437b4c3a4ae491d742cb3214

SHA1
9373108fef7e48c713b7e1a611aa2b7e9a142235

SHA256
6fe4ccfff3683e9268e08bd0c864e8dc0df5db2288fd1094f5f5ac877934bbcd

SHA512
10339e1c7309263f66176b973ef7816b37536b675341a684db9fd8aa51ed16cfd0147a70f987f5f3cd3d1008460267d91599d4326233d0917d41564e3d0d18f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\KAoq.exe

Filesize
208KB

MD5
de946f15e18b90425c568ff50a980c55

SHA1
702edc197ea9cf45a8f1bb4a2f910a2b844567e3

SHA256
d03f701800a5bd9e6266df928e87f414096ea0b3cc6e6f0cfa8bdbd85c4ac7f2

SHA512
bd337dbb6fc0e1a7eff46e0a8c47578021f8a57443de237600d8de7eddb10f1d027a27a62e76214f2546313fe226fefd3d92af7be99f7fdf3b04ca8b5b21618d

Download Submit
C:\Users\Admin\AppData\Local\Temp\KoUU.exe

Filesize
189KB

MD5
cef80cbc70abdeb009250d60fec7fca8

SHA1
a94c3467c1d9eb4f258a857cd1cd80fdc0b79fb6

SHA256
ce000b01095a418d21753e819394e821ca943e1fcc35e7c7ce63e286e8f9fe47

SHA512
465c2e396275e5065fdb0ffe1a925ec552ac6153a626faf3eb3bdc500657c0cc3ec9fdc97c9d02ea90f7e99c76c0a0e379abca84cef2c2c6fa69b2ed868d5647

Download Submit
C:\Users\Admin\AppData\Local\Temp\LEQs.exe

Filesize
1.8MB

MD5
cb981d98d6168b7933da16e275d964e4

SHA1
ef8f195310140a86d206d92694a509a41111bf40

SHA256
3d38331e7144350febd2fa0e5c5c3f63521198074bd55c8655d85bd1acba09fa

SHA512
a869ace22a39a13489b7aa71d9e1394679aa465ed3dd7adcca8ce1b5491de72658835590c7e043319d71055ff1dfbc39cc28de4d076ddeb3e5858bc2d14b4662

Download Submit
C:\Users\Admin\AppData\Local\Temp\MAUo.exe

Filesize
195KB

MD5
44e336d08f5ad270c0ac065e0ef610c6

SHA1
90ca9b02b99ecb243109c7107271ec3b1ab6bfda

SHA256
d7967e285bcdb8502cf2c439e2bd62c1a9ae8d472c7b30550adf5c1e9153b10a

SHA512
e3300fae77aead99b8e381b643aa0f88f34cf32dde257e8e3bcb44582ff63b3a7dbc6dec33881cd64789236416897892e4b9c6c96d9d82242d11cfa754439eb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\MAoe.exe

Filesize
638KB

MD5
ffb448ad38d2bb5fed22c12be4a73dd3

SHA1
006033ad70f08e643ccb01f5fd10e5a14802dde0

SHA256
57f0a55824108f97f5111661594d2b6241d7461a943d1a01d339b5ab4dadc5b7

SHA512
5a1587027e110c8f8b00aaffae2cf006e3d23695c3619121f9fcb737b946da375092336e06b5dfe798fd30eda28229e5085971129da7ecfc72027d20c1a253f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\MYgw.exe

Filesize
203KB

MD5
173a646cf074ab869e3f2edd3d04b6a4

SHA1
b04893974c64122fce84a445714c882325b35b50

SHA256
b5b681030cc549967d51ca009eecf8d45b23920ac94c2a73593728f823fa65f8

SHA512
663f4b62ed90cb580098049ba9a50d9ceed4dc6811b9114aa295220fcc77bb3f8ecf83d9ad655904a5d6c369abdaee5bc2f5598cb67dd39208f1a68a7b5108e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mkcu.exe

Filesize
323KB

MD5
1d25baf837b0b06bdab4d4736ca429ce

SHA1
405b16cd0563d1567f4a125940da407a4b99bffd

SHA256
591f071505b4455d15f866e6f5d031d0e6f64edbf410652d59efd048baa7ae4c

SHA512
b75de196709bf4000543d09624fa1406b7a497b88e564b83bc1f518ef3b42d841ee5a02a915f4a2ab236486ec41f694b87210e4b24922d2245871a81c8b033f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\MoAA.exe

Filesize
192KB

MD5
b017a5db2b19f54ce9e81a6d677964c4

SHA1
7a7f3d3629a62e5c70b3ed5f2505360fcaa63742

SHA256
a665dd4691c4e619cb3786868bc1e876b60290a6f19d3656d0954b534fd20bfa

SHA512
6698e392fef85cca31030e5449189025518c9151da268a686fdd30b41ecda814df45bd21fbcbe225a4a06a3c504996cb69255a0f32905582bbe00d4bdb4f1696

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mskc.exe

Filesize
193KB

MD5
6ca5293589034a42df1f9dd04b7240a2

SHA1
3c815fe65ecbb1af5e78ba3cbcf4a035c59a7315

SHA256
600efabc681d218a08f48af6ff2627dbff28b5b33fb52985a016a1f49305f563

SHA512
a7df5946d646b76d38326f47622aa24bc68f2a40dc495633f78c981a2ba607545d032428c8768fe44a147ef25b66a0c6eae8ce6d855a01221758f6302cddcaee

Download Submit
C:\Users\Admin\AppData\Local\Temp\OgcK.exe

Filesize
198KB

MD5
9a416b2028e4e5732bfdb8cab3620f58

SHA1
15472f9355b4c9cb797117b83e6a5cd02b715892

SHA256
2dbbf3502df9818771270c97168656a3355d1272b68ce291450b85a11a8c3fd7

SHA512
e0ab48bf9b3ca43bdb8eac53c768163108482621e110975e50ad6f3edc07891de70594fe38a72f95b09ee94bae5852c7141eadf3f15aaeb421b99f61094cb3ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\PwkC.exe

Filesize
210KB

MD5
50d09a7d810af1e565f366c43667b9fb

SHA1
9335552ec35e019dd81023978584a4fe1ba5f092

SHA256
e96b6f51550a5ec76a1efc12b89261f2bcee6933eafb55bc5aeae0df1541dd4f

SHA512
3b9eec048a0314a507d4427b6d856fbd3e64a5cd2fdc6570d3d3d989386fc75894ba105c6c88d460f36d67ec1675cfffb9ffcbe9ada91a9251690e553a86a9f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\QEkM.exe

Filesize
466KB

MD5
a7c5727e8d339cd054d35b202d227ece

SHA1
91ea938ce361faca2a227e4f3e21ba133476cfc9

SHA256
c2650ac7f8e078082ba8d4df513e2e9c45d3521e77a0da91dde8a6dfcc8059f2

SHA512
a2e0217a2df34cadf1590934b354558272d8f8a67bef437fa010663f17438fcf2268d36e337e7ad6930086e23446769b298705695d60e4abd7f8b711d4937060

Download Submit
C:\Users\Admin\AppData\Local\Temp\QMYi.exe

Filesize
236KB

MD5
923f6997fffaaa6f7765ce9229a5cd0c

SHA1
a3a2c37ee98dc696da9a58109ba30f94594ff48f

SHA256
dc8a96280ec8acf0c071fe6858d0cfad2f8660ffe7027837a24617d03b1cf92c

SHA512
81155e39c66deae6c59f6de8f3c74f7bdbb8c3bb3567619a8105d67eca60ed9cc805540b13925795878097d7825718b6998b7b32ed8a322a8dc69f8b5cf33edd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qcsu.exe

Filesize
186KB

MD5
557f51fc5ca199d4f585b98d21c6e0fb

SHA1
126ed66d64be89d4c235ac6436260002fc845b6f

SHA256
783017e1cf88e744f5291cc58cc7540adf067afa61be124fb61c1dd12c246104

SHA512
ee352eda59fa70540e1acc175529e8d8260d84f4ef85fa4245a0b98fb6b02a90867d250d74526dac35760a68b7fe97d8b7500fbd1ea719ec1682bfb9eb785620

Download Submit
C:\Users\Admin\AppData\Local\Temp\RYUm.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\RwEy.exe

Filesize
201KB

MD5
43ca75c0b53300d0664ffb5cb372eb5f

SHA1
c09a3375e88ce11e5fdd1c5af2d2b94d02510c66

SHA256
daf5f904727e74b0c3fbb582e483d480a246de98e0674a92ff8752f669954b2c

SHA512
9d710709bac89f2b111840409b8ef7cac90269d0a423af38555ea3f578b38017c6c24ab67fba7aa4d502b3bcf4e2ce1d311a1b4c21bc66dda1b64525366c1c87

Download Submit
C:\Users\Admin\AppData\Local\Temp\ScwQ.exe

Filesize
641KB

MD5
3bb032fb11585433cbcac31d0d134512

SHA1
6e988ef2d095d66a28817b049dc3a1782e557269

SHA256
82083985f948742912a015c762738161a30364e99b2456a8abef40c9e424abc2

SHA512
82ea9551b1112b38667f4b210e7a4424359e6cbb1208fe7b8c7dd994183e2419cb8ddb2fe0409970afe27f728647f79c1494a52af1759caca0aae31fee07f002

Download Submit
C:\Users\Admin\AppData\Local\Temp\SkQu.exe

Filesize
225KB

MD5
cb3d68692c5de778d33c68af899dc962

SHA1
43ef1e5aa7074b11e092d29ee771090e9bb6f990

SHA256
224ed100fce0e3c5c0d4a5b07fbff31f7c8f143e7a8409d94871b11d72a28f31

SHA512
0f221961a6e96c3284be4398cd2676db65470346f4d2af0dab77f2dd5bd35bebdd63e02665cde46d515943522400481a54fc8876189d95e306cc585aa8db602b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TIcG.exe

Filesize
203KB

MD5
b78067f55f9173d666cd0de7b0bc3f7a

SHA1
92c2631ff9076b485de0e11d8ea4f623ca7fe344

SHA256
d20de0c841ea4e32fc27a6f6eec3b894338d21aa0401b1023e97c28248086c8b

SHA512
3b7190d50105d462a6193ca0c96ee7aa6cba59e1e3649451a2ba571902ace92ebc7c7708f6aa5c22385f9df11a6c3e918d8a3512acb1a7a1bb26941f8ce405a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\TMQE.exe

Filesize
692KB

MD5
4aa903114f1fbb8e36a1cd3572846c1f

SHA1
cd230b4d7feb730bf4e8264be41150d375578ef2

SHA256
d0743aa25a4dae34302f4f1f10b851a5a19a40df88befe58125c04351cc4b24d

SHA512
8668c2f5b241694184d0cb0ae0b7fd1f1389cfac1d10e77af5dd714fba138054059f9474581a969670c8efee0c12b19999c43a935cc4c490d857716c233517eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\TUIS.exe

Filesize
602KB

MD5
d29125804cbe5b375941b0ec7f80f2e8

SHA1
66923e77be20e78638cb122233a7d96d11307850

SHA256
46412ed20c786a33cb8b6b9b492fea8d2637eb1e5f0c0c0b15952c1d0a754078

SHA512
14d6f5668df20317cb586a3fc7ce8f8ac113a259cc3f7d6275df102d062c641f112360535f332f2ed4ce58179c72e0c8deb9f56aec6d561cf91968a5c7c47ec3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tsgw.exe

Filesize
186KB

MD5
af29403761055f9a9f0a6d71a65cc81d

SHA1
badec504da9412043b1851d4f2e42b2b7b7604fd

SHA256
b65705cdd9dd87f0a4dce15ddbfc04597597bc36006a40ed885b4dbfb6389430

SHA512
b1b8870c3ace38a5b93177a028b029255e8a27fb4241fafdf665ef85890671973a5571e7cfad1244923365156ca1153ab4cb0cd780b04882d3fb03e36b069d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\UQUk.exe

Filesize
904KB

MD5
db1c093f180acf5afe8109c61bf90bd8

SHA1
f9ae897ddc5b46ad561f47781a79507d7dbd7511

SHA256
eb93fe9eac20cfff7bc88373ab13bd640ce7140dd80e5f1d3107782938bef936

SHA512
1c28451e73fd6038a7f83e306128375c45d7210e74bf8c981b877c85c074c6e7dc5a97e90b2749c352799609d82072796b11bcfdb4a66a970b75e1716079f22f

Download Submit
C:\Users\Admin\AppData\Local\Temp\WwYQ.exe

Filesize
809KB

MD5
626fc95d0e55b7ccf40dafdce83702d9

SHA1
59fb8d01f62400cfbed6facb5afb2ba77534194f

SHA256
eaaabe264235560f4aaf0c805004fd6e038cf88588d620a6e3d316248976f94c

SHA512
3dcf5c598df579788f4974c92eda9d0987c040633210f206e61f183a6acbf0ee34ca0ee293df3d33e8ba7609517a9ccc7f493e9ca8a0a5ddced41dd479628106

Download Submit
C:\Users\Admin\AppData\Local\Temp\YEUC.exe

Filesize
185KB

MD5
6d30076dd264fe2df30a5599a6a548b3

SHA1
cf806d221cef46e4096a1bb57559dbaa472919cb

SHA256
4883f871ebe98128cfe4003cbd6c20400d93a509a1e3433270acc34d161de714

SHA512
cc6dfc6cc7d583418a94a91488d2337fb1766384a623209421143441be714d4c42d2824cd78a7760f03adfa38482c3e3dea2d571e8e2f808a9bbe4903138a1ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\YEcg.exe

Filesize
200KB

MD5
9a9e5d4dd2e2e0bb6f8288c1d52299c7

SHA1
1c82a922ab5d5ba014c52633fd20586425366aa5

SHA256
c8729a408b10f1838275cd19d60c6994476f97ae64fc159b26be400e5d48f247

SHA512
bff6057f8e007f53a1cb5828495f89ec93dbdd43ffe0ab5d20c73aeb5d1fa6ae2875300bca08d0e30eecd77cb45eaf1b20157b8158a7a4bf1cf3c9a234e4a591

Download Submit
C:\Users\Admin\AppData\Local\Temp\YMwY.exe

Filesize
241KB

MD5
7f99507e476cacbd454cefa0f87f292b

SHA1
2ce17461c14fb5fb0b594769111b2d81fea69f9b

SHA256
cdfd4959a14479402a49e5e75fa81a1f8bc167a370d75a0c8472880a47c51334

SHA512
eb789d825df025acc822f217d792b9c26d7daa21d45018d2d4e0a118565cc3fd53fdbe92b262b4bd354835be721148a08221671d033094e5576001ef50644d5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\YsAy.exe

Filesize
196KB

MD5
fbe89fa4a9b50e135fbfe6b9642c4d19

SHA1
5491c641a66a68baf63a65d465eca68181383698

SHA256
2df932ebfa7ee16d55e44ff070515fda965d0f805c8c72aae4332e71469bfd6b

SHA512
d51f78b4fd6f06ce8035ae61e9ca2236f0881c9644b0994ebd645654adc4e8542a1b64f6927e249d68fbe008a7f5521ad6b749c9327d1422ba4dd23bc9627568

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ywgo.exe

Filesize
797KB

MD5
75ed217b85fb875710a394893749647d

SHA1
e41ca51557ead614eef385c51fb73497e3c92c60

SHA256
95440dd5ba075967a5dd4c84d09c199bc4635719c9fb279b654b2c493a02bef4

SHA512
8cb0c665242bd5dac586147496f2aefe178dd725cbb668a668f7b73d7275849626f19dbd898e4daf02f5acf27cd569181ecaf49390c78b69ede17bd620a29f81

Download Submit
C:\Users\Admin\AppData\Local\Temp\aEke.exe

Filesize
660KB

MD5
59daba8321538286aa9fecfe1d202d3a

SHA1
8782dc481974cf2207156b3a7295b8f9726dfc1c

SHA256
6eb995dd07133b6a80110475845db1ac312f7bc49b5af6d1cae84eedea95a556

SHA512
4a653f8cc4e85b8fe7a37b5e3dcb163acf05a4cfc472c2eb663ba7a35d96dab2ad8d1dfdd890b98197c1d69ce3f63228c7cda88cf5a9e08851a13a88134c1e41

Download Submit
C:\Users\Admin\AppData\Local\Temp\asUU.exe

Filesize
312KB

MD5
ee5192d9c39e3a6a279dff0aa0b94315

SHA1
c2ad54cee4af64739802ade5f35780f953dd9dbe

SHA256
ac47430521748f4029733e0c0ee12e06ab80bd401f6c4c4da79a918deeeafd92

SHA512
a022cb44b55b095bbef741626b086563d9cbca5de7719929d6f8362266e178ac905103958ad54e7273d51f60506d927d9338fd8838c19350f544678e7558d0ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\bcAO.exe

Filesize
1.1MB

MD5
5147bd593a4959d72761329356832eac

SHA1
fbcf959700c6ba99d3cd3276cb8492ad4698f190

SHA256
edc0fba4a5fe08cc6603bbd616e21222f46d6c2b3abcddce3fc23e4f177617d4

SHA512
ed8647f533d75dafd3516bc13eff66f59e235dd635001b0e042b5286550378884e4bd13991878f518659b2fe8df3d257915eb9a9d09042f105ad4b400059d528

Download Submit
C:\Users\Admin\AppData\Local\Temp\bsIE.exe

Filesize
1.8MB

MD5
bb1985dbb20209602a8772f1478e0ff3

SHA1
64a8def4cd912c7eee91bf7ab2a4d5e92776e929

SHA256
5f1664d30319014df3d9a8a03974c37f262e1121abad623dc3abe8abba7cd5ff

SHA512
1bd5f613836b0198dc27f9673fd08c8905366a3f2d5cd94fcce2e7485fbcd27af88be1ad6eba446ac11437fc41f20255d8a6e4a82e46948253f961daf002487a

Download Submit
C:\Users\Admin\AppData\Local\Temp\dgwq.exe

Filesize
237KB

MD5
8ffdc46109e1cd2111bcedd500de4aa4

SHA1
16ed1a3b34a14ec42c0762b79f9bdb8fd3059e7d

SHA256
4df6d2c8f07ffabdd048daecd08c1c506de7e06f2ea487c08b1900af70502a13

SHA512
ad9cd154982e55d33334c0234d04e7cc9e938e10cf198e38f2aa7513bc97e26724a28a7746861e3490e6a591dd0c89d0bc09c51c7892a47e9757c8db3b1291b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\eEQW.exe

Filesize
794KB

MD5
d57f95db4ea243f91be2c45cf7636fa2

SHA1
97214ce084ff6659bd8b037513f29542659eef9a

SHA256
c2d4bf5a3786aaf2142d1e2a0defdfdd69886a686963a6fa9fc61ea6b0334f1c

SHA512
678041b421e2bf930b9ef866057e9d9fef19ed52de6f3b545b4b9ba911d1b42b2ef3923dd2f23dcf36ea1f241dc3768e3a2f8ccf82cec848276b6d1b4ec05ab7

Download Submit
C:\Users\Admin\AppData\Local\Temp\fQIQ.exe

Filesize
785KB

MD5
d810a1c9b55d4af1186b52ad39cc26d1

SHA1
039ba6fa9bb5e3ec23083bf6eb62215395c56375

SHA256
7c2600fa704560b57c55ef995b3546abb3644f0b41a8d9cf654d86a0d343918e

SHA512
eb46e1ed6cd0a948bf19ff1c23a8ede68bf0828141f2039b25b8dfe108cab55c6e8170bbf4e3ec27a61fedab8f1ac0a80e4b0b890b962b0133e72a140f1e17de

Download Submit
C:\Users\Admin\AppData\Local\Temp\fQsM.exe

Filesize
205KB

MD5
17bab68bfb699f1eb359be999224b5c2

SHA1
cd24cb9e26a860d9523390799e417693609a9dd7

SHA256
7d7e8de4e009b81cc93674dcfd28a92fd824f7c2333ed0531f9891ea67531692

SHA512
c8837b87f1f8007673c258f034374c8d8bf12f00068360db2f71ba5d40fa81d736f48dcedbabb04ed6691fdf0b7bae70871d8f981b20b04d0c6e25fdb9f709a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\fowo.exe

Filesize
828KB

MD5
456ab3ec19fdeb8738e7cd198460ed7b

SHA1
e0965b76a410bfdc5d777557cd5cd109eeee1818

SHA256
82c81932b339a5505b7d785d790d296c33a161a085fb4bdff75579be7193ce38

SHA512
1b2457f56bc5ee83914204e362fdbecf95a5ec74c3473c8d7acd91b8390681f3ebeb8d88f16cb40704b7e72413559764f923b35074c748d4e51b5363b9b85e9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\gcYM.exe

Filesize
200KB

MD5
031d3a031ab3bec58489e28581579e3e

SHA1
679642eb921bf99f3d7270e2564f85c12535e299

SHA256
faf873ac070ad0fa67ad83e8311c09e622f3ff4fefb45967dd34ea663105d32d

SHA512
5f256175a224cfd34ea9f0e969fb4bf34be1fb121515ce6732819bdf1e3be079b661f53b23ab66534612f84c22285c269aefc04c146c71c8a409a8d375b2155f

Download Submit
C:\Users\Admin\AppData\Local\Temp\jUEW.exe

Filesize
181KB

MD5
49ca4a053f70aca6887feeb673fea382

SHA1
c36d997422149e6be765f1f12c78a8d9bbd701a0

SHA256
8c9c7e5669e5e3a736ff159b4e45c792808ae69818ca17cac12ddddab3f94ea6

SHA512
87b321a5bf1700b9e5d23a4b28fc5e125c73051146a26979407801830dd43a89146ba8f61640595a321b66e00f71a4a4bc34ca505d5757bb2b57cc23ec6cae8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jwQm.exe

Filesize
833KB

MD5
33a01d269699e40d83e771d31236ac33

SHA1
8a1ef838d85576fcf292914ccbbe0d04294d125e

SHA256
9c66f1a9c0522afab8ff13ca71ce9be38d3e077d8dc68856e75777f93806cdda

SHA512
d8840f1b04e7440596624ef775b74e5e9b128fd431ea4ed33502c038cbad7c7af0913a1c8fe7f6acf620e5e2467ff9e14d7153a97ef586fdadc3369ba17a1567

Download Submit
C:\Users\Admin\AppData\Local\Temp\jwoW.ico

Filesize
4KB

MD5
7ebb1c3b3f5ee39434e36aeb4c07ee8b

SHA1
7b4e7562e3a12b37862e0d5ecf94581ec130658f

SHA256
be3e79875f3e84bab8ed51f6028b198f5e8472c60dcedf757af2e1bdf2aa5742

SHA512
2f69ae3d746a4ae770c5dd1722fba7c3f88a799cc005dd86990fd1b2238896ac2f5c06e02bd23304c31e54309183c2a7cb5cbab4b51890ab1cefee5d13556af6

Download Submit
C:\Users\Admin\AppData\Local\Temp\lEYw.exe

Filesize
626KB

MD5
2f835e57a296cc6a44ac1d205fa8cd5f

SHA1
908830cc5200d1ea06c3be5fc5b70ad892a5c2a0

SHA256
fd93e56a3ecd707a32c01edcf16ad57b5ab4cc116f59a8eae1d9e56cd19e7f44

SHA512
fd9abecfab92c81d62aff0565025502c394e116bf075456a2044f797b9b51d4da7a14107b8bee715ae5cef85a31440453a5542f637f540c019f1873165355f75

Download Submit
C:\Users\Admin\AppData\Local\Temp\lcUs.exe

Filesize
200KB

MD5
7e4bb0378eac118d3d057648c5d1f12e

SHA1
945df4875b653622221876d4fa3bc1f02dece7a8

SHA256
bf1a660ae15e930dc95c5e7329cb1f0d423f8e24ad7142edd5d357c2440bf22a

SHA512
adfbcdd67f83b5a039dcea9f56316e153a2591dc129621ede71a521c768e67435dad38a9ff1e2f30c17cffe864bcb678786605db1db0afd9f78ef9487041ead2

Download Submit
C:\Users\Admin\AppData\Local\Temp\moQu.exe

Filesize
202KB

MD5
a24102d336810c7f01557882bfb63740

SHA1
9f99211e1dca2cb1a4c1983d0a14e65ff7cbfb93

SHA256
95e67383cab5571ba11dfda60bd1ddb352f83aac74a66c83276ffda6a70636f0

SHA512
3a3075e7edfaa611832a3a42c8ca5fbf21bd262400a49dd330633a0fa54668a23c7ea8552ee0be3b5ba1ae63a86782f5a3ed85182c45732147903584bf8c0a45

Download Submit
C:\Users\Admin\AppData\Local\Temp\mskC.exe

Filesize
225KB

MD5
8b545e53b509811fb2bcc14a243a7de8

SHA1
2a9374d844ae3fb0a7c2dd636728f627934f52d8

SHA256
fa9fa85ad897043abf455174f8b8b4bbfa6c0a5bd4eb11d421d6500748a370b2

SHA512
8e04f9f703ed7a8981f8712226ca53116d86fec530c48a33c3e271c14b066dec50cf3edc453d8496cb68786f448f2d254ef7aa445a39cd2a61f5d3e7ce30a43d

Download Submit
C:\Users\Admin\AppData\Local\Temp\mwQu.exe

Filesize
582KB

MD5
cdcf09ca079faca82893e92ae9fb3c60

SHA1
9d99a03a905533ad0c41476f151ef801357ff802

SHA256
d9cdc2a60355ca42bf9a8ee1b41301d7c6b7e62ab704e712e5e143c5dd79c221

SHA512
98908ba10924beae23d7033740c2a08e580a3c7becc5ee4b9c6afbb329efc0cf6a9913e2c1ca89bed7521ebe6ea6c4c241a5a7628e2ce24cafd071e745c58b0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\mwoY.exe

Filesize
199KB

MD5
fe383dde9514452fdcf9d2b8f920b7d1

SHA1
a2ff5e9f00026519027348a3b63d4e1e6313e8d7

SHA256
b71872f2515c713d7b48989485f7ea5f0523825c7a4fb6360976a934b2fe755f

SHA512
db1e486ddf3516d51468a27d7f366ef6315e9a61b0e7af24a7433a0ffe73dd8b0a2c7f270beadc7bb1b31c24a66720defe0df06bce738a2df36f026e322a9d5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nMEe.exe

Filesize
735KB

MD5
5ab2355d0ec456825d4b211ad47f079a

SHA1
d64b18849b2fb014952cac0bf0ed0427bfb1be1b

SHA256
e27871616eaf1d377001ae39c83887347057320fb110d47b7052b070f08d8dcf

SHA512
44036d18f948473c66701d818e508d6b36810b1f65c6c975bc7a75e897f372cee76bac6a8049f30c7b3d639498913f3227e5bd9df193d68a52585c21c2ef0a35

Download Submit
C:\Users\Admin\AppData\Local\Temp\nMgA.exe

Filesize
499KB

MD5
8f30c2ec39c3eda42395f2322277c138

SHA1
58c105d6ceb9115ac50d4bb8ec63e59f0743738c

SHA256
a2f51338be485ae3df02528911aef410b5d81d36777b1db08ec0b1a24f21697d

SHA512
d1b8caee3fb05a5df77176be80a69724c329ba6cc471f023bda88abf0abd96f83eca9391dfd9aeaade84afd90bed82136430d1eeaa60a0868c5c3d9069c5b275

Download Submit
C:\Users\Admin\AppData\Local\Temp\nYUS.exe

Filesize
201KB

MD5
5cdd00b4429112e52beacafbf724a032

SHA1
fe2da09c1f482513db015461ab46b97aa682448f

SHA256
cf7a242a151fcac5af4b24d66e71fd0fe13b1e63efe320acb12e547ed931bc21

SHA512
f2afdb4602582e015d23c7ed10cb2cc049c5794be496ac17bae35d1c16bed42167ef700fa03beffd66926a20f68cc6593b1c585d22d60410343d3ddba005a983

Download Submit
C:\Users\Admin\AppData\Local\Temp\oAYa.ico

Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\AppData\Local\Temp\ogIo.exe

Filesize
201KB

MD5
492528212c4351088adac875833eacbf

SHA1
6a703f1740bf1bc82f27b5df0f2be3e65e184f3e

SHA256
4b04aa694b7a4bffbb76a78c0a107439002d1cdcd54689ee3c97ca2b7cc89f5b

SHA512
8de3b670d31b00b0a223555750fedc3b8596893924c752e821ed37986678950107f7cc95bd018e5d2c2ef0acc9d6601ea1d0051ef9f3119dbecfa2dc308c66aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\oggY.exe

Filesize
189KB

MD5
acdaed912f0805a0d163f96628c5ffa5

SHA1
f2171ea0ba4ca124a48a5af8b0ae003fc513551c

SHA256
eb84960b9df64b248b3feb9d9223d96bbebad43cab580c5710d906e95fc05f9f

SHA512
5bf4b7dbef2732d872e3db5786c626d19c358879f92e551d61937f116d7b280ff4c573b70ba6187a3e58ba8142eff1844d733b5be81640750bf08d2aff8b79b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\pUog.exe

Filesize
198KB

MD5
7fdaffac4874aa2ea5a3753cf7fbcc52

SHA1
a536cb4f82a5f40c172db9e9f6b1c5d8b2b4d8fc

SHA256
efca625e01536653b41f10f744f08a45a0bb764a3e0a42f72bedc15614ee93b4

SHA512
426f6cc1fe59ac8f76a1d7031366a1f74a4077ed944433b4163b51d1c5b37fad04a5a9f3d107dfcad0d20890127d1236860b70b9c716088a019446685028e6de

Download Submit
C:\Users\Admin\AppData\Local\Temp\psMY.exe

Filesize
644KB

MD5
4328f31450b9531d10900f4e5390de3a

SHA1
7a0fa96f6809499e0a6e5e9252c988fa3466e538

SHA256
b0e6fb31a9732b4b61d2f6c8c91a9be436c2a5ff0aa31a8eb248080cc61786bf

SHA512
f440ae5b1777662e2fd0349dd6f2c96227b2ac107d09ff01a1a23c150389d7e49463bbd8d359406c2d107780a9be27c331b1ba9e13e619f19797d37865442406

Download Submit
C:\Users\Admin\AppData\Local\Temp\pwUI.exe

Filesize
574KB

MD5
5634240799fedf7d98293ea594ca92a5

SHA1
5086050c5ae850073e562dc986c910c61c3f9ac6

SHA256
2577d8f426021a8f5b317940d316235933f51dd39ba6fc1c94cb863b40abab31

SHA512
a524ebd760ac1af855a5d4785a7ab99cf22994bdfc2102e306d84408e46e0963d3ff5c97df1c76b11b558e6e7c2fbdb1085d9c98b2fce01a6fc2d65fc7428268

Download Submit
C:\Users\Admin\AppData\Local\Temp\qAIU.exe

Filesize
189KB

MD5
d3df36b70ceaa83f5c51f2b84da3127e

SHA1
11e9fbf44e8897c7e7f47fbab6d954ea122361d9

SHA256
e2a87a468179633114b7ab832d0bc4e3996bd9aff3e279eef1536a4eb348c75e

SHA512
9aa16897a9092b1ea2b7be2e4eb949db69f05f451c629b79a7e4d6a17aee8c513325e2ae20e7a322f5a688e747c585d75261ace306cfff83f668d00c85c1c138

Download Submit
C:\Users\Admin\AppData\Local\Temp\qQgA.exe

Filesize
196KB

MD5
4433eac20390e4cb4b0f6669cdc415fa

SHA1
eb23c3c07a327618721ab42f0905a2855c6e2960

SHA256
eca6d580791f86966369f77fc5074d87770270aee8877126889d6fc237cf98a6

SHA512
3b764b2d75dc70c29f5ce454adef154f1ba6f9c7daa0fff7cbd895943434a7d9791936e6678e7988bc23bed237222668c8d47eec3b784c0e7e65af36bfecd21e

Download Submit
C:\Users\Admin\AppData\Local\Temp\rCgcIswk.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\rMkg.exe

Filesize
182KB

MD5
1734c3870dc9db09186555f3c0a7cfe3

SHA1
729e49a7fe881a78bf772906ade663cc22914822

SHA256
310aebcd8ef6bb45d21fae0a66f66100bc23ad3ce8af8431c0caf6e7eccc23a2

SHA512
25b9485e0418b12bfa7c47f4d033bf042ac91ba53c3787a03a7a661cf850e4dd869927257274018ace441c790957d3ecbc4902b54c57e1ef24862208bb57bbec

Download Submit
C:\Users\Admin\AppData\Local\Temp\tAYq.exe

Filesize
264KB

MD5
c726f0a4c9f9dc42acf05369cf43215a

SHA1
c98c88b8d9be05c0434017591aaefd900cfe4ff3

SHA256
c9be4edc45c03948cecd638640db364abac16f93a7704df081ed92b7d0fa8e85

SHA512
1dd0cc1c867cb8ebe3f81c73b72c6858daf20f3caedb4e9be32102813bc674313fbf032c1892a42092cbe07e502fb3b1c027aaecf8d58a215c88dd68859c6a10

Download Submit
C:\Users\Admin\AppData\Local\Temp\uUko.exe

Filesize
192KB

MD5
46c89d015262295fd24655aedd030c63

SHA1
4bdbc0d803b2d6a207fb6c4d5e04f68b0ea1ed73

SHA256
b6d020da11cdf5565897d6218eaf373a427b37afff45a6c8758faa12b16ff8a5

SHA512
9a902d3e85c95faf890a32c99542afe0a7b8f3e9d8a9ab1b8f984d40411f48b9b91bc7b9e8c2f81e63557458dfec51ad652424e666e55f3e09ca54afa722b604

Download Submit
C:\Users\Admin\AppData\Local\Temp\uUsI.exe

Filesize
233KB

MD5
0d1d4e846c13a53cd4520ae0bc6f7783

SHA1
dc482050012d760f83340645f003fcf5d83dc9ac

SHA256
ee38e590738afe0b3ede117a0069d7915963c0d5e80d2759dcde99f545bb46f0

SHA512
ea313eb71a63c88d8cd9f37228fe15ec19ca4a56cd234d1d664aa5c3fa0dc4f38625da12c2b31af59471db1245a6d7455d5749eae8699ab2f7add23e93043a9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\wMAO.exe

Filesize
201KB

MD5
32f34f0aa9e4fbec3d8ccbee0c5c5928

SHA1
1b3159f7fc299bb0f5b8ba7d49e1518930cc1ee9

SHA256
c181d9e363fa34c7e77d5c4f96862503928b962bc25de1edaff92b3ed458ff53

SHA512
fec984b2bb15db76bb29b88f58365baadfdf1b593546b6c2f8dcb2d8bcc8984c8543d4769e1944f332fb7ef0fa5471851a1eefe1cb877f38633729787703130a

Download Submit
C:\Users\Admin\AppData\Local\Temp\wQUa.exe

Filesize
189KB

MD5
d84913fcf992622ef1f0161384719ec8

SHA1
d78b388ad2555309b29a4569c6d1c169bdcfe098

SHA256
a995075c1368b684e1c925092872e1f2bad207ea24699b63cc0d1cff3897b28d

SHA512
4003af05fc3ca77296ff0729dbfbf26a920bcc433b581827a14176e4a35b8ceaec2ab24e2665bfbcf700c98107a5b1945117003b2a63ed6994e8cd6b76c6d864

Download Submit
C:\Users\Admin\AppData\Local\Temp\wgwa.ico

Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\xAYI.exe

Filesize
201KB

MD5
96b83bea79b8dfea1c78d04b2bbce289

SHA1
8619e0df9b91681b6e840b1e6b5a19876385d565

SHA256
6224fc926921a1ecfc8be000a1af97174ec1e31e444c836dc2e65098b273d9e6

SHA512
b3b16bc9aa4a2958690e9ec4da40ad8394ebf7fe38309accfb27d6eeb5e5c0ebe6b96d8dcbb96902d63e52f470419f962ac45b0ac9d3f76bd8f318cb0c0b4b7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\xMQI.exe

Filesize
188KB

MD5
8fe7d1da00f1c2d617b83bdfb26cd82b

SHA1
46c665459fa79a1c54b25cbfae58f3f25ecad305

SHA256
375753cdb5c4f8d4d7f13e62f5b211ff3c2e03528758efb0804325c34e2be0e8

SHA512
86cdfc252988cd7dc6ed803e5d92cc2b759cd69cac368b336013b75ea9643dd55d019f8ddb1b88ba7515f9455d8e5ce84f9807f9b7cc2c4a7bf52e495db2432d

Download Submit
C:\Users\Admin\AppData\Local\Temp\yEgs.exe

Filesize
772KB

MD5
74deac93f7fbb09f061409e51f1f2591

SHA1
e832c6b9a6f821c14ffb918c0c301e7d1fd1d2b5

SHA256
5bb55f42922e6b59c2b1afa5ce8bf71756ebc51b657ae0d75077f9ca41366faa

SHA512
2cd55c04c16fde76d0bcdf89be0a6d7c848e8fed7e7cea18c3c3036586fd1841cd6fd613df6f4649503769d2ba98f48ffd08c175e029c644e21805727c912ffb

Download Submit
C:\Users\Admin\AppData\Local\Temp\yMAy.exe

Filesize
221KB

MD5
30186e1cb016530214ebf800a0e3cf77

SHA1
0b2f05c36f560cf96c76296f15a1ac2d7bc74f1e

SHA256
ebf9cb95e75e80c898449ace6d80c13e715ca3a6c11f6e0d4dce7ace04fb8cc4

SHA512
299dd963a6798491c907c67b12f39b0db79047550b510b81f335646e52ab57543706ff9be11fe7a20a61813c8ee80306ffe2d4e1db1c47f9d118a77572033e93

Download Submit
C:\Users\Admin\AppData\Local\Temp\zcYE.exe

Filesize
320KB

MD5
0b58a1b205eef0c8971fc8395803a1a6

SHA1
a5f4e7ef53821c46000d1c8fabd6a151085da683

SHA256
068ce5b1a41180c2fdc4edda79658d5bd58cc30dc5f78e97ee9f4391f6864b6b

SHA512
90ac31ae20cfe8f11bac6947ae8346f13d15d9788c45be77fef0f1adffc19728d466e545799cdef2e02b5f9b87f4166aca34bd39de9040030a350a3771b73f8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\zkIc.exe

Filesize
208KB

MD5
08731ca011463f50ff1ba2b7215032dc

SHA1
52980e2dd32ce4ba63c5e9ee7fdc37504a413dc3

SHA256
d758d5b6ef29dedc465d97d81430d3770c087df2d99221d37db3883069665584

SHA512
0dcb107946ad01cbdde1ebcf214a9f8bd7b46a841bbfecbf30e2f6fb2dbd2eaea9a1bddad1ddb66a29c15313c3d94f013c60996bb4b375b28027a8f8662c8f13

Download Submit
C:\Users\Admin\AppData\Local\Temp\zwcY.exe

Filesize
197KB

MD5
8ea320112b43c8bdbb05c60eeee2161b

SHA1
25e1bded02184714c6e94bfb352719d536a19f14

SHA256
87a250a0ae0c5b9850f37b6c2032d8458358b5b92e9cf9dd51be455781137917

SHA512
29f83d0747068f69d35353925ffafed71c0bc9c6668aad7ef8c1360d88e45f5adf44a5f5464b202ecb0c87ea6a261278699abead1d3c1cc12dee03eb6f05ca0d

Download Submit
C:\Users\Admin\OGUwssEA\hCkUwgwQ.exe

Filesize
196KB

MD5
9dfc68ab674b41b7942042bff448e461

SHA1
bf219fa1e8996a28a17fdf01c0ef623db41b44f0

SHA256
a43b92b00ca1254aa09d897b63e7641a3843173ee521d7913c2df300048c6afe

SHA512
8152beb674c63143604911e53c7984820ddb0fdafd28ffc32d5f6f3cf979b7d12a71e07c2b225aff6ebaa6e22f7ec0b9ffb7899c2f37f3fc5d5444a613b6b31f

Download Submit
memory/60-226-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/60-237-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/216-414-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/392-694-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/396-344-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/396-335-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/400-104-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/400-91-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/516-652-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/748-249-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/752-362-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/752-371-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/844-379-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/844-547-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/916-529-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/932-634-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/932-644-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1116-54-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1216-571-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1244-306-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1444-598-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1444-607-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1448-537-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1564-433-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1652-288-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1712-260-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1712-251-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2016-11-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2024-316-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2024-324-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2040-163-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2080-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2080-20-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2100-387-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2268-68-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2268-79-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2288-513-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2288-397-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2288-388-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2316-441-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2392-660-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2460-555-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2464-67-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2736-451-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2736-460-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2768-416-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2768-424-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2772-625-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2772-617-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2840-360-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2888-9-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3124-581-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3176-597-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3176-563-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3228-225-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3228-216-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3236-503-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3236-669-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3236-661-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3248-127-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3260-352-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3444-744-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3548-616-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3600-262-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3600-269-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3612-823-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3636-83-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3636-92-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3748-176-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3784-198-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4084-406-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4148-187-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4160-478-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4416-589-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4468-289-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4468-297-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4468-116-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4520-808-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4592-141-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4592-152-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4596-326-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4596-334-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4616-487-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4616-479-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4644-270-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4644-280-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4680-468-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4732-43-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4752-450-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4800-495-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4832-32-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4848-315-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4848-633-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4908-212-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4988-521-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5028-140-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download