0abc2028782c87618854f9c04218ec5f60f579bd9c3fb1882f268f1b19b35c5a

Analysis

max time kernel
150s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
27-09-2024 10:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
Size

121KB
MD5

24ac9c6e989b5d7624e35a161746b213
SHA1

ac3e10b9bcb9b5c7f6e7e3eb3d3051e6bf02f873
SHA256

0abc2028782c87618854f9c04218ec5f60f579bd9c3fb1882f268f1b19b35c5a
SHA512

10582c1b96193d4833fe8eaaf8166ea43b646a08f7c6303dddcdd298e774bdfb663c6e581eb9a54dd984b096b8f2695db34b5bf0123c2633967d9cd82e38df14
SSDEEP

1536:CV+YuVqHH7RBxtM9pJmbw+uLszXn6hbRhWjYxUWvUgea4nnF6wRohw3r:E+YGSHJtUV+uozXM6lnF6a3r

Score

10^/10

discovery evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (81) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	OeswoIcg.exe

Executes dropped EXE 2 IoCs

pid	Process
1512	qaIEcgEE.exe
4040	OeswoIcg.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qaIEcgEE.exe = "C:\\Users\\Admin\\hOwUUEoE\\qaIEcgEE.exe"	2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\OeswoIcg.exe = "C:\\ProgramData\\dUQUYoYI\\OeswoIcg.exe"	2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qaIEcgEE.exe = "C:\\Users\\Admin\\hOwUUEoE\\qaIEcgEE.exe"	qaIEcgEE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\OeswoIcg.exe = "C:\\ProgramData\\dUQUYoYI\\OeswoIcg.exe"	OeswoIcg.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\shell32.dll.exe	qaIEcgEE.exe
File opened for modification	C:\Windows\SysWOW64\shell32.dll.exe	qaIEcgEE.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qaIEcgEE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
428	reg.exe
2776	reg.exe
4244	reg.exe
1856	reg.exe
3172	reg.exe
4440	reg.exe
1848	reg.exe
3372	reg.exe
2228	reg.exe
1400	reg.exe
428	reg.exe
5076	reg.exe
2796	reg.exe
3056	reg.exe
3816	reg.exe
1704	reg.exe
1996	reg.exe
2068	reg.exe
1920	reg.exe
3152	reg.exe
1244	reg.exe
4340	reg.exe
4396	reg.exe
3376	reg.exe
4524	reg.exe
2076	reg.exe
1836	reg.exe
1848	reg.exe
5076	reg.exe
4620	reg.exe
2516	reg.exe
5108	reg.exe
752	reg.exe
208	reg.exe
3580	reg.exe
668	reg.exe
4500	reg.exe
1344	reg.exe
3152	reg.exe
3392	reg.exe
2348	reg.exe
4596	reg.exe
2836	reg.exe
4936	reg.exe
4952	reg.exe
4452	reg.exe
2656	reg.exe
3392	reg.exe
4968	reg.exe
4596	reg.exe
2420	reg.exe
440	reg.exe
1528	reg.exe
1388	reg.exe
5052	reg.exe
1248	reg.exe
3684	reg.exe
5060	reg.exe
1508	reg.exe
2704	reg.exe
2556	reg.exe
3260	reg.exe
4608	reg.exe
2456	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4912	2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
4912	2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
4912	2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
4912	2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
1764	2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
1764	2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
1764	2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
1764	2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
3188	2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
3188	2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
3188	2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
3188	2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
3156	2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
3156	2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
3156	2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
3156	2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
4820	2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
4820	2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
4820	2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
4820	2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
1280	2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
1280	2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
1280	2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
1280	2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
3516	2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
3516	2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
3516	2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
3516	2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
4588	2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
4588	2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
4588	2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
4588	2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
4904	2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
4904	2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
4904	2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
4904	2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
5012	2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
5012	2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
5012	2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
5012	2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
4836	2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
4836	2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
4836	2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
4836	2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
2216	2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
2216	2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
2216	2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
2216	2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
5108	2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
5108	2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
5108	2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
5108	2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
4540	2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
4540	2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
4540	2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
4540	2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
4752	2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
4752	2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
4752	2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
4752	2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
4924	2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
4924	2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
4924	2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
4924	2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4040	OeswoIcg.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4040	OeswoIcg.exe
4040	OeswoIcg.exe
4040	OeswoIcg.exe
4040	OeswoIcg.exe
4040	OeswoIcg.exe
4040	OeswoIcg.exe
4040	OeswoIcg.exe
4040	OeswoIcg.exe
4040	OeswoIcg.exe
4040	OeswoIcg.exe
4040	OeswoIcg.exe
4040	OeswoIcg.exe
4040	OeswoIcg.exe
4040	OeswoIcg.exe
4040	OeswoIcg.exe
4040	OeswoIcg.exe
4040	OeswoIcg.exe
4040	OeswoIcg.exe
4040	OeswoIcg.exe
4040	OeswoIcg.exe
4040	OeswoIcg.exe
4040	OeswoIcg.exe
4040	OeswoIcg.exe
4040	OeswoIcg.exe
4040	OeswoIcg.exe
4040	OeswoIcg.exe
4040	OeswoIcg.exe
4040	OeswoIcg.exe
4040	OeswoIcg.exe
4040	OeswoIcg.exe
4040	OeswoIcg.exe
4040	OeswoIcg.exe
4040	OeswoIcg.exe
4040	OeswoIcg.exe
4040	OeswoIcg.exe
4040	OeswoIcg.exe
4040	OeswoIcg.exe
4040	OeswoIcg.exe
4040	OeswoIcg.exe
4040	OeswoIcg.exe
4040	OeswoIcg.exe
4040	OeswoIcg.exe
4040	OeswoIcg.exe
4040	OeswoIcg.exe
4040	OeswoIcg.exe
4040	OeswoIcg.exe
4040	OeswoIcg.exe
4040	OeswoIcg.exe
4040	OeswoIcg.exe
4040	OeswoIcg.exe
4040	OeswoIcg.exe
4040	OeswoIcg.exe
4040	OeswoIcg.exe
4040	OeswoIcg.exe
4040	OeswoIcg.exe
4040	OeswoIcg.exe
4040	OeswoIcg.exe
4040	OeswoIcg.exe
4040	OeswoIcg.exe
4040	OeswoIcg.exe
4040	OeswoIcg.exe
4040	OeswoIcg.exe
4040	OeswoIcg.exe
4040	OeswoIcg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4912 wrote to memory of 1512	4912	2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe	89
PID 4912 wrote to memory of 1512	4912	2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe	89
PID 4912 wrote to memory of 1512	4912	2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe	89
PID 4912 wrote to memory of 4040	4912	2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe	90
PID 4912 wrote to memory of 4040	4912	2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe	90
PID 4912 wrote to memory of 4040	4912	2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe	90
PID 4912 wrote to memory of 3372	4912	2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe	91
PID 4912 wrote to memory of 3372	4912	2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe	91
PID 4912 wrote to memory of 3372	4912	2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe	91
PID 3372 wrote to memory of 1764	3372	cmd.exe	93
PID 3372 wrote to memory of 1764	3372	cmd.exe	93
PID 3372 wrote to memory of 1764	3372	cmd.exe	93
PID 4912 wrote to memory of 2316	4912	2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe	94
PID 4912 wrote to memory of 2316	4912	2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe	94
PID 4912 wrote to memory of 2316	4912	2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe	94
PID 4912 wrote to memory of 3060	4912	2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe	95
PID 4912 wrote to memory of 3060	4912	2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe	95
PID 4912 wrote to memory of 3060	4912	2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe	95
PID 4912 wrote to memory of 440	4912	2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe	96
PID 4912 wrote to memory of 440	4912	2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe	96
PID 4912 wrote to memory of 440	4912	2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe	96
PID 4912 wrote to memory of 3492	4912	2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe	97
PID 4912 wrote to memory of 3492	4912	2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe	97
PID 4912 wrote to memory of 3492	4912	2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe	97
PID 3492 wrote to memory of 2096	3492	cmd.exe	102
PID 3492 wrote to memory of 2096	3492	cmd.exe	102
PID 3492 wrote to memory of 2096	3492	cmd.exe	102
PID 1764 wrote to memory of 4816	1764	2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe	103
PID 1764 wrote to memory of 4816	1764	2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe	103
PID 1764 wrote to memory of 4816	1764	2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe	103
PID 4816 wrote to memory of 3188	4816	cmd.exe	105
PID 4816 wrote to memory of 3188	4816	cmd.exe	105
PID 4816 wrote to memory of 3188	4816	cmd.exe	105
PID 1764 wrote to memory of 3696	1764	2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe	106
PID 1764 wrote to memory of 3696	1764	2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe	106
PID 1764 wrote to memory of 3696	1764	2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe	106
PID 1764 wrote to memory of 2796	1764	2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe	107
PID 1764 wrote to memory of 2796	1764	2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe	107
PID 1764 wrote to memory of 2796	1764	2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe	107
PID 1764 wrote to memory of 1156	1764	2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe	108
PID 1764 wrote to memory of 1156	1764	2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe	108
PID 1764 wrote to memory of 1156	1764	2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe	108
PID 1764 wrote to memory of 2500	1764	2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe	109
PID 1764 wrote to memory of 2500	1764	2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe	109
PID 1764 wrote to memory of 2500	1764	2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe	109
PID 2500 wrote to memory of 1492	2500	cmd.exe	114
PID 2500 wrote to memory of 1492	2500	cmd.exe	114
PID 2500 wrote to memory of 1492	2500	cmd.exe	114
PID 3188 wrote to memory of 3496	3188	2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe	115
PID 3188 wrote to memory of 3496	3188	2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe	115
PID 3188 wrote to memory of 3496	3188	2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe	115
PID 3188 wrote to memory of 3180	3188	2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe	117
PID 3188 wrote to memory of 3180	3188	2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe	117
PID 3188 wrote to memory of 3180	3188	2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe	117
PID 3188 wrote to memory of 3192	3188	2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe	118
PID 3188 wrote to memory of 3192	3188	2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe	118
PID 3188 wrote to memory of 3192	3188	2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe	118
PID 3188 wrote to memory of 1836	3188	2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe	119
PID 3188 wrote to memory of 1836	3188	2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe	119
PID 3188 wrote to memory of 1836	3188	2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe	119
PID 3188 wrote to memory of 464	3188	2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe	120
PID 3188 wrote to memory of 464	3188	2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe	120
PID 3188 wrote to memory of 464	3188	2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe	120
PID 3496 wrote to memory of 3156	3496	cmd.exe	125

C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4912
- C:\Users\Admin\hOwUUEoE\qaIEcgEE.exe
  "C:\Users\Admin\hOwUUEoE\qaIEcgEE.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:1512
- C:\ProgramData\dUQUYoYI\OeswoIcg.exe
  "C:\ProgramData\dUQUYoYI\OeswoIcg.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:4040
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3372
- - C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
    C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1764
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4816
    - - C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3188
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3496
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
        8⤵
        
        PID:5008
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
        10⤵
        
        PID:4708
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
        12⤵
        
        PID:5004
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
        14⤵
        
        PID:1960
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
        16⤵
        
        PID:3156
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:4724
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
        20⤵
        
        PID:3696
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
        22⤵
        
        PID:4244
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
        24⤵
        
        PID:5076
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
        26⤵
        
        PID:2324
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
        28⤵
        
        PID:3172
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
        30⤵
        
        PID:2060
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
        32⤵
        
        PID:2952
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
        33⤵
        System Location Discovery: System Language Discovery
        
        PID:1152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
        34⤵
        System Location Discovery: System Language Discovery
        
        PID:4500
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
        35⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
        36⤵
        
        PID:4824
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
        37⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
        38⤵
        System Location Discovery: System Language Discovery
        
        PID:1088
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
        39⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
        40⤵
        
        PID:4836
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
        41⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
        42⤵
        
        PID:4364
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
        43⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
        44⤵
        
        PID:64
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
        45⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
        46⤵
        
        PID:4408
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        47⤵
        
        PID:2124
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
        47⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
        48⤵
        
        PID:1400
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
        49⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
        50⤵
        System Location Discovery: System Language Discovery
        
        PID:2456
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
        51⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
        52⤵
        
        PID:3152
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
        53⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
        54⤵
        
        PID:2460
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
        55⤵
        
        PID:1388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
        56⤵
        
        PID:4832
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
        57⤵
        System Location Discovery: System Language Discovery
        
        PID:32
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
        58⤵
        
        PID:316
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
        59⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
        60⤵
        
        PID:1088
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
        61⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
        62⤵
        
        PID:3376
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        63⤵
        
        PID:2076
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
        63⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
        64⤵
        System Location Discovery: System Language Discovery
        
        PID:1192
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
        65⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
        66⤵
        
        PID:3104
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
        67⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
        68⤵
        
        PID:2516
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
        69⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
        70⤵
        
        PID:716
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
        71⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
        72⤵
        System Location Discovery: System Language Discovery
        
        PID:32
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
        73⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
        74⤵
        
        PID:1492
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
        75⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
        76⤵
        
        PID:1164
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
        77⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
        78⤵
        
        PID:1856
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
        79⤵
        
        PID:872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
        80⤵
        
        PID:4084
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
        81⤵
        
        PID:412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
        82⤵
        
        PID:3724
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
        83⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
        84⤵
        
        PID:2456
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
        85⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
        86⤵
        
        PID:4328
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
        87⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
        88⤵
        
        PID:1996
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
        89⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
        90⤵
        
        PID:1764
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
        91⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
        92⤵
        
        PID:3340
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        93⤵
        
        PID:872
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
        93⤵
        
        PID:1152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
        94⤵
        
        PID:3968
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
        95⤵
        
        PID:3216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
        96⤵
        
        PID:4616
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
        97⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
        98⤵
        
        PID:2500
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
        99⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
        100⤵
        
        PID:3816
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
        101⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
        102⤵
        
        PID:2452
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
        103⤵
        
        PID:3260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
        104⤵
        
        PID:4440
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
        105⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
        106⤵
        
        PID:3336
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        107⤵
        
        PID:3536
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
        107⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
        108⤵
        
        PID:4204
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
        109⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
        110⤵
        
        PID:208
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        111⤵
        
        PID:2440
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
        111⤵
        
        PID:3260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
        112⤵
        
        PID:4396
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
        113⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
        114⤵
        
        PID:1644
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        115⤵
        
        PID:2436
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
        115⤵
        
        PID:640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
        116⤵
        
        PID:1612
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
        117⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
        118⤵
        
        PID:3284
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
        119⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
        120⤵
        
        PID:1704
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
        121⤵
        
        PID:3144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
        122⤵
        System Location Discovery: System Language Discovery
        
        PID:996
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
        123⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
        124⤵
        
        PID:2356
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
        125⤵
        
        PID:4328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
        126⤵
        
        PID:3792
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        127⤵
        
        PID:1400
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
        127⤵
        
        PID:1248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
        128⤵
        System Location Discovery: System Language Discovery
        
        PID:3376
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
        129⤵
        
        PID:3716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
        130⤵
        
        PID:4220
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
        131⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
        132⤵
        
        PID:2408
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
        133⤵
        
        PID:532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
        134⤵
        
        PID:3284
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        135⤵
        
        PID:1164
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
        135⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
        136⤵
        
        PID:1684
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
        137⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
        138⤵
        
        PID:4788
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        139⤵
        
        PID:4868
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
        139⤵
        System Location Discovery: System Language Discovery
        
        PID:1200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
        140⤵
        
        PID:3728
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        141⤵
        
        PID:3536
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
        141⤵
        System Location Discovery: System Language Discovery
        
        PID:1280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
        142⤵
        
        PID:4984
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        143⤵
        
        PID:532
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
        143⤵
        System Location Discovery: System Language Discovery
        
        PID:2420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
        144⤵
        
        PID:1200
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
        145⤵
        
        PID:4552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
        146⤵
        
        PID:2100
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        147⤵
        
        PID:3580
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
        147⤵
        
        PID:3340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
        148⤵
        System Location Discovery: System Language Discovery
        
        PID:2348
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
        149⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
        150⤵
        System Location Discovery: System Language Discovery
        
        PID:4360
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
        151⤵
        
        PID:1244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
        152⤵
        
        PID:3144
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
        153⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
        154⤵
        
        PID:512
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
        155⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
        156⤵
        
        PID:4584
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
        157⤵
        
        PID:3748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
        158⤵
        
        PID:3736
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        159⤵
        
        PID:3796
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
        159⤵
        
        PID:820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
        160⤵
        
        PID:2124
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        161⤵
        
        PID:1280
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
        161⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
        162⤵
        
        PID:1116
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
        163⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
        164⤵
        
        PID:1384
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        165⤵
        
        PID:1528
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
        165⤵
        
        PID:3336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
        166⤵
        
        PID:4220
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
        167⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
        168⤵
        
        PID:4716
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
        169⤵
        
        PID:3300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
        170⤵
        
        PID:2740
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        171⤵
        
        PID:2976
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
        171⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
        172⤵
        
        PID:2548
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
        173⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
        174⤵
        System Location Discovery: System Language Discovery
        
        PID:3260
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
        175⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
        176⤵
        
        PID:4452
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        177⤵
        
        PID:4716
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
        177⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
        178⤵
        
        PID:4328
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
        179⤵
        System Location Discovery: System Language Discovery
        
        PID:4708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
        180⤵
        
        PID:872
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
        181⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
        182⤵
        
        PID:2636
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
        183⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
        184⤵
        
        PID:4340
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        185⤵
        
        PID:3156
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
        185⤵
        
        PID:1260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
        186⤵
        
        PID:1316
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        187⤵
        
        PID:4912
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
        187⤵
        
        PID:668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
        188⤵
        
        PID:4156
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        189⤵
        
        PID:4440
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
        189⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
        190⤵
        System Location Discovery: System Language Discovery
        
        PID:3284
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        191⤵
        
        PID:3956
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
        191⤵
        
        PID:916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
        192⤵
        
        PID:4364
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        193⤵
        
        PID:5048
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
        193⤵
        System Location Discovery: System Language Discovery
        
        PID:5076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        194⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4352
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        195⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        194⤵
        
        PID:428
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        195⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        194⤵
        UAC bypass
        
        PID:4724
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        195⤵
        
        PID:208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        192⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:2064
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        193⤵
        
        PID:1244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        192⤵
        
        PID:4988
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        193⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        192⤵
        UAC bypass
        
        PID:1848
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        193⤵
        
        PID:3180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uSAssMUE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe""
        192⤵
        
        PID:4328
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        193⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        190⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2216
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        191⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        190⤵
        
        PID:3816
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        191⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        190⤵
        Modifies registry key
        
        PID:4524
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        191⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tsMUwsYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe""
        190⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        191⤵
        System Location Discovery: System Language Discovery
        
        PID:4948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        188⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        188⤵
        
        PID:4496
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        189⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        188⤵
        UAC bypass
        
        PID:3260
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        189⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TWoMIYwc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe""
        188⤵
        
        PID:716
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        189⤵
        
        PID:436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        186⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1568
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        187⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        186⤵
        
        PID:4940
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        187⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        186⤵
        UAC bypass
        
        PID:2100
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        187⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CoYcAMMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe""
        186⤵
        
        PID:2356
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        187⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        187⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        184⤵
        
        PID:1940
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        185⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        184⤵
        
        PID:2460
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        185⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        184⤵
        UAC bypass
        Modifies registry key
        
        PID:4596
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        185⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RQIwAcko.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe""
        184⤵
        
        PID:2592
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        185⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        185⤵
        System Location Discovery: System Language Discovery
        
        PID:1888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        182⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3260
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        183⤵
        
        PID:716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        182⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        182⤵
        Modifies registry key
        
        PID:3580
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        183⤵
        
        PID:208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jAcAMEkA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe""
        182⤵
        
        PID:804
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        183⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        180⤵
        
        PID:2548
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        181⤵
        
        PID:1048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        180⤵
        
        PID:864
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        181⤵
        
        PID:772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        180⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eWkUQEMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe""
        180⤵
        
        PID:3300
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        181⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        181⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        178⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        178⤵
        
        PID:3284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        178⤵
        UAC bypass
        
        PID:1164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MCMEgEkc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe""
        178⤵
        
        PID:3392
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        179⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        179⤵
        
        PID:3516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        176⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3664
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        177⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        176⤵
        
        PID:208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        176⤵
        Modifies registry key
        
        PID:2556
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        177⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZeAsswcM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe""
        176⤵
        
        PID:1960
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        177⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        177⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        174⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:5052
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        175⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        174⤵
        
        PID:1824
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        175⤵
        
        PID:32
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        174⤵
        UAC bypass
        
        PID:1048
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        175⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wUYsccEY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe""
        174⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        175⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        172⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4504
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        173⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        172⤵
        
        PID:2280
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        173⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        172⤵
        
        PID:3128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gCssQcgg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe""
        172⤵
        
        PID:3516
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        173⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        170⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        170⤵
        Modifies registry key
        
        PID:5060
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        171⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        170⤵
        UAC bypass
        
        PID:1116
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        171⤵
        
        PID:3736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RickUkUs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe""
        170⤵
        System Location Discovery: System Language Discovery
        
        PID:428
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        171⤵
        
        PID:804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        168⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1824
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        169⤵
        
        PID:3720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        168⤵
        Modifies registry key
        
        PID:3684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        168⤵
        UAC bypass
        
        PID:2636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xqIYsAoo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe""
        168⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        169⤵
        
        PID:3760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        166⤵
        
        PID:512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        166⤵
        
        PID:400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        166⤵
        UAC bypass
        
        PID:2448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XswgowMc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe""
        166⤵
        
        PID:772
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        167⤵
        System Location Discovery: System Language Discovery
        
        PID:3260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        164⤵
        
        PID:4620
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        165⤵
        
        PID:3376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        164⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        164⤵
        UAC bypass
        Modifies registry key
        
        PID:5076
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        165⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lSUIcEMc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe""
        164⤵
        
        PID:3340
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        165⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        162⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        162⤵
        Modifies registry key
        
        PID:2796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        162⤵
        UAC bypass
        Modifies registry key
        
        PID:3392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tYUMcIQk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe""
        162⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        163⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        160⤵
        Modifies visibility of file extensions in Explorer
        
        PID:640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        160⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        160⤵
        UAC bypass
        Modifies registry key
        
        PID:208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oqMEswEw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe""
        160⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        161⤵
        
        PID:1264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        158⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        158⤵
        
        PID:3336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        158⤵
        
        PID:440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uaUAYYQY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe""
        158⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        159⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        156⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:4968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        156⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        156⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:1996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xYUMIogQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe""
        156⤵
        
        PID:4980
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        157⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        157⤵
        
        PID:4328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        154⤵
        
        PID:4724
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        155⤵
        
        PID:3148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        154⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        154⤵
        UAC bypass
        
        PID:2548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NOYkswUY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe""
        154⤵
        
        PID:4716
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        155⤵
        
        PID:3264
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        155⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        152⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        152⤵
        
        PID:3748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        152⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wCMUMUQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe""
        152⤵
        
        PID:3732
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        153⤵
        
        PID:4156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        150⤵
        System Location Discovery: System Language Discovery
        
        PID:1280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        150⤵
        
        PID:4084
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        151⤵
        
        PID:1384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        150⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xmsEQgcA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe""
        150⤵
        
        PID:1020
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        151⤵
        
        PID:4620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        148⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:4736
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        149⤵
        
        PID:4204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        148⤵
        Modifies registry key
        
        PID:5076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        148⤵
        UAC bypass
        
        PID:2212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\giMMQMUU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe""
        148⤵
        System Location Discovery: System Language Discovery
        
        PID:2976
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        149⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        146⤵
        Modifies registry key
        
        PID:3152
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        147⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        146⤵
        System Location Discovery: System Language Discovery
        
        PID:1020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        146⤵
        
        PID:368
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        147⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NQMckYcI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe""
        146⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        147⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        144⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        144⤵
        
        PID:3284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        144⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:4716
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        145⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bKYcsUkE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe""
        144⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        145⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        142⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        142⤵
        
        PID:3792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        142⤵
        Modifies registry key
        
        PID:428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zuwkYcIU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe""
        142⤵
        
        PID:2036
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        143⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        143⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        140⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        140⤵
        
        PID:3720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        140⤵
        UAC bypass
        
        PID:1676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OeAgUkMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe""
        140⤵
        
        PID:1132
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        141⤵
        
        PID:996
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        141⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        138⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        138⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        138⤵
        UAC bypass
        
        PID:2280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LYIUgIgg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe""
        138⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        139⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        136⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        136⤵
        
        PID:3796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        136⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\scgcwcgM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe""
        136⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        137⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        134⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        134⤵
        
        PID:864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        134⤵
        UAC bypass
        
        PID:1888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JusIQoQI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe""
        134⤵
        
        PID:3152
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        135⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        132⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:4340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        132⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        132⤵
        UAC bypass
        
        PID:2296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ywggEwks.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe""
        132⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        133⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        
        PID:3192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        UAC bypass
        
        PID:1152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\buoQEwQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe""
        130⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        131⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1848
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        129⤵
        
        PID:3120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        
        PID:3148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        UAC bypass
        
        PID:2976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xkIEskAw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe""
        128⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        129⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        Modifies registry key
        
        PID:1920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        UAC bypass
        
        PID:2704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CwcEMwwc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe""
        126⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        System Location Discovery: System Language Discovery
        
        PID:2456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        UAC bypass
        Modifies registry key
        
        PID:428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zQIQMAcg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe""
        124⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        Modifies registry key
        
        PID:4952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        
        PID:5060
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        123⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        UAC bypass
        
        PID:3816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PysYAQkM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe""
        122⤵
        
        PID:32
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        
        PID:3120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        
        PID:2740
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        121⤵
        
        PID:4608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fCkMYQMo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe""
        120⤵
        
        PID:1020
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        121⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2636
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        119⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        
        PID:3180
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        119⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        UAC bypass
        
        PID:1508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sSwIUMIo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe""
        118⤵
        System Location Discovery: System Language Discovery
        
        PID:2448
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        
        PID:3664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        
        PID:1244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        UAC bypass
        
        PID:4724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xkcsQYog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe""
        116⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:3792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WuUMUkAo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe""
        114⤵
        System Location Discovery: System Language Discovery
        
        PID:3956
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:3156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:3644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        
        PID:2124
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        113⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:2280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BSQAIAgg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe""
        112⤵
        System Location Discovery: System Language Discovery
        
        PID:916
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wYsAkAcU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe""
        110⤵
        
        PID:1996
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        111⤵
        
        PID:3216
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        System Location Discovery: System Language Discovery
        
        PID:804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        UAC bypass
        
        PID:4832
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        109⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GgQIIsog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe""
        108⤵
        System Location Discovery: System Language Discovery
        
        PID:1712
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        109⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        
        PID:2436
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        107⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        UAC bypass
        
        PID:2096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cqYMEcAE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe""
        106⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        
        PID:2408
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        105⤵
        
        PID:32
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        UAC bypass
        
        PID:3644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NSocAoQM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe""
        104⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:4452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        System Location Discovery: System Language Discovery
        
        PID:1824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        
        PID:4360
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        103⤵
        
        PID:3376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        UAC bypass
        
        PID:4584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\puEgYgQs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe""
        102⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:1200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        UAC bypass
        Modifies registry key
        
        PID:2516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xiAIQMsY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe""
        100⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        System Location Discovery: System Language Discovery
        
        PID:3392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        Modifies registry key
        
        PID:2068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        UAC bypass
        
        PID:3664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qEoYQAUQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe""
        98⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:3536
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        97⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vKUMkgco.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe""
        96⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:3720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        
        PID:3144
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        95⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        UAC bypass
        
        PID:4696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ieYEsokM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe""
        94⤵
        
        PID:208
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        Modifies registry key
        
        PID:440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        Modifies registry key
        
        PID:3152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        UAC bypass
        
        PID:1712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kMgEYEMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe""
        92⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        System Location Discovery: System Language Discovery
        
        PID:4452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        UAC bypass
        
        PID:716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HAUYkwQE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe""
        90⤵
        
        PID:3120
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        System Location Discovery: System Language Discovery
        
        PID:1856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:3148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        Modifies registry key
        
        PID:1344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lecsAIYo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe""
        88⤵
        System Location Discovery: System Language Discovery
        
        PID:3088
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        89⤵
        
        PID:732
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        Modifies registry key
        
        PID:1248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        Modifies registry key
        
        PID:1400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        UAC bypass
        
        PID:1280
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        87⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UyEYMsoE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe""
        86⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        Modifies registry key
        
        PID:3376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        System Location Discovery: System Language Discovery
        
        PID:4360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zkYgUYYA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe""
        84⤵
        
        PID:1592
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        85⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        System Location Discovery: System Language Discovery
        
        PID:1708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        System Location Discovery: System Language Discovery
        
        PID:4820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        
        PID:1152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LGEskwMI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe""
        82⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        Modifies visibility of file extensions in Explorer
        
        PID:392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        UAC bypass
        
        PID:3264
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        81⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LOwcsAUI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe""
        80⤵
        System Location Discovery: System Language Discovery
        
        PID:2440
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:3372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:2068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        
        PID:3120
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        79⤵
        
        PID:3748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gUQQgsAc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe""
        78⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:4204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        
        PID:1964
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        77⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        UAC bypass
        Modifies registry key
        
        PID:4396
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        77⤵
        
        PID:4452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LwEAEQco.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe""
        76⤵
        
        PID:3340
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:4608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        
        PID:3284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1996
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        75⤵
        
        PID:3372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZaEckIAU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe""
        74⤵
        
        PID:4420
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        75⤵
        
        PID:316
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        Modifies registry key
        
        PID:3392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        Modifies registry key
        
        PID:3172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hMcoscIg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe""
        72⤵
        
        PID:804
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:1384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        System Location Discovery: System Language Discovery
        
        PID:2636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        UAC bypass
        
        PID:2316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bywAUgsM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe""
        70⤵
        
        PID:2356
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        71⤵
        
        PID:3120
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        Modifies registry key
        
        PID:4620
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        69⤵
        
        PID:1088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        UAC bypass
        
        PID:3604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fYUgMsAY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe""
        68⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        
        PID:3748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        
        PID:1224
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        67⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nMYcAIYA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe""
        66⤵
        
        PID:3336
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:3536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        Modifies visibility of file extensions in Explorer
        
        PID:732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        
        PID:228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        
        PID:772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ziIooEYw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe""
        64⤵
        
        PID:32
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        65⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        System Location Discovery: System Language Discovery
        
        PID:3052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\seMoYgkU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe""
        62⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        Modifies registry key
        
        PID:2656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        
        PID:4788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        UAC bypass
        
        PID:2992
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        61⤵
        
        PID:3152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wAgEwwQY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe""
        60⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1116
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        59⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        
        PID:3684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        UAC bypass
        Modifies registry key
        
        PID:1856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ISgIQoog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe""
        58⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4244
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        57⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        Modifies registry key
        
        PID:2836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        UAC bypass
        
        PID:1708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MokokkkY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe""
        56⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        UAC bypass
        Modifies registry key
        
        PID:4452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TKIooswo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe""
        54⤵
        
        PID:4936
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        55⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        Modifies registry key
        
        PID:1704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        UAC bypass
        Modifies registry key
        
        PID:3372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sEogAwAw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe""
        52⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:4500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:4724
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        51⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        UAC bypass
        
        PID:1280
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        51⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yGcEAkgU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe""
        50⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:1116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        Modifies registry key
        
        PID:1388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        
        PID:4788
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        49⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sKIIcMoM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe""
        48⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:3576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        
        PID:456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:3520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LywkQoIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe""
        46⤵
        
        PID:428
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:4452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NScMUMUw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe""
        44⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        System Location Discovery: System Language Discovery
        
        PID:3372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        Modifies registry key
        
        PID:1848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GiQsYkcI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe""
        42⤵
        
        PID:752
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:3120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        Modifies registry key
        
        PID:1508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        UAC bypass
        Modifies registry key
        
        PID:2420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IYUckocU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe""
        40⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        
        PID:428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SKUMcwwo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe""
        38⤵
        
        PID:3376
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        
        PID:1200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EsEggYIQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe""
        36⤵
        
        PID:4608
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:3152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        Modifies registry key
        
        PID:752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        UAC bypass
        
        PID:2256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HOwUwAgc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe""
        34⤵
        
        PID:2316
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        35⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YKwEEYEQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe""
        32⤵
        
        PID:3284
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        System Location Discovery: System Language Discovery
        
        PID:2036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        
        PID:1264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lGwcUwcU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe""
        30⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        Modifies registry key
        
        PID:2456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        UAC bypass
        Modifies registry key
        
        PID:4608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BUkMQkEA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe""
        28⤵
        
        PID:3728
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        29⤵
        
        PID:64
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        
        PID:4292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        
        PID:3156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\loEwQMow.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe""
        26⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        
        PID:3720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        UAC bypass
        
        PID:4452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UewQkEgE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe""
        24⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        Modifies registry key
        
        PID:3816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rQgAsoEE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe""
        22⤵
        
        PID:3088
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:4156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        
        PID:64
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZUkoQoMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe""
        20⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        UAC bypass
        
        PID:2904
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        19⤵
        
        PID:32
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QqAMEgkk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe""
        18⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        Modifies registry key
        
        PID:5108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        UAC bypass
        
        PID:4736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aqUMcQEc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe""
        16⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        Modifies registry key
        
        PID:1836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RUwQYccM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe""
        14⤵
        
        PID:3404
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:3152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        Modifies registry key
        
        PID:2776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XQcccYss.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe""
        12⤵
        
        PID:3148
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:32
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:4420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aEcAsgcY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe""
        10⤵
        
        PID:3792
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        Modifies registry key
        
        PID:4596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IeEgAsMc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe""
        8⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:2636
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        
        PID:3180
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:3192
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        
        PID:1836
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WegkosUA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe""
        6⤵
        
        PID:464
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:1704
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:3696
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:2796
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      System Location Discovery: System Language Discovery
      PID:1156
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AAcAMoMc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2500
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:1492
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  - System Location Discovery: System Language Discovery
  PID:2316
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:3060
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:440
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xmgsIEAs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3492
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:2096

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4252,i,11251706013556949551,5157034131170452377,262144 --variations-seed-version --mojo-platform-channel-handle=4436 /prefetch:8
1⤵
PID:3932

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:4388

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:2656

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
PID:3104

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:3716

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
PID:3728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe

Filesize
149KB

MD5
7b75fab5da58a50fae33da4ef4726d84

SHA1
ed224f7057a780a670a95f459b6c20fe89d68abb

SHA256
a21f862b81c325d1c03aba0d91ae1846a7158369ea7be151b3dac2cbf5cbc34c

SHA512
24257a0364140918f7801bfa7f51e3738f112cf787e0e6f8ba890209253176a1955f2742286e7d3425b6509c13fe8ad8590848d32030c9f4000ed26d4e186e56

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe

Filesize
148KB

MD5
94d0c06de2090f1609001504ccee5039

SHA1
e062b3575b3fa599297864f280cfa3db782a125c

SHA256
edb3513a9cae871a666b21b4d5644034d84f0c0f01a0f97f60f676ec22b90e49

SHA512
3d13b8063b2c99a757d3db9a39be8c1c66498e7fc0472d10eb13361e08baaa450fd4db7e4be57ba487059529a16037f53680ebfb8a0f9b9f8018a8fd8d76eab1

Download Submit
C:\ProgramData\dUQUYoYI\OeswoIcg.exe

Filesize
109KB

MD5
4ee082304b000f5d67bf95a4a0cd1d56

SHA1
7376e5c6a5b076251b2a8d1cde7ae358947224ed

SHA256
e260240bcde8331b02941153e4381686246ac2a8257883ac836199569b2c5213

SHA512
4c0ca6eb76c8b8d615d0ce94279b47f5df59b94bb394bae83a3e5e0d90670c066253c2dc38d3f3ce0f20a3d89f5bd832e47655554235b890d5a636b0fdc63c34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\OneDriveLogo.png.exe

Filesize
115KB

MD5
5743db4395bc6c7e71a350073b410fd0

SHA1
741fc384c837f1358474205df759df51b390cd38

SHA256
0cf61aa453ab00e9821810a1db11487a0afbf38bc73321acea793d53302f4892

SHA512
03940f75ceaaab75e4cc66bb5a8f5f4156c2691fa6a287838b4ada5fa974469c680e494dcb8776e15f226785abfbe9de3f6b705fb1009642cb4fb00e0edae4d1

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\6501008900\tinytile.png.exe

Filesize
112KB

MD5
79149bf3fc96b6237051dfd3ad2f5e82

SHA1
3cbbd2ced7acddf8cc8b27d25e410e80cc83450d

SHA256
658191cbaa3cb3d5d369e2919dbf46e28000c292206cb8d11fc63a07d94a4484

SHA512
101b0a05bcde2203f64e0aa3175d4c455f3a810a9dcaccca95c9dc133b72e4e528f8a0dd450f0d02233a542955c43e9689ac0fc0088a60ff49cd85da25b2c4a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock

Filesize
6KB

MD5
992fb6d4212b9da65b5c43b8ccef056d

SHA1
fe9e3d372da0b230103f6e117749bffc42b11a75

SHA256
53ce4b12db6e08457b04731e3f79bb8da2718eda2bb6316a9aad101c9b512c44

SHA512
6de71293d2344fc480424a2613c6f7677149659c95c769c81f2f3d49ac1e6b60334be2a078905f3770d8823530bdc1b0a9c8f89ebff661d2c8c76d45d69da8f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\AEgG.exe

Filesize
749KB

MD5
27ca818a15cc42beb73d668045aa59ef

SHA1
b49c7f0d39a688660fb207aa026f88cceb4af39d

SHA256
11090fa802ba5135abb67580fe9da46411b714b8e819afa0ecc535550a03d88a

SHA512
de5ca392c379b3e1e19bae1e940584bf526af4e16a8cc0e2a0cd6ce0eb59c6d3146238c360a56a598944ec6957ba9915ca7a32f0ec165e5721e0c5e03af41ae3

Download Submit
C:\Users\Admin\AppData\Local\Temp\AUcU.exe

Filesize
111KB

MD5
8ce5e321e6b9223ebe9a3af254406fbd

SHA1
3021cadfcf3bfcee529f4f68ce470d1f1c5507b6

SHA256
9ed4c5f16c1a51458a32a5e8f49fc13471566b8cdd4d9117278700523f1e9e76

SHA512
bcce380649cc559e18e982f99275fec5ba7838089ead79053abb6fc0c64846bcb03802ffa1501f030059dfedf3b068f6dd6005395e34c14677832283890b90bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\BEAC.exe

Filesize
112KB

MD5
4af1044ff040d8a1ae0bebf2bbbeefb2

SHA1
c84e46f907424e542e243480aa61dbf38aba0c1e

SHA256
ed08675e3738e7f678b5dc1746faccd80aa504adfc35798279079d36dd4b2171

SHA512
03d3e0f49dc5514ba04cd0beb52202a2eb2282d51dbc6d5e96c13ea61c847b7dd574615b9ba3376da4113eface65ac51ac9c04338b53ce8a0a5205f06c647038

Download Submit
C:\Users\Admin\AppData\Local\Temp\BEMi.exe

Filesize
109KB

MD5
e294cdf4d10548ef84f14fb95aaf6822

SHA1
7531bdda50aa47bc3b34a5175684f923b5eb0d38

SHA256
fae86d737de1f5371cff9e7b3642f7233efac84036d4b07dee00585070cb4879

SHA512
f91bda4213a46504a94f7b61af0881a0678a1086e64d557b9d37188f2dcaf79b302e4b7c45c4baf61eff888a2b15dda7587330b8d43e2e794d05e6ce850be262

Download Submit
C:\Users\Admin\AppData\Local\Temp\BcsW.exe

Filesize
138KB

MD5
ee09cc1c04adcd5948f30fc1406cdcae

SHA1
78ad39e0a551dba94fb25613e8fca0d148a686e0

SHA256
9b5a80412f737f4422bcad2c2477abf70fae32973d0184f0edf4c680feeae1f3

SHA512
40b3979aeca07b075cae8549db9da95459ba6a19445fb2d11d6a748fe6f80d5cbfe616a44f2ec5f5c71b9c3ce53cb31ca8394b055e554565fb2e64c57cac5b80

Download Submit
C:\Users\Admin\AppData\Local\Temp\CIEU.exe

Filesize
470KB

MD5
d50257bbc3a152a8711324fbfa5cae43

SHA1
de060ca5a26a94776a6e3be3b0d8fed46ae16476

SHA256
0bbe0d0f20545b57946a40a88a0d16e363a39fdbe9c14c088516fa19baa41723

SHA512
6adfcc9517ee291c7e1e6feeda201b38dcfeee54a5dbf0e9812d5ae51af9875c26e1337967e44f98cd965bc0caeed4c3ef8545c564fb203a8b3985086f77962e

Download Submit
C:\Users\Admin\AppData\Local\Temp\CQcs.exe

Filesize
110KB

MD5
a0ca772b10122003e35fd116ab86df2e

SHA1
9218cab40d89283477bd88f31b56431628156117

SHA256
b51b3f9e5c34a5aaa93c563c0ce37cc9449acbf00b5c6c7b631bfe9dab6833ae

SHA512
ca9bf3ea29eab7adbc5de3bd487fbf6a7c716e7a938175cc1721c98d06307ca96a62ce2aed2f7741ee18f19a0375275e380e1f1a74f6c49feb113d760253b733

Download Submit
C:\Users\Admin\AppData\Local\Temp\CgcC.exe

Filesize
116KB

MD5
0a9d814d1192afdcd2c9691d5f1ae3f0

SHA1
6f1bfa749335649d18e2fb1d2e238109e2ecc49f

SHA256
5c986eda54aa56c93f8150bcc64ae6b7473c6904c86121cde7e5c7590a231d34

SHA512
43e4817dbe829f91a4d1f528d35c99786647e2a6753ddf3c6dc306854d2148256996a0cef2365fe0545042c2ddbcf574dc3d3a4afa22646d55b5c70dbc628398

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dwoy.exe

Filesize
112KB

MD5
5e560a570a1a6db54c406c0f274b10e4

SHA1
2dd4f8de4e5deb52acf9ceabd2ec115b886de0da

SHA256
fa0dfd3afb48f7563e11d88ca42bfe6958cec1ba2d3933aa487eaf15f59bf768

SHA512
c4570794aa0175262c4f7a38b58efc0fbd43208e7c1abf6b379d2bc70005b96a0bff1781273ee058ce526c92d1fce3aaba6aae867011f986b4758e05b31ee37f

Download Submit
C:\Users\Admin\AppData\Local\Temp\EsgG.exe

Filesize
120KB

MD5
2728dfce66946894e3020b83649f66ad

SHA1
2ce8e517ce22a8dc83f542a41605ff6131aaf395

SHA256
caad09b68adfb9a379760758b6c4b2e8f99798d1ff7540e106c926c1893a02d0

SHA512
10f72c000d70d6d1d9d9b17baceb7a1361d474c8e243569105c093ebc2e9e1e0b9c0722741897edbabbe5c47559f5832cf8ee098bb4db93c571303319984b38a

Download Submit
C:\Users\Admin\AppData\Local\Temp\FwkO.exe

Filesize
136KB

MD5
839d5b80973af1b4960e6070eb85a885

SHA1
0f626f038d714ce6dbf36bc7b112a2ae356a9509

SHA256
c53bdc5b6e960b286a35882563a7074d9143696692eab584fafb13cd31581708

SHA512
7373f435671262372c8d0e83e671e320f2d26c8b19eee4413f3123d65bf560cc584c73083008b6b904e664b0fe184ddf1383c290ea87c625ea2a2f8e59acd70b

Download Submit
C:\Users\Admin\AppData\Local\Temp\GIEi.exe

Filesize
109KB

MD5
1398f4b30709e6af40ed3c3bf4bfbf4e

SHA1
5f5511cf4948aa799ae5055aaa336821989a9fe6

SHA256
0d0de630dcf42ece2db8dacd9f73ff48d860f84ac62331e4353c5846f2def21e

SHA512
891dda9e45f045fc5f7e3cac789b0f5553e154c58f9fb47c864e445f5697d0d37bb6b328e6ad20f62689c64965d17073b4b8a99a5d79b750fae7a21e939167f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gwsc.exe

Filesize
348KB

MD5
8e420c735d4ea383fcfc75bd698fe92a

SHA1
b79c6adfd0f0ce89bab0cf48746798b86197b98d

SHA256
44847322582d088f173045e21990a33c26d3bb1bc65a2e78a934c7f6f75280c5

SHA512
d91d832fbd2bbb3bf9c77c078f9e730184c88bf26a777edfb07428bedc2a8ab711d4c5ca8eea7668b62efbe760a2379fa925eddc7d40e0a255b3e8550c51372b

Download Submit
C:\Users\Admin\AppData\Local\Temp\HYIA.exe

Filesize
110KB

MD5
282882724d505fd305aedada9449bb82

SHA1
bc2b8580eb55746ae4410f8282bf605559794f81

SHA256
d31843b4cd8396bedfc2b182fbdf0a9e5657d8c4bdd1e5d4c3f947975574758b

SHA512
b643ad643256a2ef6c436886fb2b5a464f0bbf0c7bb29c2a0e7509e89c4a14b641413f7c9f5fea418ab026f381a00e2fd6da9e1d50132a91a3fbf6abaf194854

Download Submit
C:\Users\Admin\AppData\Local\Temp\IEAK.exe

Filesize
111KB

MD5
cdc9e994a07684d7c2265bed7b79cc9a

SHA1
57a61b5f306080210e24651adb28752ed6a6560b

SHA256
b9f76525c396f4c88227ad02a2c8eec3c3a374037357f160f8fa10f3802dd25f

SHA512
bab076056a24ccaaee508a28abcd4930cef76be32e3246edbf6b5891463c331b35c2f9498a5992d10468936a82f85c26b4aef4195aa006fc91337ff2a4b46682

Download Submit
C:\Users\Admin\AppData\Local\Temp\IMYu.exe

Filesize
112KB

MD5
3c2aa130e2e2690f66316fbc29610bb8

SHA1
69e6233409e5e0242f8c71877aeaf624fe3f2830

SHA256
f72a431b1bc0f46d51cdd3ad924eb4ee653c766b43bbd6142827c7c3afd71683

SHA512
1a3b1a6034e0aeb83f6f1f2db7dd2855a432de21a677a895b4e1c4dc30a261f95da7b4f868e0ffa41dbbd8b0303f137f0531ab0a6c502ec5678c554bb4d8f2ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\IUgs.exe

Filesize
644KB

MD5
3e40bd90a6a4a21e37a4656c4e691856

SHA1
c6d2296448a5a85884b4155364f2b2ecd7fe8906

SHA256
307a8a2afe87b108e66d699b3a6b2f8d26c84d6b6466dd389a0cc8836d125daa

SHA512
537a37d0e781f54f5905402d2510ad809280760e71b3c6a49464cb49848dd2a2514bd6313797fef3494291697efe6ff59e045750ce236eb64318ce24eb5ebe33

Download Submit
C:\Users\Admin\AppData\Local\Temp\IYYi.exe

Filesize
112KB

MD5
2457932f68e4fec6f45ddb728d517adb

SHA1
18ec5a4a7e268fc0c430f48029c3df8a0326a256

SHA256
80122ebc817b3cd0b181302913238862a95e8e3257977784d70ecd8867bb3b6f

SHA512
f6a27e6575e54b3f7ce5ec60b00a0cbd6bec3c81b3e8d687facf114b61927e5cd523474670d700fb3524af639fb272cd85bf10bb987ed7aec30822fb71acd06d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IoMq.exe

Filesize
5.8MB

MD5
770feef4fdebf1cb26497ceb4578f9bb

SHA1
6f49de3dde13473be97ba97ed1f9dba650016560

SHA256
2ee8e5f0cd8def9bb7674f3c248381886698f21c8a34bcb88d76e391f064256a

SHA512
cf4860d50803e235dd625aec7eb89e9591dd566b249f1faafa21b3d90e113899770802fb8df81073bfd249e8ab39a3704490be62d2c2d19f559009022488ec97

Download Submit
C:\Users\Admin\AppData\Local\Temp\IsIc.exe

Filesize
555KB

MD5
8dfce913a3d07ca397e9942670a662e0

SHA1
241a1d505997b82a3270aba6c3b2e299f97827e8

SHA256
6a835bee982d91ed8aa7dda98ae76fbfa337c6792416c07d29d836915679c0a3

SHA512
20fe351a5861d41cf3ac575ee582854403d05271f97d9a58a3183f7852422e8ced81420d8684201b29fb68176b86c0dc1acfa43de9eb19e65c3d415ec503ae43

Download Submit
C:\Users\Admin\AppData\Local\Temp\IsQg.exe

Filesize
111KB

MD5
45c15658f84c8b57b66adc2963829d86

SHA1
6aa3ffea78582c4f02cd1350ff69cc32a92b4c41

SHA256
34254849999ab8df54ae9cd94c9f229d1f18e32f6f8cf6896e123ece577e7864

SHA512
6fc904934d53bc607eac82f38c8c7b67d5f8b57ad2f80db81936e66f4e490c318a9ca5c5e71cfd8e046a7c94b774c5b2951b905c8d9bc30b2660bcb6558516f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\JIgy.exe

Filesize
712KB

MD5
75c416bbe1f6b6b1b2784ece4b207f0f

SHA1
5d43a632104321882f95ca3277d6b72d83ff16cf

SHA256
fef755ad46721166b70049a7ecb67d03134699b7658948c181749b60df11a66a

SHA512
8335e4f0d2db14c88baeaa50becad3f9e6cc19f8022bb8de0efc54d107970b198af14d9300dccf619df8d83ea2868d34e0a0e0f0e82d7e9e929d35ced9e33c39

Download Submit
C:\Users\Admin\AppData\Local\Temp\KAUs.exe

Filesize
113KB

MD5
7c0f855072151094984d2f0b7477614a

SHA1
d65bb3034527d04c47dd0e04e9a66814904b372a

SHA256
5217a380cd98d24146eb814a6c90b87fa64fd3b9f01848c9638e4d2c61299537

SHA512
59c8fe93dcacb982e32e3cc0c96a40bddf63d29cda8879e0b547ae9c6fdf3fc704141e50dc590ae4314686e52ec5155acb484b595f727ff78130b77f954a2957

Download Submit
C:\Users\Admin\AppData\Local\Temp\LMYo.ico

Filesize
4KB

MD5
d07076334c046eb9c4fdf5ec067b2f99

SHA1
5d411403fed6aec47f892c4eaa1bafcde56c4ea9

SHA256
a3bab202df49acbe84fbe663b6403ed3a44f5fc963fd99081e3f769db6cecc86

SHA512
2315de6a3b973fdf0c4b4e88217cc5df6efac0c672525ea96d64abf1e6ea22d7f27a89828863c1546eec999e04c80c4177b440ad0505b218092c40cee0e2f2bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\LUAI.exe

Filesize
237KB

MD5
fc9cbba068f1248536940d2b8c103349

SHA1
f2214db201aaadfbcff60283355f13bd5489ccf8

SHA256
9c315acca1055b705b0e7050e543ec623200251a8df0a0a6313183d8bc9ce29c

SHA512
112254b83d21c5f2b34ad2a2d659bcde03eb05374623a475355a91d16996b567af9f156dcd4563a5d5aad4e7dce0663f456236ad1ab83d3588bf4cccaf8640c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MIEy.exe

Filesize
878KB

MD5
3b2c3af2b074ff2608e786c2af60235e

SHA1
80a9250dbe1d7e7b7de8856840f9cc548f14a929

SHA256
64a04ebb8f52d9581968bf3576e28d2aa70c203274cae88648b68e5275618d19

SHA512
92e8926b40a3bdc8200490ddf1d7cc6837a2503b48579b740a3c463ed0f71a1c069eb9c7b35c2156a4c9c85b3008bf25125e838db7423717cd782ca89b448e50

Download Submit
C:\Users\Admin\AppData\Local\Temp\MgoQ.exe

Filesize
407KB

MD5
911832ae1877f36bae844908fdd9c3b3

SHA1
d1cb71a1ee18473fc4b4c0cc4d99778a1b8f3c0c

SHA256
bd92c102575b5736fad513997e54cafff672f3d4b62874b981dd3e80cc01dfe4

SHA512
7d6aec0ab95365babb1df1682450706a0af526041dc02458a314945defec60c8dc81d191240f1a8ac87d68631b6f81d5f1dc2c8d37d96311e075cedda9627d00

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mkku.exe

Filesize
559KB

MD5
28a25f2162242315b15f51a1fa5eaee5

SHA1
077f1d4d29f55a9f76076e74e6a4d023308ae8f8

SHA256
35f0bcdf1e07664029a6c4a7e3ed0311ef05ae5c36f3158e1780f17d6ca5c6e8

SHA512
f15caa797c5f65951e5252e016a509f7d215032b0351612d6c655695de907c002f15d61c7f836347b3c98adfeb554c9da464722afab33f3e60c80d2fca46a47a

Download Submit
C:\Users\Admin\AppData\Local\Temp\NQoQ.exe

Filesize
1.7MB

MD5
0e6015ebe68d4b7d4d4892b6c50561d3

SHA1
de85ec28579b7c5ac38ab4bcfe843fb43aaf0e30

SHA256
6eef053eb0b3a8f3b240ecd5327ed85dfc16530893814cb7b36be3509033c669

SHA512
84741b5836d911b36f4ab10393fd2a0ff8fc219f733e58ca8c0f3861c61e1bcba28b1d1f7dc070c401d7a46cfae2f20cb7cb9d58eea1cbf612993d10c17f1122

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nwws.exe

Filesize
941KB

MD5
91df340f1638f28a296d99f95a66a7f6

SHA1
e7196b810fa3dd75ca9e0012bfb8bf99bbf74efe

SHA256
cb97847cc5e4f2f9ab5911f40b83354fa655b83e83611553dcfa058ce92ccf2d

SHA512
165a7cede512084f7fbcf069e06abd5acbc3a0d06b611fce7267fc8e0370ee8f81ca5178832196273522f7a129fba1157103350759f003d54a4dae498d8da3cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\OMsA.exe

Filesize
113KB

MD5
4f3c2cbea3a90dea5995cfaff04d10c3

SHA1
4b9204c49e39764813335cf47dc8d42309616797

SHA256
eb2b1b0f890efd14ccd9bf860ea94ae0aea7d0b96534e19837b9157b974ceb35

SHA512
a036edc0fb2d88a0ebb7000e934f01d1c1a2c525a1b57dfc7a38dbdaad62481f8b0c921fbae873df5326cd26565557121297f0d4daaadbd4574c36196a6e186b

Download Submit
C:\Users\Admin\AppData\Local\Temp\OUEo.exe

Filesize
111KB

MD5
ebdb43a34c5148c0dc2522b4534fec0f

SHA1
82dab7add41d35b7a3e0a884173d6acd1d5e73fa

SHA256
f542cf16213d65b0bf18c3e39374002c07ecb0f0f5538ce8c36f523e854d51a1

SHA512
59f35640dd0169d952a30dbe9982dc31328e7dc84ac1d827c841e27a9706767e6deae64471ddf5c748791e26a727f98ff35e67626e69c70d6f6d4d8507e7092a

Download Submit
C:\Users\Admin\AppData\Local\Temp\OYUo.exe

Filesize
154KB

MD5
9c451ab2a6f9d48c998f5f7c429fc7c4

SHA1
607ef6d05724870e026bdbdc0c77959d8fc49226

SHA256
0c2b20045d0eb7869db3e723a40666ba8c71d194ad3275412105ffbeee0ce192

SHA512
6d9c70688d7d35c5527834b3957a7366bb4c990ae731bfd696561e2827d0f219681a21336602283c11b79179de2cef471d051ab4265180a93b7d5ade84e4e1a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\PEAS.exe

Filesize
112KB

MD5
16c80d8dc2734b0e97e1dd7975126b9d

SHA1
d81b2adb7920dd2b2689170fbd80f55e77030244

SHA256
9871df717405567848d16afba9365ddc8c0ee3c4b03c0a9945381c0130d4f425

SHA512
ce1d526eaae317e35d1c52f53816e4ad474a906cdefc9c2d4b732c3748541868db8b97372c6f8806e42da72df927115129fbb156042bd23f3b3149cf415087b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\QEwA.exe

Filesize
137KB

MD5
089afa43fe17529f89885699c7461304

SHA1
a19fd20f21052e14fc5b633f2e8cd814889fb3ae

SHA256
d040e30942b415528662b9c0c0b031bb4fd45f8590b7867ab77fda876046e661

SHA512
4888d356c2f1d5a869a532cb65d86cda6f00adccbf00b8f1098f9ebc1012a2b1f6ec66988d173fe6fe09711691452ac6af6ce38de82e9c09d3ed6dc8a4cbcd76

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qsss.exe

Filesize
743KB

MD5
52ff9d68e0d0c3db7899a22ac44bb99c

SHA1
d96323ec37e7d745a52ab93e2831e6590d96544f

SHA256
3528a9f051acacb3151cddbded6eedeee8b7096c10ae855faa6ec11bb34b74c5

SHA512
b70856a16048cae0c95256015710d78d50704e65ae12f4ba29191baf46622d878c78f89b188296b5cc52c216c52124ba46f58a465e608fb438aa93a7206145ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\QwQo.exe

Filesize
112KB

MD5
b0124d7615c98e278b296794b5a959cb

SHA1
19a0c238af5ef67335a6b27d8826835a504d2539

SHA256
f5e1e0eadf3e8cde66d75da63cabff35f764ce3970e5613f6cd0b85c54d6f19d

SHA512
2bd934ec85e6bf2b371cf6a234304040b5f8b5c5956b6cc208ef7449b2b47c47230ee0521199accb991d5a6fc0929594002bd4671136376e61a45a67f8424bfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\RIws.exe

Filesize
112KB

MD5
75fb7490cb56d4e40377cac97fa4bdb9

SHA1
fbb43d5f37288b41945b4600c8877ac30b74c055

SHA256
baedcf2abb6d1bf891ce6bdd164d4b9fbc2904faf175e771010c5d527d5e5b3a

SHA512
9519964a1506e9a5edf87a0974b597b410779518d8a6c544fb1627b4c56b4fdfb8bf2df4aae92dcb9c46dccc15088c57361a9b584fb9d2b8c14f4b48dac5580c

Download Submit
C:\Users\Admin\AppData\Local\Temp\SUEg.exe

Filesize
697KB

MD5
a878b383818a3926b67be41c320a505d

SHA1
df08ffca3e08bb3969dda85c5f2c21eb4fd07dfb

SHA256
8efddc82f3dc884e2fefd10716dda77afb70902e9bf5acb8e83a238d654309ec

SHA512
a751c3d0038a66267b7c929fd4e825b689acd8efe80c6770bc6b7a2f2d392888e8af7b3370d293488e1263f8e301fd7a627b61d4a99eee2dd457e93b134745c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sgsk.exe

Filesize
557KB

MD5
cae57840a6189c7d12fb44b007b07e3e

SHA1
dc72f1f45ba8b64cecb64ffa2419dc4731204dce

SHA256
8ae1c7d00bfab9c98b33e3a8f725464dbcfcc55472d2b34d28e8616b2053cadf

SHA512
200179ed0bfddb694dea34693960badaa582f93ff02fc309b5e4793e9380880b4b945cb1254bd382e3fe0470cbf8dcad7ece3444170dc1e669e828824d9ded79

Download Submit
C:\Users\Admin\AppData\Local\Temp\TwQk.exe

Filesize
119KB

MD5
01df920a459fca992decf5ded330df43

SHA1
a401ad5dd32a4e0acdb6b300c4dd98bb94547160

SHA256
49cfca7051c18a19db951953ac35b785013b938dbb853f98e6e50f2515b8b4c3

SHA512
20d7a4d87ba72b0732d51781ae21df85f43170c12051bf981e17c31dcf2bb6119fa0963cc7d9cd43204a20f0368c7425dba252a1d60b41f432d653e76c3b7018

Download Submit
C:\Users\Admin\AppData\Local\Temp\UYou.exe

Filesize
722KB

MD5
f8caead7f4100d40a83ad1a21fb8364e

SHA1
0367865e2260216f35f01c2124807fcb5cac95a8

SHA256
b74fad4f5d9453806fcf702f236d2cf467dd92f8b22f86fa0ea838f515d48c52

SHA512
acac0bd739971d2a061828d76352b3af2c4f2c451e7e43636c7f9d5b1be81531c6937ff5baf7b1609539a13ab2b23ba508ee2a115172720c46d04c197ab96c31

Download Submit
C:\Users\Admin\AppData\Local\Temp\UwYk.exe

Filesize
487KB

MD5
e1763de3c2a4cbfc08e4dad0adf6316e

SHA1
f642c4a018d5427808216bcb93fd7237dedbbb0a

SHA256
b642902798b7007d7f2a93da566ef7c18e6fb97aa1a3588b255660f9a2fb528a

SHA512
5d1d2b797d7a4b74e6ad5449927423ad2d16f50aca7e07aaafb001b253f426f8a7e7e02368815e0fed61ba61e48dfdd1c7234c51aa7db719baf6d811857ab80f

Download Submit
C:\Users\Admin\AppData\Local\Temp\VUgm.exe

Filesize
113KB

MD5
4baef6aa5662e5507543cfb3a58b98c7

SHA1
b334fd73aed95d47287db7a00e9a6e5f0837d0d4

SHA256
d063f407261dc2933d6eeec3f3b761ed9476311bdc4213309b9ba189fd6bfa8c

SHA512
291643300aa2d35d91cd011943fc65034074126b82f67e1e42cdc4a2ce187ba5921786fb1d8cba0799d1a44a1b3c3acd13ff0eb6e5686cfda69344b8c5b16c03

Download Submit
C:\Users\Admin\AppData\Local\Temp\VYgk.exe

Filesize
112KB

MD5
c8d9ddd6677c7b45eac5d9abe248dcb4

SHA1
d115566489bc75b29cb5f5fad40c07220bbc304a

SHA256
c1aea34e88db0594353f0d2e8cc2045c13941eb358358054f743376b187fc08f

SHA512
b5f14e31c940ec84d5afd458d057ae99262b124293c0404dbaf1a890b76050d22b8a8afa53584e07e5686a9ef604c067be4b2ae445842d1aad03e792061d06d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Woku.exe

Filesize
115KB

MD5
6d5961379d066e42a4cbca72989ac1e0

SHA1
861011247d121be3cb9ac5594a22bd2d00dea98e

SHA256
b07a31f8358c3372dbce3ccb0134418cc6defdd7a1434b596d87779359dc9f0a

SHA512
9a31af880ae53452a2c9d22564a69ae7526fa4b1959a79a42c42e83816eacd93446d11d47eddce4d1fa10a03bf888b2b8a6bb5e61b05e46b78b7c4ef863a0805

Download Submit
C:\Users\Admin\AppData\Local\Temp\XEsK.exe

Filesize
116KB

MD5
389d5f0a3a8a482864372b4057480932

SHA1
b2376fd35e5f9f6d9c4f06486e920ba5f4385e38

SHA256
cdbdfbc91226d42938879d034c05c65387bb90481ff9961126bc50a11ca6fd0e

SHA512
dc32bd9fd2a82eb0ebbd26592b082cceec5da6e40f33b6855cc3fe3316e353013ea48699995d4e6592ee8c7d4127b7a458ab625297989fcabb99ac562970e933

Download Submit
C:\Users\Admin\AppData\Local\Temp\YUQA.exe

Filesize
109KB

MD5
f1f9d4ab685d11883943f28437c80e20

SHA1
5876448f9f1f6a2082139d46ef4be0cdfa3ec0b4

SHA256
f3d3e10e65d71164fcece294ca0c0396ae8b863d307d07e345d02d4b77e9f1e8

SHA512
5ec250db166da5ed001a475cc37c1b954baba8a42ae8468b927e57242f6c33711d227b08f882678222b44735dce4e1f44c8a595a9badb369ca92afc1dd5e5c95

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zskq.exe

Filesize
720KB

MD5
d197016837d8f83705b8ad8487402113

SHA1
8b21c275fb560063081ad63531623dab275576ae

SHA256
76fe071b27c415454d5bf526ae24a96ae47334328f7f1b99b50b018747ab10b1

SHA512
7c0c9082d1c081da2efb5b29b3e44944ed6693e55e3bc48e0e664770efaa4effa5b94b956b4fa5a9db469361b9bc5aea36bca9a223cd89b672b371121f9b23b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\aAgM.exe

Filesize
112KB

MD5
b7e0e816d2693c39196b712e0c779831

SHA1
dc908ff4b81a59b9128b5882ef3f13aea950f505

SHA256
d58ab7a59f1f6aba87b909fe6f622c5fbff79a03cbe1c62c51db16c8801ead34

SHA512
9603967fd7f6ac73a45189e1df00212e0dca89d4913b2831801250fe16882c3525da029f7e7e1cafa2234af65bfcc619dcbf3695ece8d2f3f0a60ba38eb191cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\ascm.exe

Filesize
121KB

MD5
ebcff3471e3e2f35925b26b65f571004

SHA1
48b5e261f67ad9950388cedb72bf62af4f59f1fe

SHA256
04737cd53401850d8e9584b1e8767dc23819f7ba04c4f424efc94ef0324fdf78

SHA512
ab0b9729826776cbc1c3a2b2cde71702aad4238a67e4485d06506687525515eacf415f66878e59941f2b7a35b0dd2fbca5c2d781aab008dcfe3033cc93da663e

Download Submit
C:\Users\Admin\AppData\Local\Temp\asgw.exe

Filesize
110KB

MD5
229d9798e2e02e797a563aa98f8fcd6a

SHA1
c18670f7ecd26c3007263fb51e6610766bdab295

SHA256
83e9b1072d0be2b14524e9235cb0d279dd106cb3d4fa9ecd39b2bc3a8f9d0791

SHA512
6d6123de80e7432ce0089d71d49400b42ffca0eb070f63e82404259d9ef3ddc390648998c5518b0348ad39d18fc5560076b226ae0baba3d4556e5b38305f9bbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\bIEY.ico

Filesize
4KB

MD5
ace522945d3d0ff3b6d96abef56e1427

SHA1
d71140c9657fd1b0d6e4ab8484b6cfe544616201

SHA256
daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd

SHA512
8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e

Download Submit
C:\Users\Admin\AppData\Local\Temp\bIYY.exe

Filesize
119KB

MD5
a0870164b42a9c7d9594d8887e3fe65f

SHA1
cb27f80436cc2da793d69bd684f53efcf0d46773

SHA256
6140f9d50fa60c2fa07acc62e419a5ba933eebdcecd9dd24e9fa48405713f05f

SHA512
8d5ed2e903fd414ae5f2d24dd8f20f365eb8d3cc961e11215325aa2afc0fc202c82700091d14d982bf6103d412bb4500cc02ec95bf3863d4a16df6a0be5f47ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\bkkS.exe

Filesize
111KB

MD5
16ad88d35a8606e5992ec0ae6ec736c1

SHA1
8e1fbe2ca534f2fbb882cf8764c9585cee2f3786

SHA256
79651554e50a144e6370948e1fb36e03a70fd3e6d1b290de855a508fc64da95a

SHA512
54ba35df17e92e0f59ffd598d15f1b9337ae33cb98e3b094597283340b9c497704bbfcff3320d35352a86c2ebffd36f0e53b5e9a27a27cf23afad9fc80ca32b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\bogm.exe

Filesize
565KB

MD5
22f45a717462425e33ab791d6b3ab7c6

SHA1
399b5861ae4e8b23c79a89f97321f7b87292a2c0

SHA256
771356b417cb4f406cc00e9bcf2cec01ede9501689fe9e1dc76bbc65a40808ab

SHA512
3225248be1df35eeed7dc74d5d62a8166c18b76e8eb9a8778ef5de51555d04d6ca4a54c3a02910b17465899272e9586ebec42492b97a41cdc51700bbee7dd9d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\bsYg.exe

Filesize
115KB

MD5
2120dff9dccbd7d32bd9a165603ba51f

SHA1
c7bc54a8437f638201dd01e12efce89fa332f40c

SHA256
6e5ba10ccf8ed13e91d5fd33cf2386450dcebd19beb1243ce7e12d8852c1a4de

SHA512
6431995b263ff4d9e512aaf50c4555bd4f4831b76161a5d46ef35c894c65589d5524987fd33e54319d1da1971af0742ff37784a46aceb65f8830e0c64ab6ab46

Download Submit
C:\Users\Admin\AppData\Local\Temp\cIQA.exe

Filesize
409KB

MD5
9ccc53f11330dcce615416915306b7a4

SHA1
39b6cecf0a8c16abb327f33e978ea21355ce961f

SHA256
c7796f4b038476ef5a91e15d38da5e3f88e7b640a3ae9e07e8ac7efa26a5c725

SHA512
9bb899a5dee6f2920765724fc8cd181c80c75f5508b65cf033d772dfcb05db8303162dd78c3cea39bbecf71ce6241924d55b50c4699b7f7be586baccd8e67923

Download Submit
C:\Users\Admin\AppData\Local\Temp\dAAC.exe

Filesize
112KB

MD5
3d6e98718afdd30d060eec18f94d9b20

SHA1
ea49e9719592241482c54f3e58424d2112ac5b1c

SHA256
d928ca66a570cc7c4ee77a42d836d549fc9387e657d57b69355d2237bf594da0

SHA512
5e8beec0bcaa7726e3fb572e1f5f3d72afd691a65adbe829a8a30b080f9764660a8d94bf43c3508f2aee096a270b34ba702bcab261ef82ce1f6c17f1f10a18d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\dsEo.exe

Filesize
112KB

MD5
6cd3ee9ba24f1506c40fd3562f582434

SHA1
456497941a409323f55bc97ce871fbe9b407a178

SHA256
b848b5a2767e667a9ebaf99c0b02650ebdead0ea567274e0a2f8211ea699ebc3

SHA512
90abed2f924b7b114f037dfa3ec00626ab246e2f8535fdcf40597267e637111619d3e615b30f5fe1c1b29fe32a5e1b71f6ecbfe2f854d41a73cf9f1b15b1bb1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\eEQc.exe

Filesize
111KB

MD5
98489cd9da578d6f888216aa0a1974bd

SHA1
69f8fa1e553539b820bc8dd29b16ee819b3bfaf0

SHA256
0f189f6a397e9c042653f92ac93eb47e5d1291e0731c996a2fdcfe90aaae6c03

SHA512
cc3fa92a6167a5eb4f1d54aa6cb8384476c7ed0fc0f836a5a04dcd2153b52335c5e2c5695837e8dd38fc6b51742fb6c7e3e37d7823d83305eaef9a813d333e1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\eYUU.exe

Filesize
113KB

MD5
ab21d5618cbaa9003e29a4471f063227

SHA1
34a024f7d045a15babe946bb6bb007a7890d887c

SHA256
2c937b37304b478891f8f66b0e1accfce190c246b5d6ddca81ab002dbce0983b

SHA512
a8f836d4e57e4e19790bc7dbb51279ad45f357bafe93e521d8ce5ecb85313e977e9fae6aff747ad148e216afbe90d8b2b3ba4b9bc7545c54e3779f4f5586ff40

Download Submit
C:\Users\Admin\AppData\Local\Temp\ewkI.exe

Filesize
120KB

MD5
db8330bdcfddd5ef8eb222dec3101d13

SHA1
4f4f90dc26987993dd66e2906fa57bec4805c49a

SHA256
936d076332545d5f2caffb9338d2b337474a1071d276a1ee99a61bda3d4e8f0a

SHA512
62d0b489e584d0da13a12630afc5c726f92c181ba5c738f0babc39474add75064c694272b1b280b1fcdaef21df1dad770983b3755f9c2448e57e3ee04ecc1984

Download Submit
C:\Users\Admin\AppData\Local\Temp\fAsg.exe

Filesize
136KB

MD5
aac5d1709b157d6f7b17eddbb69b4694

SHA1
e9a53d6a3c23fecd43a8620ae0335662556a80ed

SHA256
ff5aee9848afd9344625d8f893a764844acee4f4a2bc203e23a737aab505f136

SHA512
1fcd6fd5c29ae559eaa7597fbd296d7056874d64f332d0f177f8461842cce9c0ca471dbddd75546e4b58200c4905bec390c8061329d4e5ea50584237d490d5ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\fcwi.exe

Filesize
110KB

MD5
a91531da9296bc6396e1b95c3db7205c

SHA1
0c8b66fc0591329678884d5087ee58a8b5de8547

SHA256
5fa83b3e3a9b21536d0d70e40d8432b389f52d1e4dca462015e3793258d1ba6e

SHA512
53e754c94427cf26b926307d5f45086cb865342b9537d59b27b1645c7c2be1b6dea85255c04175c9e7bae6f9b03140d5bbc32d3a670fbcd565bef3918c93090e

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\fkcY.exe

Filesize
236KB

MD5
179f6b843f25c554e5443070cd27c171

SHA1
500e9261725433e73dce92d39755ffede579dd69

SHA256
21d58ec047d40e31356b623884fea0a90b3eb872952b5be6c4b67c1af1b7593b

SHA512
c0dbe54c17294fdcfe16651b2cd7a531aca86d2fc3af348887b83a5e24adff23de8e8b6291991d712d89637f5ef894df858e132e080f98967883e13ac049dd6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\gIYs.exe

Filesize
523KB

MD5
35ed646549fe733c151664710714c555

SHA1
c64cfae7b4c8d506477d364fda140dbdebe3aa34

SHA256
de2ee5d6e87a8f7bb65f3e71284c0dc1c81413c37fc63de9fc466b952cdd8d1d

SHA512
b1e2e3ee6f727aba3445de0f806e0d8f982057542876a1475f444082b33a2650fbe487ec5a6c44b997a89c8daf8b3d13c1f92ddc9892683f7976ac0de9b28add

Download Submit
C:\Users\Admin\AppData\Local\Temp\ggwy.exe

Filesize
111KB

MD5
f2643163a1974d9cf6f527313813fea8

SHA1
b8efab4255fde9ec86d9c0e9fcc048025d428833

SHA256
070e852b5a4c9eaeebacd477c34e498d17feb977d63523a983e14dc7e82a8e61

SHA512
ca65023fae36a5299deeb2663ef203b74b44db48ec3c51a9d8605b4f7884d5d4ee4fbc2bc2a3e824e2e0f3b782a8a7c21601d2a873964a25593ef0591ecad954

Download Submit
C:\Users\Admin\AppData\Local\Temp\iYYg.exe

Filesize
110KB

MD5
c789eb3269255f2c30ac5e36b83c8414

SHA1
386777a8cfd32b33702dbe0b1323a703bb7f05ac

SHA256
f3fad4b44ab40e3d726e4867d9c27a98275f6b3e745427d2e23cee7b791f6f0c

SHA512
418ca7097f9541b05b7ff63b2af2207bfa3aa952d9b79e8cc4d98e0397e86d3a51908231c5b6498061722185841c5287dfcfd45217a574a7aef93f5b1bbe4ba7

Download Submit
C:\Users\Admin\AppData\Local\Temp\iYke.exe

Filesize
698KB

MD5
c6f6634886739dc0cf46a7451e7be56e

SHA1
761fb58033579fc5c79e41edeebcb92756f8b97f

SHA256
5f9c33274c57eef44d99c811c9ed99830b8abcb889836f65b2912cca1c8ff068

SHA512
0801e6077bc6440766620c81bcc282272fb99707faa03d4f0be713f2206691611258b6db876c9f427b09c8106aff2d82428cbae123d4bd92e798d354ad6eb890

Download Submit
C:\Users\Admin\AppData\Local\Temp\iwMK.exe

Filesize
117KB

MD5
4e08e46c251a7f2b714a5a15334a7aa7

SHA1
e251cdefb96232d8743c5407690c3d80e251d5b4

SHA256
0ed9320d4cbd9f2976f4c97f73f4fdc07bd8958b4bd6333596a2bf565585c185

SHA512
d6c8e5cc7f4fd9ba11fe138fc82d5c7cb25218d6ed5a795b77b5fcdd9e49eed55367f781f018fb4f507397776a3a1692db2cdf6a8c572066499daa53b707d22e

Download Submit
C:\Users\Admin\AppData\Local\Temp\kIUk.exe

Filesize
155KB

MD5
b16ebac766bc889d32dca22ec0b4f200

SHA1
bcde59fdcb93588a7bb97d60a464f949204d5c5e

SHA256
9ce2231edbd1ea7a64f5b5b4bf51a2004bbdf9723ff4a7b3b2fa99fa85b9786b

SHA512
757f841418b675a5f072ee7bef97e2271fe63bccac3a5c6882558a8373deceab51b1bdbb7f34934f6df637a43e1582bf3bb4c0d60b06f5a1b0c62ee40ae39312

Download Submit
C:\Users\Admin\AppData\Local\Temp\kggg.exe

Filesize
111KB

MD5
37678bd742d0a3856d650485510d181f

SHA1
29debef00034b04b13826c087f19c4ea9e8439cd

SHA256
e3ab2ef38fcca4ff69040586008e0444fb8a5e85508ca3c7287ac2dcab08db3d

SHA512
bc032f6ec9440c256afe22b3e7c119db15d5c6ff04f13a8266a132ea88b4a5f47f8af10f09619c56984b3d639fa3d984be02a169cc77205b8541333b80ed4cbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\lEge.exe

Filesize
112KB

MD5
d98abc95cfc6ef7a7ce650f2f0b4da64

SHA1
ee61b2da64e0b032c5ea391061ee93ac733baf0f

SHA256
f331f572f06109cdd217d6ba326b1b66c2761a4187c6bca7b147bca0ff0b1149

SHA512
4c53a4e19d534c9ef9abadfe58369e7404869c5f26c223026164d7f1077e9a43512b5cce130cd550e233aa8b338ca355da995e122caff94b61c19cd13635127b

Download Submit
C:\Users\Admin\AppData\Local\Temp\mkAc.exe

Filesize
566KB

MD5
cf09fb5972be23bd919aae2db141e64a

SHA1
3291b5a9ed376f12642b9e8c216d728ef2c7ebf3

SHA256
b9c89eac3345d55cc0faa78af1f2fd6daee8778eb4ea0e286feabd63a562100c

SHA512
398187c97d4a357633b221b6aa03cad0fe8af712dbcdb19f7ef0491abffd3e2a99f83348a8f5a9e3bab17f084532b2b7cc0a6790457f1060104832d4c96e0a33

Download Submit
C:\Users\Admin\AppData\Local\Temp\nEII.exe

Filesize
720KB

MD5
5a96513d59ce244999bbcc422d3149bf

SHA1
964970fc4d9aed96e07f0a51dc5e47aaaff9f780

SHA256
437829cd3d3f480ecc1776078279826e743980ff695fd1f82b05419ea935a585

SHA512
2e3e181a370cd6a84cf503b662029aebb732c22b41c599d2f39a90e2486ec7669f04935a1c9013bd96b9d00c45a9207b780303494e9177326908be92532c51c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nMIi.exe

Filesize
111KB

MD5
5dc9b3e12c9ae9d72f80e9f5b5c4d88d

SHA1
6ce072ab587543c11c3c61f601ccbd8f3591d5a3

SHA256
fedbabdbc04d0baefc59413434b57a92a7dc1dda2d9198c1125b29bc03e68fc2

SHA512
2ddeb8daf46c6f1ad9e519c0642cc3b449a783d36aa4306a30b57e41e9625ae997edde93f8b79708863be007b76396e18fe02998cc621911698d3c89517c41d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\oEow.exe

Filesize
112KB

MD5
00600a215f20abdb07d13d0909ae05d4

SHA1
d8801a298fb38fd7d5308386a5bd250c8a6eccaf

SHA256
c1827fac05a35e7893950d45c05b7aaef5814912a3105b6d1d53e1a6dd8ae7f1

SHA512
fcd1deb9085a7a58d142befee611957a95c22c9284188801846d99e0011ab8475b52d35407c97a3f50de3f12b819dec0943542b5974c59436bdf6cfff68f30be

Download Submit
C:\Users\Admin\AppData\Local\Temp\okEk.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\ooMs.exe

Filesize
118KB

MD5
1586574689e63b55757ee42879345f17

SHA1
7d0d6b536edca7e8b0e7d831038d087df1096f34

SHA256
e986a9eee378a775934f18808369a9b04a9d143abb86c7663dddfb6527b1f658

SHA512
0578c4b742b27d43346db729f687b2fa2b78861c4be041bd5d28f187fc9c5727799755e6c7f1ac6c5eb361454b0d4adbde231dac24f510124426b2dc55a89f57

Download Submit
C:\Users\Admin\AppData\Local\Temp\pMss.exe

Filesize
115KB

MD5
5eea079f43e2be18d979019e7e65ff2b

SHA1
2667d7c4e76a83e1b5f8e8d52c342e08e18b5006

SHA256
da3c9782ad356bcc052804da41846780523ae9f4974d4ccd45c7a48355579c47

SHA512
e1e322e689d87e093283d415d5fd50af803f05e7e9744625db72ea3942de96b9dbc20204ed62a7cc59e93e671bc51f994849d3c064f56ac7e231f5baf7648294

Download Submit
C:\Users\Admin\AppData\Local\Temp\pQoC.exe

Filesize
566KB

MD5
3647a459a105538c8cc2b1e42bd7e0f3

SHA1
c83c4b047128070e59409f529953a88dc8b22c12

SHA256
72247fa11bae9e05d54f84ef93c6a6843f5d7564a3fcee34bd179b2729357b10

SHA512
2e33ab212e5bc93127c50163d506f05f017d681da45e5f39b79e94005884e4420ef9e267ff5ef18ec26dcfa81e8055ad8673a6f5c74f48ff808dc990c838c79a

Download Submit
C:\Users\Admin\AppData\Local\Temp\pQwG.exe

Filesize
115KB

MD5
72c704418988b902f3f4a6f9f8e11131

SHA1
3dbf09b82e94c4c7f7582a4bd7ed8f34ba01b7ff

SHA256
bd4f926bd048aa968fb2fda49884389d1dfa64e4027854bab2cd127f58a78194

SHA512
2fb45e7f0d6b13fa8a9179bccc8ea9a0c73b213422efbeab567b7268eea81af82d6672b33c019d4503705dd1f3213706796bf3cc689b95090fb911543db72a23

Download Submit
C:\Users\Admin\AppData\Local\Temp\pUsg.exe

Filesize
5.8MB

MD5
3a832d1501f12e660cbd2f6662ce06ce

SHA1
ffc56214f9cdd7ef9455b7badd7b6274348ebb24

SHA256
5cd06d8a65caa95f9d94fbde7dff5f57cbe3653dff1bbc8b10561bfbb40c3429

SHA512
fcd1ad296e2c4f87e6e3b50a9e4120dac9dde7d3017989e08dd0eee90f0a48c947dc20fef4e7f4bf5ed458e7e16be784b73f6737972c976a2369db2b3088f3e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\poIw.ico

Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\qogW.exe

Filesize
236KB

MD5
0a4097473232dc9c8f00616b05477375

SHA1
cf4862345701ba5e3f1f1612ae72896f3b528ed2

SHA256
5d5ed2a6ef88fd73d1dd2db2095f0787497ed375eda46ace8c2283cf49671fe7

SHA512
d7d46d58bd7c4f8bf7b045af1b1bf15cf21939412d892b63e42f4669f74a122da7fca0c562797b49461673f423e8b6a979215d891c5990465be64b8154f8cb97

Download Submit
C:\Users\Admin\AppData\Local\Temp\rIQS.exe

Filesize
111KB

MD5
967d1ba4649c829a5ed3f74ea86ee42f

SHA1
27e713e7199cc55a4268b81319d06c26cce53d4a

SHA256
de175b40adf6cd361b95d6e488f541c6d537ab19e3764cf4e0be9cff72b61a10

SHA512
05d7e6b8eae2c788251c4332ddb6ee50dc3d260cc0b87f117b98bcfc8b5b19842c8c2c9852b15b70876ecde2aba8b0e7086d9540820a8eecd8813df9d07d7944

Download Submit
C:\Users\Admin\AppData\Local\Temp\rQIM.exe

Filesize
741KB

MD5
b4fcb42f6d2ae1d6aacf8c9b0eb6237c

SHA1
e4c943af88e48df28bd170a99a29f5752af77782

SHA256
875ffad893df6555a3c0482c4818ba9eb99d1224e2cbe72ebdc707de13d9687c

SHA512
243b3f9b51dbe0181d4287e5d653ce0235c461df32423992c138877b0d3c8b5a18674e4dc9b48c0544d3b536c14827351261554176a6cdbf2ae4364aa922aa32

Download Submit
C:\Users\Admin\AppData\Local\Temp\sIYq.exe

Filesize
661KB

MD5
5d06a1c2291aecb188a5be41f65640fa

SHA1
c9bacc32b990291148b70c88779be630300e24f3

SHA256
44e1c5df59fcbedf2bc4129e1f3cd03ecca286c37cc3b0423c0822f635e381c7

SHA512
bcafd78b0e1d36b5ab4f6a0fc317deb8bdc45d5fc62c879020308678d27f44460793e4c08d5f9b721acaf5024dcc55511d454a0fff1b9ba2a97abc69ea4234e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ssES.exe

Filesize
421KB

MD5
cf9f6855d3aac4927a45640f7e7b4faa

SHA1
a618a6b15cfc33c147a0dde48941ae60ded6403e

SHA256
e0753f599be52ebda4a9668459bab1ab0030fbdf1540dc1e4b29dba4510fe876

SHA512
3fc3edf2d13bb76e58944e98050b840f9668a308f04789fe0bda82d087dbb4f23c229220d91a63fa0e377c0cb87844e3b1ba52cf2fd389678039582eedd8d2d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\swYW.exe

Filesize
237KB

MD5
404b15f8b22d3b7e0c9a0a72ec84b7a8

SHA1
e79c666d4719bc7f1221567d73cab4f8b95fb180

SHA256
b956c964b386ee316e91a2bbfbb5881ce8a2bfaf2021d93f02ed4c1e19e9963b

SHA512
136d7a9054290337838a4b6118b89432dc5fc2834b2bd2b2b1aa75f9fe3af4da46934a34870511f46ad9bcb19f5bc0eeaddc6cc283ae97cbf4951fac8f4318f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\uMUQ.ico

Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\AppData\Local\Temp\ugkW.exe

Filesize
112KB

MD5
e23254e01716b86e4b21aac47a3f28d0

SHA1
735cd4944d1455e59fdbb0d1ae6978441beaca39

SHA256
6d9068593d19ffa117e4d13ea1a1499b135612b194d861eaa8fb4a0cb60217c0

SHA512
2458a3c6800e4b47a05a2cd2cd32b643219e3e52accd94bf81a5e127baf2b8262ce41dcd865de6ac17eb6978fff6ee0537fb7eacacb1d33bcec1d098c57e9629

Download Submit
C:\Users\Admin\AppData\Local\Temp\vAAG.exe

Filesize
124KB

MD5
519b621094434814273dd6530b99e0a9

SHA1
298f67c52867eb989412bef2ae2bffa068e52287

SHA256
888913ff3af2c8958e296eede1e313191c7407c87b73e6ff75939f49685963e9

SHA512
1ff289e6f3cbf992ad35fd19fbd9e552f32464bc6accb08937aaec6014e7ece59008713e87643c246ceee95633a57df2685a68acd51fed0be519c83be1616af8

Download Submit
C:\Users\Admin\AppData\Local\Temp\vIYG.exe

Filesize
138KB

MD5
8d5f0a111857d172ff1f67d9feb9efbe

SHA1
a20135f7c62ebb32b80badc521a7a51dfddfc5a6

SHA256
fbffcfdc97198e8a2aca2990dcf426eba96188f125228e6d356f08788023c058

SHA512
701e77fccb3d6e9a3b91efcb05e2fe9be0eaf9e71c81e14208113131c44676973f60a21bc56294db6619fa8e9576445976fb51e7df778105c991ec4618433d06

Download Submit
C:\Users\Admin\AppData\Local\Temp\vkIq.exe

Filesize
119KB

MD5
f7c98077c9f4ebb102dd53a5f2e1c28f

SHA1
080467c2887d35d80a936f1046c07e814c6fd3d4

SHA256
87e6ff5284b757c44a82f949fd411ecccd9adfe07cb92fd81999f75b1623197c

SHA512
ec259fad38ce437cf6bdbf16f8997dc4a5a3d0d4f89e04cf2d447475d24fcf29a67ce369d1311c82c1ef46c718fe455eb0bb0f20f97f5c39f42aab1a52887f6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\vwsE.exe

Filesize
114KB

MD5
5c2ee2c3609340344e1c2119e674332d

SHA1
002bfce19f2be42d7c5947923164de5787834a2d

SHA256
3dd00f32dbf18a1ae67ca1bed84e4d31a93749c522c54344ee9f316e24303999

SHA512
ec1059e415756491c3f46678d2bde02075f855d509edf694448a92d125bda961a63eeb1a1030a87f51010f8c0d8f6168d6c825b4d1aa58120854462a0cdcd3c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\wYgy.exe

Filesize
111KB

MD5
ea7b660c4a957234f28ed98b12bbeb9b

SHA1
5371ce66a97f318d463fd83e273834b33032220e

SHA256
d5ebf8e8a77950daea33359b591f999bf1d61a2f4477540260f10a777e02676c

SHA512
580f7c45d5e9d1a65aa813dcd3d5c71120ad407243451fff9ae91224ce2e3b54d56fd26081823193bb5f74bb3ad0a46d0ee2ce2f04a273c5cf2c1402040891aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\wYsu.exe

Filesize
112KB

MD5
ff0e8a8b1f1d3a22aca7909ab8383241

SHA1
d1cedd9645478209a9a38ae6f980c1fabc75d042

SHA256
57f1349de03ec51ad6453b80fe0b32166eadaf0b8799092bc02f8fdfd56c9612

SHA512
1ac43a0bdac7c93e64660a65d72cf37661d1d4404739dbb71518e7701c402dff571e42f340d50708be92149d5a002ef87ad71e02624359b63898defc30c29837

Download Submit
C:\Users\Admin\AppData\Local\Temp\xmgsIEAs.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\xoAW.exe

Filesize
596KB

MD5
f2f90b62144ed7bac39f6b55ea625592

SHA1
c9ca5fc2e9ffbd29b4ee61a52f603ac7c971431f

SHA256
ee86af5084eaeff4d7fa4e54d0661cc7e82538f6c12ca7b36af9066218fcf0e6

SHA512
5e766aaa0579f89d5c7fee715da1e6e3b1636d852cb64583fa1b3db209478007cdf7a78cd570a26727dd8bc65bab71c12c077fcd5f600976143f44e2cf2a0c83

Download Submit
C:\Users\Admin\AppData\Local\Temp\xwEo.exe

Filesize
113KB

MD5
0b8c8ac577a70427c053bbd1f345dfd5

SHA1
d8337cdab5d535192e6bf1f718977af511592f45

SHA256
c22510049e06757da3552406279910cd0a1cf2ffd46a9e0ba28b750cfca0900b

SHA512
4296daf84f8f8753ad0c985ab9192fb979ffa3aa15baf667520cb2a1ef8e906f04096bed3f208ad87631dc220aa21e9591fc534520d893ddc307dad8eb0b047a

Download Submit
C:\Users\Admin\AppData\Local\Temp\yMkG.exe

Filesize
119KB

MD5
e438e10950c65030473867b95064baf3

SHA1
acc6a0f40533bda4ccc3896eae9f53b8c9658601

SHA256
9da492fd0715b9003ef8966f3cedbda2c4f8d7662708f3c4c502b8295d144fe9

SHA512
e08125fc1078e62cf62ff45bb4de36761fa0886ccfe248a5ed99a880416aae94c6619e9fb744698f0b6dd8981ce8833efc1380a67c141be9a275bee321389195

Download Submit
C:\Users\Admin\AppData\Local\Temp\yQMg.exe

Filesize
521KB

MD5
ac4e563d644ee8d8efc64008ed2cdfa9

SHA1
ccf26756a75c24f7653d4c8b34485800ddfb91af

SHA256
80e5a9d30f7c3325f39fd35e5d011e440719bd54f2d41e5fc5b03f33c4e471aa

SHA512
8fc1e1a1d2fce7490be532a727fd466a6bc20927225203485d91938f723ce8b6ab9a3675336d385d734c3f4445e33f0dcd2ff4cc9d2341006b4db42923860334

Download Submit
C:\Users\Admin\AppData\Local\Temp\yksm.exe

Filesize
120KB

MD5
4ca1fa683528e4c979095280d0bd0a48

SHA1
4725dbca2915363b29f82243d190643e9ecb658c

SHA256
e2557d1fd02fca7bf8b46a31f5ba25bc5a9cc01f125546ea45fcc98b2c9a90a8

SHA512
1f6c74fe8a166cee387d3f0620ee6fca269619f9bbd4be54e901a97d938f82f4a0399ef6ae58e66b716dd2db05bb5369b000fcedebe4c8e98f71937be8a08777

Download Submit
C:\Users\Admin\AppData\Local\Temp\zAsM.exe

Filesize
5.8MB

MD5
3515c2718b10d3bb8c23429e24089341

SHA1
0efab63b65fca6d3e66949d05a235f0a1286fd5a

SHA256
f4219ff917c25e611ef117173fdeec54dcd95ee1f431bfa5cefce035d01adeb7

SHA512
c1c682045c3b7732392bb6e3e7f997df7871a50f462cc431196a3c7e67b8f047976f6026fce31474bc3b6b686d54bd4eeca5b0458d98a9261b63011ac646cdf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\zEII.exe

Filesize
111KB

MD5
1c8c573743967834600e0547ee097cc9

SHA1
5484672fc4085f30dabd895830f935bfc61471cb

SHA256
c469ea239e02853c462a7bfa0e03f0332c2584ca4b2d05d4e2d783fd35641c43

SHA512
d46c2fe9082d48fe0503e0729f3b2ef2ece19839607590b2287c82e02d91b09406f9536064fb699f224ce8109ca4b70045350aecb68fe5a38095d311fdf4b8f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\zgEg.exe

Filesize
112KB

MD5
e19b34d4b907605a49b6b808dc9cb12e

SHA1
3f4d177bc505028bbe41e9b128f1b564b69041cc

SHA256
bd7c788a974e8370af5dd8b875b30e888270207d1b83229faf9a3c350df40aa7

SHA512
9a23f9d1ef9debc2b9e023c2ce2865e48a6d39d7e1d057858b34757835f3640bf6b73cc28934e4f1091093e047b2e5806e4a22c95a33ac239e6121433c583002

Download Submit
C:\Users\Admin\AppData\Local\Temp\zkII.exe

Filesize
114KB

MD5
8e7c067d3f6b5dfcfd015ca415ffcb45

SHA1
dab11abfa63beccfb02d448487bef5ea94ce4a59

SHA256
c701fb4574f71feae9d374a69d647513ead75abd52f80d75814b8ee3433a8309

SHA512
caf702471603bc573835d788885f9a97ed20fa98331b0661f2da03f0f04e5d3d36f69f2720a7e2ae43f858dab0b75fa36022613af774dce80f4ea81c85303e1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\zkQA.exe

Filesize
5.8MB

MD5
23e27d31e6e2e5fd65b4391eb4005c18

SHA1
603e3c80603c67ab46d9fe7e2273d05b8c8212ae

SHA256
238dc042b83bcb781f19cf95909c9f87ff9d7041f02f5325dae5d8e9d2ec6404

SHA512
ec17cb2f4e09f6fc9be87069f47f85e48ae7b4938a63299b2fb758ae04fe73aac7eaa18fbaf2a1669478139b8ebf383497e6df0dbb6d88eb4e97345b0041ccd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\zoAw.exe

Filesize
113KB

MD5
b5361da8fb2d80766d37fc56b708c25d

SHA1
7f62667180018879a477fd82eb55094687c992b8

SHA256
66540557ef864f693dedcd20f554a87bc699c9b6cbe16208484772bc89f38194

SHA512
f6a12726d202ce62673c4290c8986bc0124599eebae18b6129548a47eee46c74e82234b145b7a8425b8ad56b35bed8481d7225cd8be347dfc796f9fd412b14bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\zsos.exe

Filesize
110KB

MD5
ae109f9e9673f2e0d3ee68976f605737

SHA1
06af9b317d7fe3bf640bf92d18801673d2be2164

SHA256
bff73f9c710b9bf973cc165f203036ab78b69f36a40f3764279d3c85bf16d11d

SHA512
fd17aecd02fa9704ece1ac1c9ab58468320f13e2e1a301e7a2044ec63be780e7c7864695887de68af0e687cadecf1c0c12595c1c9502eb6d653c5ce1afe851a4

Download Submit
C:\Users\Admin\hOwUUEoE\qaIEcgEE.exe

Filesize
109KB

MD5
440fcf8f93d48041d5b21d750d833a2b

SHA1
c1e7907013b461c589205875e9043d613bdb0cb5

SHA256
241f44e89722784f28eddd21635082ec1ab83da7366129d58ad83dd9bc2a9f6c

SHA512
640b02d6f146563ae542cddb06e17b4349639a8cc3a6b10c523d0d99495b7fc9751e22af1549349572ba708f2e5471e880df18fa06b5380238b9d6313bb2003a

Download Submit
memory/32-310-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/412-404-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/412-411-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/532-1702-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/640-1139-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/872-402-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1128-1253-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1152-198-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1152-475-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1172-327-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1172-294-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1200-1853-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1248-1419-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1248-1483-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1280-64-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1280-75-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1280-1908-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1280-210-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1280-199-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1388-302-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1512-5-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1612-428-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1764-30-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1824-937-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1824-988-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1856-252-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2100-436-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2216-132-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2216-143-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2404-233-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2420-1932-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2440-575-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2556-221-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2616-244-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2616-232-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2656-260-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2656-269-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2756-271-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2756-278-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2952-1725-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2952-1698-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2992-352-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3144-1317-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3156-52-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3188-41-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3216-511-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3260-1038-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3260-780-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3344-831-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3392-1354-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3392-1318-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3492-360-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3516-86-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3580-379-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3580-386-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3716-1561-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3816-1624-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4032-286-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4040-14-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/4084-319-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4084-311-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4092-261-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4328-1404-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4344-938-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4344-860-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4360-328-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4360-336-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4360-452-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4380-377-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4396-625-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4444-344-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4540-165-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4552-1951-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4588-97-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4596-1203-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4708-1039-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4708-1075-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4752-176-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4776-413-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4776-420-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4820-63-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4832-444-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4832-1721-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4832-1790-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4836-361-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4836-131-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4836-369-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4904-108-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4908-690-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4912-0-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4912-19-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4924-187-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/5012-109-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/5012-120-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/5048-394-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/5108-154-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download