38f8ab30ad8b455fb43a8ac3f067270df8a694aa25a1a3f1fe1b25e0175ac99a

Analysis

max time kernel
150s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20/11/2024, 13:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
Size

110KB
MD5

92f7d5f7ac3f057a1327549922c438b5
SHA1

7121142f80d0abfccf9a99f6d3e4fa071a760075
SHA256

38f8ab30ad8b455fb43a8ac3f067270df8a694aa25a1a3f1fe1b25e0175ac99a
SHA512

05bd1c7241a0594cb069ea63bac206c181516b5efbd137cc1f7101521fc6ec8989997993edd2ad97ecacc654e6cf2406b872ce0f459b5bf147e535b4da91186e
SSDEEP

3072:4yn7YTtqpeACe2whxxQHmOVM8kfebUb/7BXmMP:4OYTtqJCBIxQHmOVwfeS7BW4

Score

10^/10

discovery evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (85) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	PSAgQEIY.exe

Executes dropped EXE 2 IoCs

pid	Process
2620	PSAgQEIY.exe
4756	MAwgMwgs.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PSAgQEIY.exe = "C:\\Users\\Admin\\OMQggIQw\\PSAgQEIY.exe"	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MAwgMwgs.exe = "C:\\ProgramData\\YAsUosYg\\MAwgMwgs.exe"	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PSAgQEIY.exe = "C:\\Users\\Admin\\OMQggIQw\\PSAgQEIY.exe"	PSAgQEIY.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MAwgMwgs.exe = "C:\\ProgramData\\YAsUosYg\\MAwgMwgs.exe"	MAwgMwgs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
1840	reg.exe
2692	reg.exe
4872	reg.exe
2340	reg.exe
1420	reg.exe
2872	reg.exe
1504	reg.exe
4724	reg.exe
3056	reg.exe
2972	reg.exe
4832	reg.exe
1592	reg.exe
2072	reg.exe
1508	reg.exe
3752	reg.exe
416	reg.exe
4796	reg.exe
3820	reg.exe
1480	reg.exe
632	reg.exe
2964	reg.exe
4052	reg.exe
3992	reg.exe
4368	reg.exe
4584	reg.exe
4592	reg.exe
400	reg.exe
1700	reg.exe
4316	reg.exe
1508	reg.exe
4424	reg.exe
3604	reg.exe
2480	reg.exe
464	reg.exe
1592	reg.exe
3620	reg.exe
3056	reg.exe
2396	reg.exe
1420	reg.exe
464	reg.exe
4744	reg.exe
4740	reg.exe
5072	reg.exe
2460	reg.exe
60	reg.exe
2148	reg.exe
2448	reg.exe
1064	reg.exe
3460	reg.exe
4508	reg.exe
1516	reg.exe
5004	reg.exe
4892	reg.exe
2568	reg.exe
4960	reg.exe
2328	reg.exe
1600	reg.exe
460	reg.exe
1864	reg.exe
2884	reg.exe
3480	reg.exe
64	reg.exe
3716	reg.exe
3428	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5004	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
5004	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
5004	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
5004	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
4052	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
4052	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
4052	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
4052	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
4544	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
4544	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
4544	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
4544	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
216	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
216	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
216	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
216	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
1104	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
1104	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
1104	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
1104	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
4228	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
4228	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
4228	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
4228	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
2716	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
2716	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
2716	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
2716	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
4576	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
4576	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
4576	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
4576	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
5072	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
5072	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
5072	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
5072	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
1664	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
1664	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
1664	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
1664	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
3428	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
3428	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
3428	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
3428	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
324	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
324	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
324	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
324	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
4436	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
4436	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
4436	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
4436	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
2420	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
2420	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
2420	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
2420	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
3772	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
3772	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
3772	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
3772	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
4112	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
4112	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
4112	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
4112	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2620	PSAgQEIY.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2620	PSAgQEIY.exe
2620	PSAgQEIY.exe
2620	PSAgQEIY.exe
2620	PSAgQEIY.exe
2620	PSAgQEIY.exe
2620	PSAgQEIY.exe
2620	PSAgQEIY.exe
2620	PSAgQEIY.exe
2620	PSAgQEIY.exe
2620	PSAgQEIY.exe
2620	PSAgQEIY.exe
2620	PSAgQEIY.exe
2620	PSAgQEIY.exe
2620	PSAgQEIY.exe
2620	PSAgQEIY.exe
2620	PSAgQEIY.exe
2620	PSAgQEIY.exe
2620	PSAgQEIY.exe
2620	PSAgQEIY.exe
2620	PSAgQEIY.exe
2620	PSAgQEIY.exe
2620	PSAgQEIY.exe
2620	PSAgQEIY.exe
2620	PSAgQEIY.exe
2620	PSAgQEIY.exe
2620	PSAgQEIY.exe
2620	PSAgQEIY.exe
2620	PSAgQEIY.exe
2620	PSAgQEIY.exe
2620	PSAgQEIY.exe
2620	PSAgQEIY.exe
2620	PSAgQEIY.exe
2620	PSAgQEIY.exe
2620	PSAgQEIY.exe
2620	PSAgQEIY.exe
2620	PSAgQEIY.exe
2620	PSAgQEIY.exe
2620	PSAgQEIY.exe
2620	PSAgQEIY.exe
2620	PSAgQEIY.exe
2620	PSAgQEIY.exe
2620	PSAgQEIY.exe
2620	PSAgQEIY.exe
2620	PSAgQEIY.exe
2620	PSAgQEIY.exe
2620	PSAgQEIY.exe
2620	PSAgQEIY.exe
2620	PSAgQEIY.exe
2620	PSAgQEIY.exe
2620	PSAgQEIY.exe
2620	PSAgQEIY.exe
2620	PSAgQEIY.exe
2620	PSAgQEIY.exe
2620	PSAgQEIY.exe
2620	PSAgQEIY.exe
2620	PSAgQEIY.exe
2620	PSAgQEIY.exe
2620	PSAgQEIY.exe
2620	PSAgQEIY.exe
2620	PSAgQEIY.exe
2620	PSAgQEIY.exe
2620	PSAgQEIY.exe
2620	PSAgQEIY.exe
2620	PSAgQEIY.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5004 wrote to memory of 2620	5004	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe	83
PID 5004 wrote to memory of 2620	5004	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe	83
PID 5004 wrote to memory of 2620	5004	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe	83
PID 5004 wrote to memory of 4756	5004	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe	84
PID 5004 wrote to memory of 4756	5004	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe	84
PID 5004 wrote to memory of 4756	5004	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe	84
PID 5004 wrote to memory of 1504	5004	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe	85
PID 5004 wrote to memory of 1504	5004	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe	85
PID 5004 wrote to memory of 1504	5004	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe	85
PID 5004 wrote to memory of 3716	5004	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe	87
PID 5004 wrote to memory of 3716	5004	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe	87
PID 5004 wrote to memory of 3716	5004	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe	87
PID 5004 wrote to memory of 2448	5004	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe	88
PID 5004 wrote to memory of 2448	5004	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe	88
PID 5004 wrote to memory of 2448	5004	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe	88
PID 5004 wrote to memory of 3892	5004	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe	89
PID 5004 wrote to memory of 3892	5004	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe	89
PID 5004 wrote to memory of 3892	5004	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe	89
PID 5004 wrote to memory of 2404	5004	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe	90
PID 5004 wrote to memory of 2404	5004	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe	90
PID 5004 wrote to memory of 2404	5004	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe	90
PID 1504 wrote to memory of 4052	1504	cmd.exe	95
PID 1504 wrote to memory of 4052	1504	cmd.exe	95
PID 1504 wrote to memory of 4052	1504	cmd.exe	95
PID 2404 wrote to memory of 2368	2404	cmd.exe	96
PID 2404 wrote to memory of 2368	2404	cmd.exe	96
PID 2404 wrote to memory of 2368	2404	cmd.exe	96
PID 4052 wrote to memory of 1140	4052	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe	97
PID 4052 wrote to memory of 1140	4052	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe	97
PID 4052 wrote to memory of 1140	4052	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe	97
PID 1140 wrote to memory of 4544	1140	cmd.exe	99
PID 1140 wrote to memory of 4544	1140	cmd.exe	99
PID 1140 wrote to memory of 4544	1140	cmd.exe	99
PID 4052 wrote to memory of 4964	4052	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe	100
PID 4052 wrote to memory of 4964	4052	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe	100
PID 4052 wrote to memory of 4964	4052	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe	100
PID 4052 wrote to memory of 3424	4052	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe	101
PID 4052 wrote to memory of 3424	4052	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe	101
PID 4052 wrote to memory of 3424	4052	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe	101
PID 4052 wrote to memory of 3480	4052	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe	102
PID 4052 wrote to memory of 3480	4052	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe	102
PID 4052 wrote to memory of 3480	4052	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe	102
PID 4052 wrote to memory of 4124	4052	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe	103
PID 4052 wrote to memory of 4124	4052	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe	103
PID 4052 wrote to memory of 4124	4052	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe	103
PID 4124 wrote to memory of 684	4124	cmd.exe	108
PID 4124 wrote to memory of 684	4124	cmd.exe	108
PID 4124 wrote to memory of 684	4124	cmd.exe	108
PID 4544 wrote to memory of 112	4544	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe	109
PID 4544 wrote to memory of 112	4544	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe	109
PID 4544 wrote to memory of 112	4544	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe	109
PID 112 wrote to memory of 216	112	cmd.exe	111
PID 112 wrote to memory of 216	112	cmd.exe	111
PID 112 wrote to memory of 216	112	cmd.exe	111
PID 4544 wrote to memory of 4808	4544	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe	112
PID 4544 wrote to memory of 4808	4544	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe	112
PID 4544 wrote to memory of 4808	4544	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe	112
PID 4544 wrote to memory of 1420	4544	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe	113
PID 4544 wrote to memory of 1420	4544	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe	113
PID 4544 wrote to memory of 1420	4544	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe	113
PID 4544 wrote to memory of 1696	4544	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe	114
PID 4544 wrote to memory of 1696	4544	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe	114
PID 4544 wrote to memory of 1696	4544	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe	114
PID 4544 wrote to memory of 376	4544	2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe	115

C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5004
- C:\Users\Admin\OMQggIQw\PSAgQEIY.exe
  "C:\Users\Admin\OMQggIQw\PSAgQEIY.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:2620
- C:\ProgramData\YAsUosYg\MAwgMwgs.exe
  "C:\ProgramData\YAsUosYg\MAwgMwgs.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4756
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1504
- - C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
    C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4052
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1140
    - - C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4544
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:112
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3664
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        9⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        10⤵
        
        PID:1368
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        12⤵
        
        PID:4084
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        14⤵
        
        PID:3752
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        16⤵
        
        PID:1692
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        18⤵
        
        PID:1688
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:4936
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        22⤵
        
        PID:3520
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        24⤵
        
        PID:4124
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        26⤵
        
        PID:4808
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        28⤵
        
        PID:692
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        30⤵
        
        PID:2296
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        31⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        32⤵
        
        PID:3236
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        33⤵
        
        PID:4940
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        33⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        34⤵
        
        PID:3856
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        35⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        36⤵
        
        PID:3368
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        37⤵
        
        PID:4188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        38⤵
        
        PID:1108
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        39⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        40⤵
        
        PID:4932
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        41⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        42⤵
        
        PID:4736
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        43⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        44⤵
        
        PID:1184
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        45⤵
        
        PID:5032
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        45⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        46⤵
        
        PID:4060
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        47⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        48⤵
        
        PID:2132
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        49⤵
        
        PID:4892
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        49⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        50⤵
        
        PID:1120
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        51⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        52⤵
        
        PID:4124
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        53⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        54⤵
        
        PID:4364
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        55⤵
        
        PID:3992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        56⤵
        
        PID:3572
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        57⤵
        
        PID:4876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        58⤵
        
        PID:232
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        59⤵
        System Location Discovery: System Language Discovery
        
        PID:2232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        60⤵
        System Location Discovery: System Language Discovery
        
        PID:3376
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        61⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        62⤵
        
        PID:212
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        63⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        64⤵
        
        PID:2688
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        65⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        66⤵
        
        PID:1740
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        67⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        68⤵
        System Location Discovery: System Language Discovery
        
        PID:692
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        69⤵
        
        PID:3572
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        69⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        70⤵
        
        PID:648
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        71⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        72⤵
        
        PID:216
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        73⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        74⤵
        
        PID:4452
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        75⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        76⤵
        
        PID:3892
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        77⤵
        
        PID:2456
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        77⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        78⤵
        
        PID:940
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        79⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        80⤵
        
        PID:3408
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        81⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        82⤵
        System Location Discovery: System Language Discovery
        
        PID:3820
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        83⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        84⤵
        
        PID:4828
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        85⤵
        
        PID:1252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        86⤵
        
        PID:4164
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        87⤵
        
        PID:4876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        88⤵
        
        PID:3504
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        89⤵
        
        PID:3568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        90⤵
        
        PID:3992
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        91⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        92⤵
        
        PID:1516
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        93⤵
        
        PID:3376
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        93⤵
        
        PID:1108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        94⤵
        
        PID:4428
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        95⤵
        
        PID:4516
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        95⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        96⤵
        
        PID:2732
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        97⤵
        System Location Discovery: System Language Discovery
        
        PID:2532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        98⤵
        
        PID:1876
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        99⤵
        
        PID:216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        100⤵
        
        PID:636
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        101⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        102⤵
        
        PID:1312
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        103⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        104⤵
        
        PID:3612
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        105⤵
        
        PID:2688
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        105⤵
        
        PID:1388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        106⤵
        
        PID:1384
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        107⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        108⤵
        
        PID:2584
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        109⤵
        
        PID:416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        110⤵
        
        PID:2552
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        111⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        112⤵
        
        PID:4872
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        113⤵
        
        PID:2624
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        113⤵
        System Location Discovery: System Language Discovery
        
        PID:1568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        114⤵
        
        PID:4592
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        115⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        116⤵
        
        PID:5056
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        117⤵
        
        PID:244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        118⤵
        
        PID:4520
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        119⤵
        
        PID:1108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        120⤵
        
        PID:3480
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        121⤵
        
        PID:2584
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        121⤵
        
        PID:416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        122⤵
        
        PID:4652
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        123⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        124⤵
        
        PID:1164
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        125⤵
        
        PID:1508
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        125⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        126⤵
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        127⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        128⤵
        
        PID:1692
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        129⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        130⤵
        
        PID:2148
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        131⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        132⤵
        
        PID:4092
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        133⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        134⤵
        
        PID:2288
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        135⤵
        
        PID:3980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        136⤵
        
        PID:4460
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        137⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        138⤵
        
        PID:1704
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        139⤵
        
        PID:4872
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        139⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        140⤵
        
        PID:2964
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        141⤵
        
        PID:240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        142⤵
        
        PID:2484
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        143⤵
        
        PID:1280
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        143⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        144⤵
        
        PID:2480
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        145⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        146⤵
        
        PID:3660
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        147⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        148⤵
        
        PID:632
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        149⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        150⤵
        
        PID:4576
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        151⤵
        
        PID:4504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        152⤵
        
        PID:2464
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        153⤵
        
        PID:4060
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        153⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        154⤵
        
        PID:5060
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        155⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        156⤵
        System Location Discovery: System Language Discovery
        
        PID:2448
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        157⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        158⤵
        
        PID:224
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        159⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        160⤵
        
        PID:4764
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        161⤵
        
        PID:1584
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        161⤵
        
        PID:4552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        162⤵
        System Location Discovery: System Language Discovery
        
        PID:1228
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        163⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        164⤵
        
        PID:4736
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        165⤵
        
        PID:3584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        166⤵
        
        PID:4828
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        167⤵
        
        PID:64
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        168⤵
        
        PID:2752
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        169⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        170⤵
        
        PID:3868
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        171⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        172⤵
        
        PID:216
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        173⤵
        
        PID:4052
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        173⤵
        
        PID:116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        174⤵
        
        PID:3188
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        175⤵
        
        PID:3804
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        175⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        176⤵
        
        PID:3228
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        177⤵
        
        PID:3192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        178⤵
        
        PID:2480
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        179⤵
        
        PID:2884
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        179⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        180⤵
        
        PID:4176
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        181⤵
        System Location Discovery: System Language Discovery
        
        PID:3212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        182⤵
        
        PID:2228
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        183⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        184⤵
        
        PID:4736
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        185⤵
        
        PID:3992
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        185⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        186⤵
        
        PID:1844
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        187⤵
        
        PID:4864
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        187⤵
        
        PID:3224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        188⤵
        
        PID:2332
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        189⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        190⤵
        
        PID:1372
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        191⤵
        
        PID:3156
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        191⤵
        System Location Discovery: System Language Discovery
        
        PID:4600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        192⤵
        
        PID:5016
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        193⤵
        
        PID:4404
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        193⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        194⤵
        
        PID:4088
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        195⤵
        
        PID:2532
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        195⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        196⤵
        
        PID:2668
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        197⤵
        
        PID:2752
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        197⤵
        System Location Discovery: System Language Discovery
        
        PID:1480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock"
        198⤵
        
        PID:3272
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        199⤵
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe
        
        C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock
        199⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        200⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2340
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        201⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        200⤵
        Modifies registry key
        
        PID:4368
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        201⤵
        
        PID:3696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        200⤵
        UAC bypass
        
        PID:4520
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        201⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        198⤵
        
        PID:1860
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        199⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        198⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        198⤵
        
        PID:1432
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        199⤵
        
        PID:1108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sGAUUIsA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        198⤵
        
        PID:4832
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        199⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        199⤵
        
        PID:816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        196⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        196⤵
        
        PID:224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        196⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TOgQMcUg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        196⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        197⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        194⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        194⤵
        Modifies registry key
        
        PID:64
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        194⤵
        UAC bypass
        
        PID:2364
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        195⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BkwAYEUQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        194⤵
        System Location Discovery: System Language Discovery
        
        PID:4460
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        195⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        192⤵
        Modifies visibility of file extensions in Explorer
        
        PID:400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        192⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        192⤵
        
        PID:2100
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        193⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tcwYUMIE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        192⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        193⤵
        System Location Discovery: System Language Discovery
        
        PID:4796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        190⤵
        Modifies visibility of file extensions in Explorer
        
        PID:816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        190⤵
        
        PID:4368
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        191⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        190⤵
        
        PID:3292
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        191⤵
        
        PID:244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YYgIUwco.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        190⤵
        
        PID:1032
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        191⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        191⤵
        
        PID:216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        188⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        188⤵
        
        PID:4444
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        189⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        188⤵
        UAC bypass
        
        PID:5060
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        189⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gMAcUEIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        188⤵
        System Location Discovery: System Language Discovery
        
        PID:4420
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        189⤵
        
        PID:460
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        189⤵
        
        PID:3368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        186⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        186⤵
        
        PID:2244
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        187⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        186⤵
        UAC bypass
        
        PID:2692
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        187⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IMUkEckQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        186⤵
        
        PID:3280
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        187⤵
        
        PID:3408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        184⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        184⤵
        
        PID:4652
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        185⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        184⤵
        UAC bypass
        
        PID:2968
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        185⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fOIsoQwA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        184⤵
        
        PID:3568
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        185⤵
        
        PID:208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        182⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        182⤵
        
        PID:1956
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        183⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        182⤵
        
        PID:344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bcYQAIcw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        182⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        183⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        180⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3156
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        181⤵
        
        PID:240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        180⤵
        Modifies registry key
        
        PID:3056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        180⤵
        Modifies registry key
        
        PID:2568
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        181⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\naUsMoMY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        180⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        181⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        178⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        178⤵
        
        PID:5072
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        179⤵
        
        PID:4552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        178⤵
        
        PID:4764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EmUoYgoA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        178⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        179⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        176⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        176⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:3820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        176⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:3232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QUoQMQcU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        176⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        177⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        174⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        174⤵
        
        PID:3600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        174⤵
        UAC bypass
        
        PID:3240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KsgYcokI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        174⤵
        System Location Discovery: System Language Discovery
        
        PID:3204
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        175⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        172⤵
        System Location Discovery: System Language Discovery
        
        PID:1492
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        173⤵
        
        PID:1228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        172⤵
        
        PID:2512
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        173⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        172⤵
        Modifies registry key
        
        PID:3428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wqwEAgsg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        172⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        173⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        170⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        170⤵
        
        PID:5060
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        171⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        170⤵
        
        PID:324
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        171⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VKogYgEI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        170⤵
        
        PID:816
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        171⤵
        
        PID:768
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        171⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        168⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        168⤵
        
        PID:3368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        168⤵
        
        PID:5052
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        169⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dKQgMUEE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        168⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        169⤵
        
        PID:232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        166⤵
        
        PID:648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        166⤵
        
        PID:1392
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        167⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        166⤵
        UAC bypass
        
        PID:2092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tGosQksw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        166⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        167⤵
        
        PID:3480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        164⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        164⤵
        
        PID:3020
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        165⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        164⤵
        UAC bypass
        
        PID:4988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OGoEIcwo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        164⤵
        
        PID:3752
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        165⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        162⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        162⤵
        Modifies registry key
        
        PID:4892
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        163⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        162⤵
        UAC bypass
        
        PID:2332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mqcEEwwY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        162⤵
        System Location Discovery: System Language Discovery
        
        PID:4880
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        163⤵
        
        PID:684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        160⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        160⤵
        System Location Discovery: System Language Discovery
        
        PID:4628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        160⤵
        Modifies registry key
        
        PID:3480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gqsQUccU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        160⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        161⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        158⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:4872
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        159⤵
        
        PID:3544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        158⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        158⤵
        UAC bypass
        
        PID:4620
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        159⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qewkEgoE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        158⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        159⤵
        
        PID:704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        156⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        156⤵
        Modifies registry key
        
        PID:4832
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        157⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        156⤵
        UAC bypass
        Modifies registry key
        
        PID:5004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nIEQEEEw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        156⤵
        
        PID:116
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        157⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        157⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        154⤵
        Modifies visibility of file extensions in Explorer
        
        PID:752
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        155⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        154⤵
        Modifies registry key
        
        PID:2972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        154⤵
        UAC bypass
        Modifies registry key
        
        PID:1516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fYkssIMU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        154⤵
        System Location Discovery: System Language Discovery
        
        PID:2744
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        155⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        152⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:5072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        152⤵
        Modifies registry key
        
        PID:4052
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        153⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        152⤵
        UAC bypass
        
        PID:4368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dAgEcAgo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        152⤵
        
        PID:4088
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        153⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        150⤵
        
        PID:3272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        150⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        150⤵
        UAC bypass
        
        PID:116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LwgIAcIQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        150⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        151⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        148⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        148⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        148⤵
        
        PID:2896
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        149⤵
        
        PID:3992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mSAcMkcs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        148⤵
        
        PID:3232
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        149⤵
        System Location Discovery: System Language Discovery
        
        PID:3224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        146⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        146⤵
        Modifies registry key
        
        PID:4740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        146⤵
        UAC bypass
        
        PID:1884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AkEQoEkQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        146⤵
        
        PID:400
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        147⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        144⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        144⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        144⤵
        UAC bypass
        
        PID:2752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OcQIIQsA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        144⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        145⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        142⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        142⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        142⤵
        UAC bypass
        
        PID:1516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bAAAoEko.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        142⤵
        System Location Discovery: System Language Discovery
        
        PID:3480
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        143⤵
        
        PID:3204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        140⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        140⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        140⤵
        UAC bypass
        
        PID:1876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xigYIYcc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        140⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        141⤵
        
        PID:3760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        138⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        138⤵
        
        PID:4976
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        139⤵
        
        PID:3820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        138⤵
        UAC bypass
        
        PID:5048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\leskgkcw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        138⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        139⤵
        
        PID:1032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        136⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        136⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        136⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JiQsIUwE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        136⤵
        
        PID:3544
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        137⤵
        
        PID:844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        134⤵
        System Location Discovery: System Language Discovery
        
        PID:4768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        134⤵
        
        PID:3728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        134⤵
        UAC bypass
        
        PID:3696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ogoQYAwg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        134⤵
        System Location Discovery: System Language Discovery
        
        PID:1228
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        135⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        132⤵
        Modifies registry key
        
        PID:4744
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        133⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        132⤵
        
        PID:1956
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        133⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        132⤵
        
        PID:3992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SIAUgoAE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        132⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        133⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1696
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        131⤵
        
        PID:4876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        
        PID:4740
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        131⤵
        
        PID:1112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        UAC bypass
        Modifies registry key
        
        PID:400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gWYggUYE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        130⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        131⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        Modifies registry key
        
        PID:4508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        System Location Discovery: System Language Discovery
        
        PID:4504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        UAC bypass
        
        PID:2092
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        129⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YSsgoYII.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        128⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        129⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        
        PID:3716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        Modifies registry key
        
        PID:1864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        
        PID:2060
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        127⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TcMkcoIM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        126⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        
        PID:3696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        
        PID:236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        UAC bypass
        
        PID:1844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jEUIgQMI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        124⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:4188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4316
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        123⤵
        
        PID:420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        
        PID:4564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        UAC bypass
        
        PID:3752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jWogocsU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        122⤵
        
        PID:240
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        Modifies registry key
        
        PID:460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        UAC bypass
        
        PID:1280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QasAskQM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        120⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        
        PID:1228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Mwcgcckg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        118⤵
        
        PID:2168
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        119⤵
        
        PID:464
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        
        PID:3456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sOgIsEEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        116⤵
        
        PID:4200
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        System Location Discovery: System Language Discovery
        
        PID:4856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        
        PID:2336
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        115⤵
        
        PID:4124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YsMMQcYM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        114⤵
        System Location Discovery: System Language Discovery
        
        PID:4508
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        
        PID:232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        Modifies registry key
        
        PID:464
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        113⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        UAC bypass
        
        PID:4768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fEosoMwU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        112⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        
        PID:648
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        111⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        UAC bypass
        
        PID:3988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DYEgQEEc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        110⤵
        System Location Discovery: System Language Discovery
        
        PID:4400
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        
        PID:3460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        UAC bypass
        
        PID:116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rWooYoUU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        108⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        System Location Discovery: System Language Discovery
        
        PID:4872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        UAC bypass
        
        PID:1112
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        107⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aKUQEMEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        106⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        System Location Discovery: System Language Discovery
        
        PID:344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        UAC bypass
        
        PID:2716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IkIgssgk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        104⤵
        
        PID:4836
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        105⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        Modifies registry key
        
        PID:3460
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        103⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        UAC bypass
        Modifies registry key
        
        PID:4592
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        103⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cYgoIkgs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        102⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:4800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        
        PID:684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        UAC bypass
        Modifies registry key
        
        PID:464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WYggIwUs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        100⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:3280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        Modifies registry key
        
        PID:4724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        
        PID:1032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        UAC bypass
        
        PID:4564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JmgIAAIs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        98⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        Modifies registry key
        
        PID:1420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        
        PID:768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DCQwIQIg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        96⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        System Location Discovery: System Language Discovery
        
        PID:4452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        
        PID:4944
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        95⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jGckEAAc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        94⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        
        PID:1660
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        93⤵
        
        PID:3192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        
        PID:4780
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        93⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qmoIQMgM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        92⤵
        System Location Discovery: System Language Discovery
        
        PID:644
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        
        PID:4368
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        91⤵
        
        PID:3408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        Modifies registry key
        
        PID:2396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        UAC bypass
        
        PID:2220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YiwwEsIo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        90⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        Modifies registry key
        
        PID:1508
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        89⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        
        PID:3824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OEAwAwcU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        88⤵
        
        PID:1228
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        UAC bypass
        
        PID:4584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XaEcQock.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        86⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:4764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        
        PID:3648
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        85⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hGIUAcAw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        84⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        System Location Discovery: System Language Discovery
        
        PID:4084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:1492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:3212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        UAC bypass
        Modifies registry key
        
        PID:1600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JyIcMIMc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        82⤵
        
        PID:4676
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        
        PID:3488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        Modifies registry key
        
        PID:4796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        
        PID:1312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vEUUcYck.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        80⤵
        
        PID:4440
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        81⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:1420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\omQUwcIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        78⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        UAC bypass
        
        PID:4740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kQYUAckw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        76⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        Modifies registry key
        
        PID:3620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        Modifies registry key
        
        PID:416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        System Location Discovery: System Language Discovery
        
        PID:4468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\giwwEogA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        74⤵
        
        PID:4200
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VcAEsEkQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        72⤵
        
        PID:4124
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        
        PID:2696
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        71⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        
        PID:2072
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        71⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        UAC bypass
        
        PID:1044
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        71⤵
        
        PID:3264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xOEsoAMU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        70⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        
        PID:704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        UAC bypass
        
        PID:3604
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        69⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FiAoAQIo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        68⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        System Location Discovery: System Language Discovery
        
        PID:4568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        
        PID:684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        Modifies registry key
        
        PID:2328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        UAC bypass
        
        PID:4316
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        67⤵
        
        PID:4620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fkcMMwcc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        66⤵
        
        PID:4172
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        67⤵
        
        PID:3568
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        
        PID:2752
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        65⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        Modifies registry key
        
        PID:60
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GYQQoIYM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        64⤵
        
        PID:844
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:3620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        Modifies registry key
        
        PID:4872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eOoYQcYA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        62⤵
        System Location Discovery: System Language Discovery
        
        PID:2172
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:3192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GkMwMYoY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        60⤵
        System Location Discovery: System Language Discovery
        
        PID:4600
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        
        PID:3728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        UAC bypass
        Modifies registry key
        
        PID:3604
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        59⤵
        
        PID:4188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yqkQMYgY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        58⤵
        
        PID:3980
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        Modifies registry key
        
        PID:4316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        UAC bypass
        
        PID:3368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\luQgkccQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        56⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:4800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        UAC bypass
        
        PID:2512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TmkMkEIc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        54⤵
        
        PID:4620
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:4904
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        53⤵
        
        PID:3824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        UAC bypass
        
        PID:3264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jwEYsYQo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        52⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        System Location Discovery: System Language Discovery
        
        PID:2060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1420
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        51⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        Modifies registry key
        
        PID:2460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        UAC bypass
        
        PID:4600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MeIoIcoQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        50⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        
        PID:3204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        UAC bypass
        
        PID:4652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wQQgYIUw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        48⤵
        
        PID:3832
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:1252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        
        PID:2456
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        47⤵
        
        PID:3772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        
        PID:4172
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        47⤵
        
        PID:692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EAsssAwA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        46⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:4876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        Modifies registry key
        
        PID:4960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        Modifies registry key
        
        PID:2692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wsAQAgIw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        44⤵
        
        PID:3568
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        45⤵
        
        PID:3856
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        UAC bypass
        
        PID:2688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\umcUcEMg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        42⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        UAC bypass
        
        PID:324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hwYIcMEM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        40⤵
        
        PID:2460
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        41⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        System Location Discovery: System Language Discovery
        
        PID:2596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:5064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lcQMIAcE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        38⤵
        
        PID:240
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        Modifies registry key
        
        PID:1592
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        37⤵
        
        PID:4808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        
        PID:3192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZwMMUQQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        36⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        Modifies visibility of file extensions in Explorer
        
        PID:208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        System Location Discovery: System Language Discovery
        
        PID:3824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        UAC bypass
        
        PID:1568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qEcUIQEg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        34⤵
        
        PID:3620
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        UAC bypass
        
        PID:4052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yewogscM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        32⤵
        System Location Discovery: System Language Discovery
        
        PID:4048
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:4584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        UAC bypass
        
        PID:5004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AYEoUYsk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        30⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:3260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GocAgkgo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        28⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        System Location Discovery: System Language Discovery
        
        PID:3156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        UAC bypass
        
        PID:2948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NcggsYcA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        26⤵
        
        PID:3504
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        27⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        System Location Discovery: System Language Discovery
        
        PID:1516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        UAC bypass
        
        PID:1140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tkIAkcgk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        24⤵
        
        PID:4744
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        
        PID:3276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:1252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        UAC bypass
        Modifies registry key
        
        PID:2072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VyAQAgUE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        22⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:4484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        UAC bypass
        
        PID:3936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bKscUcYs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:1084
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:3696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CwwMYggw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        18⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:3772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:3292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        UAC bypass
        
        PID:5044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sgcAkAYo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        16⤵
        
        PID:768
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        Modifies registry key
        
        PID:1064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\miYIAssk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        14⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        
        PID:324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        Modifies registry key
        
        PID:3716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        UAC bypass
        
        PID:244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JkQIEYUU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:3000
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        Modifies registry key
        
        PID:1592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        
        PID:2168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rOcskEgM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        10⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:3512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:3408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        
        PID:3648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nEEUwUoA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3940
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:1108
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4808
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1420
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        
        PID:1696
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PaQggMYY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
        6⤵
        
        PID:376
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:4380
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:4964
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:3424
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:3480
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AqoUkcQE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4124
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:684
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:3716
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:2448
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:3892
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mIUsgggw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2404
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:2368

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:3276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.exe

Filesize
236KB

MD5
fb0254a97964f335e743a97084269d93

SHA1
6254778ac6e809c2bd214d4feb406f78f41dab3c

SHA256
b5f4d15c00b220045db8e633f719076f89eca0b0195e062c8a91fbd5f884cc5c

SHA512
92b0828d8f2f30df0614d0b7dc63c9b32c8eff0c97b5e586c861af16e1c6b0ca72f82365c0012a911867721c790813a2baa4fca938eb4c7cdd5110178779bc48

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.exe

Filesize
158KB

MD5
1154f6cc2251a9788dd2ae094fa89e61

SHA1
78d76582ad0b01c4295dbc132fd0f9818a1f5c50

SHA256
7d916ed38d817a07aff484cd8bfd52a01dd3d9b49194037ae84b6d4a9ab07934

SHA512
60cdf5051179aa08b6486c6bca7718c9b64c10de21767a6dbd3da5d4bbfc6a81b285e384061b8259d2cd26e9761c0660d138f21f6238557f32a975da5a1823eb

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe

Filesize
138KB

MD5
80008b5d8000a85ea9a02d486517e452

SHA1
60df65f707395f9ca94243ca3ba7bd6b67e94a05

SHA256
2f27ff2b55da86d6cb4634af26979b1fb62d546ffe84ef6f931563ac47965952

SHA512
0c89aadd9a444d39a5ee247489774079cb939e9e0089e209f8b353501b45abe5dcb0e632ceefd28304e0a629e7a0770d20e5ea86535fd0653d33f804a72d7288

Download Submit
C:\ProgramData\YAsUosYg\MAwgMwgs.exe

Filesize
111KB

MD5
baf19f04218481615b5e885848ecdb58

SHA1
209e38300279461b846ef53d36cb3b95c54e5c06

SHA256
9139a87628c920b0714273163c89d2573131e43d63e72957047cfe9a54a94970

SHA512
3b720285bd280677934f1d5df7d370ce56316ee1ea50c69d242a778b529b537ccffb6a6c81714bf86f4e5f2b08b457276ae430a54c8be09dd9552fce8c61a973

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppErrorWhite.png.exe

Filesize
118KB

MD5
a03c46ec7c0c5b10c2b188cade305b10

SHA1
10dd18ae24c569448b718bbdc157851bbe8c1f27

SHA256
e47dc835675077562387e8e7637449dcb1568ff8d9cc7cf859615699e87ec4e7

SHA512
1dc2a2403f192383c4a8ae5640a3c9d777f712e7bf644174bb42f2a9f8a8eb41eb2cc69c2c66f02bd62964e80ca1e5fc90f66872b5a7c89ea683963484b56aee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ScreenshotOptIn.gif.exe

Filesize
348KB

MD5
ef5041809466abe3471c7c2994c94197

SHA1
e0ec05d66dd22489696aefd6e78bdf6a1c68fd19

SHA256
755c0a56509f4c80dd27553bcff066034f7011137d45b36b1c0a2908974ca008

SHA512
59bec0d808516503803777b54cd822fcc637ef846779727c52f6bce2730fc71b9fe3380e5fadfed4c6b358b0143666c1105c072c84dea77d5e2f65faf3b93c84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-200.png.exe

Filesize
112KB

MD5
6343e925fc589de3a8019bebaa2c0082

SHA1
ca0a844e6a3df195fa45435ec043c99f93e3d022

SHA256
e0783ad69f7048482b92729487202bc5bacb7ac5b1898cac1c56ffddc56f90bc

SHA512
6c5766f52cff6c39f849c8aac003fda44ee6b0abebe15270cc05f3fc9d4b799d4ec9b6bb3c84b8580352dc1ceb0afa9c81d9255db29e00f6efb71fc8bd23e0df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-white_scale-125.png.exe

Filesize
110KB

MD5
6507f31566fa300b3ea016bc62aa8cbe

SHA1
47d705e9c4d1c1d8058cdd430e12a1eda15e8f90

SHA256
218758c7534b11883cff3788a782e845a4d9abd6e912bc3dca7e663b2bd688b5

SHA512
4239c045b5031f181d9f272255cc200ad4d89ecb552781b1a305d71de5ada71519ac87ddb0c624ae0fdca22369b9e1227293230dea51d61f290474181a1d5554

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-125.png.exe

Filesize
110KB

MD5
41cbb8d85b790c6fee682907ea052ba1

SHA1
1cbcf64e7322af93a1e38dbcc80d73f2975ec535

SHA256
968f21742093ce5353f21e6ef202348cbe9ac124ddd2113b8791c766ad91e1d7

SHA512
8a77fe3a08f37299211e6863c9cc816383da0d8bd17903a3a824e461089916d6a4fafdc3416eaeba3317c1f7b55a803e7ce50c792b3eddba8d26f5b1b484941a

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-11-20_92f7d5f7ac3f057a1327549922c438b5_virlock

Filesize
176B

MD5
f3489c18d9a2de4a86bc2a10c70572c5

SHA1
52a2330cc05ca0fecb31ddda3db2748eb680b124

SHA256
5acb672d97f4adf4ae8d31b3968a1a17dfa66c35d74a1da262f14c12615d3f56

SHA512
067fb84bde0731bbbdbc616fe49572d5082c6abf3e2f09b5d0ca46ee1c872e485f6a37c9a2729f15c02e772355deb4c71db13a23cd9742e47747a398bc0ab756

Download Submit
C:\Users\Admin\AppData\Local\Temp\AYEA.exe

Filesize
1.3MB

MD5
9d14102af7f855d30e6bdb53c8ca7152

SHA1
8402a1ce7ff189afe67196d8d70825bcacf8ce86

SHA256
86f671c93ccaa54ab8768c55d1052ecc6525431c53daccf673ddb65d51d249d1

SHA512
5b2ab665e7fe1e1eb2b6fa2b4ef6e81a0c0719cc08ff9976097eda43dd4056b2a83a35530df7208dd1d99b397f19da62bb2312d379917e2d7ee76b3ff8c78893

Download Submit
C:\Users\Admin\AppData\Local\Temp\AcgC.exe

Filesize
115KB

MD5
1f87117348200a6bcff48c272a906b6c

SHA1
7f881e444a1215947e5d0a2d462c95f094dabd88

SHA256
21d88f327a053baf07505a3ac27dbee8a5856dcb43695d3c2ac2b83f79970d75

SHA512
f02c23d44144fea79838a4ca21268bd3809f238edf0c17ad24f8334ff8a13129d8cd3ebf8b8393cd0aab67a14a8963e2eac4f9a2524077d9e440f48e9f7e56b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\AoIC.exe

Filesize
111KB

MD5
18f918a3afba568624f94f2fd27e40b1

SHA1
458a0c421b544ce3c163e63ea0be7e98c6b1d571

SHA256
7c8e540adc947381ebc292fb58ae05f2cf1cd8d05615422f852d8b8b213071d7

SHA512
efcc4376354183efcc5a4a5142e35d9b6fa34f9c6106aadd74e556a25e359f5f7300b73ab79948f43c6700191b4d33f8e167852926afc1af13a4edf028bdab05

Download Submit
C:\Users\Admin\AppData\Local\Temp\CMYo.exe

Filesize
110KB

MD5
35e8ba41fc83460c6a0f119806beebb4

SHA1
b2a3cb954801a80a13e4b5135556043df33872fa

SHA256
8ac0be692d596539459a03dbda8b28122ad2af77ecbfe446a4662519301d13ee

SHA512
fcb79a90665a04b1edf231a7fe0c6792e5d0f22d8c8733f3e570ce690ea90fdbabf681aac97fd06a7b2113fbf4797119183825afefb67bd01f80b4964794583d

Download Submit
C:\Users\Admin\AppData\Local\Temp\CMYu.exe

Filesize
126KB

MD5
7735d9b307ed7ef818c564468f4537e7

SHA1
fae07b8d103086cc8e8a24085ee5348b44e37f8a

SHA256
c9468e9ad4723ae9de73d7e611746410d0b71789f33b15562eb386177a951a11

SHA512
5921d64d3e69d9ba035fe83138c2048bc794f9d14855147281aaa69277644c514fc4ba912e8cd32f58c6926889b4a68729f08e58d4636d18b5cb9d78ba184edc

Download Submit
C:\Users\Admin\AppData\Local\Temp\CQYM.exe

Filesize
111KB

MD5
baa44594cc14e66973e60b88d7d25e2c

SHA1
8f40379ca18b0a2647b00e61d61fa4ef7372019e

SHA256
3cc6adefd522cb74df31d4f6a90eed4a39f36b9036f8329c993aaeb28bcd8113

SHA512
e56c31e9d6d6ea164273475394da308bfd423cbf70fd932d9504a20708f4c2023f043ef59ba2eb9949d3e5f2d1d800f6182bff89b772743948944c88d516031d

Download Submit
C:\Users\Admin\AppData\Local\Temp\CUwo.exe

Filesize
111KB

MD5
e03704800b05bc0d5c6bfb91daf29399

SHA1
a39a7275ce60b52a808963e0741dc54b2090650a

SHA256
c89bb164e61a8b81a52f8c13bb8e4f57632fc63fccab6e4bf3905fb5b2991cb8

SHA512
d464be62dd99cb5efa119d36fc9d13c5311351a76d32e42a04314625b0bb387a80b8d7e4a151346704813b1ec6cdb0be1607f955b600bc2aae8ab93994e71e34

Download Submit
C:\Users\Admin\AppData\Local\Temp\CcAI.exe

Filesize
237KB

MD5
d854a26ee17a0602c09849d4ecf3f266

SHA1
f546b14d4f0ccc2ffc4a4ab47d9bdd20a3072b9c

SHA256
ce3747cbcb967f2e752d2160da2cd13125355334dd1e572549e10296c5aeecc2

SHA512
53352629bd1a94178b5144a8c5cc049b12e7f68f49d7245297df662696d58eac7b9083ff026689f35c084cac9eec00bbe5eae63cb90c35e3b10e04161587e1ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\EIQG.exe

Filesize
112KB

MD5
7be733395475124a4b80fc66a066c935

SHA1
f298d40fdb624851dfc6a68be34a875de20a2465

SHA256
4529489ec11ff13fdf7feb5941f997d907d8bb08b0bd901f5151ade034e03265

SHA512
88dd8a997ddbedc5764d19170eee0561bc8f3495f06a984cecb3f3fd75755117a73b8ab9dde66452af3485bb16d56c1e1f5cb4033ae8b0e442b4cb9cb9cef581

Download Submit
C:\Users\Admin\AppData\Local\Temp\EgAe.exe

Filesize
117KB

MD5
f122bc9aa2f74e58de19763204c0c3ff

SHA1
3963414cfd416912fa5c99678a66f430b65dfa9f

SHA256
78310a5fac563194beb742e55cc2356ff9a54eedc5995bd67a4f8e77ea5fd66a

SHA512
ad1b4292f715f994cffeec540c73efae63d8a4c38cd1b5a4625ecdea1ecb6000039b1c0ae03a93b9e406a5c4d848ee6e5a637ca91b6b87af3fe7807d2d29ecdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\EgMA.ico

Filesize
4KB

MD5
ace522945d3d0ff3b6d96abef56e1427

SHA1
d71140c9657fd1b0d6e4ab8484b6cfe544616201

SHA256
daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd

SHA512
8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ewcc.exe

Filesize
111KB

MD5
a3cae1d6081ca4188039ff4972b8b8e3

SHA1
980b66003b011a18bdb7b06d8a1ab7ed13d16e1f

SHA256
f6c41399ed78e70b0112f63372aa7c0078a1b340a13279c7da9ad3c586785274

SHA512
112e309ac2bb25ab64ccecd645d84d7ab731606e4c23e1078cf0aeecbca1315d81beca09d855ae52e66c26510c5e7cc3c85f31c97dbe2ec42eaa301a06800d80

Download Submit
C:\Users\Admin\AppData\Local\Temp\GAMK.exe

Filesize
920KB

MD5
bfc45fd6e0fb07d5aeed814a92300dab

SHA1
a177a9c612c55d8f29f75679786c56c75a7dec14

SHA256
2a6cfa67e3e5e51822963bd4eca91a1f598da9b9409613f82a7e75f438994a9f

SHA512
caeed5f8ad254d5865ef02c4f1f57a710c6706ba2b9a40cd65053a9dd063e5608e1c3b0683c0e687cf4428aceb95565641d87fc018dff529bb0695bd1be32a18

Download Submit
C:\Users\Admin\AppData\Local\Temp\GEcA.exe

Filesize
112KB

MD5
e674a81d82d8fc52191498597191b3b7

SHA1
849348ee654f0058a000f143fde0576773d4ec12

SHA256
aea39c526cbfbc5a3d08aa22b7093ec6666321dc089373ca170fdd6d156944bc

SHA512
e6f371885d2bf0d216e06412a0e087fa01fbc0918be84385e9ad88f74bd6d725b449d58e51375b174f97174d0f368745bb25032cfbe0922089a49d82fbac8246

Download Submit
C:\Users\Admin\AppData\Local\Temp\GMcy.exe

Filesize
111KB

MD5
48d495dc37a3b7e159532a20da080303

SHA1
bc0da7326c38934f7ddd63e7a61834d337be1caa

SHA256
e3209ee2377c80fd1524425d358de51db8aeefe49b8b2f852180a96c7c99d8d8

SHA512
4dac7db82b958e8122e73370dabc1b64983fd35c49fef148e57154619ce80babbd00e749f01e3b1e1e9291551efd7ea66d92cc327574f8cd9a079ff5cdb783aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ggkg.exe

Filesize
153KB

MD5
2a2a0439bd75ed2e0fb7d00f73788a30

SHA1
a3e0df9406d16dacf2c90a0324962092c87ca9e6

SHA256
03f7970aefbda8feb7b07eb755eddcd8eca051718aa21ff8544dc60aa2de8323

SHA512
f5b0be96753b12a755a8155019e87983ca673fae6ab42312828203518e201a9444ec176d4df0ca93ffc5fb1a011999778c3aa783146ed380808382d2d0c5d9c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ggkm.exe

Filesize
111KB

MD5
553513371e2403c4165a5cf9b21a2ff0

SHA1
d439285f1bb798b6a53ef2e31686c41c34768cbd

SHA256
2dbbafa671dbd413f87ef06a6ee801b3cf2e8a373e60e20c659a4c6aa7cff4bc

SHA512
f7c40e503b124b483dbf21153b180287916c5045328bf4682dbf62bd2db8d24b67c8d31ea161ec73d84ccfd0bafa7c9fda0dc0732a13e17dc5c71816a44715ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gwku.exe

Filesize
112KB

MD5
9958bd859bfcd011991af7031302a21f

SHA1
3fdcd1708f157aaf9249a6f56fd9afb6445b2d86

SHA256
df05d213ed19fe591129daaf4680c3d8293f94e38524fb4e34f5448ca38ae51b

SHA512
b4ddb56f9abb95d3e1c8724cffe5c2ab52e547af09f06e188be001570b2a7edf771956433b4521eb86adb1de0f30a295e9f2cf3ab7e30913398bdd5e8fc60122

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gwom.exe

Filesize
114KB

MD5
b6c6d6b2dfbf9c15051a3bcb4063e2cf

SHA1
120ba872b5c2b357fd66c4540f0a0218358338aa

SHA256
e8952f4ff7a6b5d50574a6cecffc1c4a6b9cb85b45331bf31ac2b40935326683

SHA512
f1a18d501733cb51299d78ce742528a6672215551ace43e8e25dbb3b3d437ad205e1a149e067549d45802439352de35570a6c1cb911238be9c53ea391cf0d7de

Download Submit
C:\Users\Admin\AppData\Local\Temp\IEgs.exe

Filesize
112KB

MD5
8cb9c46c13b9c95474b3a7a1a19afb66

SHA1
d237926a665b0c7a1fa626f084054a5fc28b1542

SHA256
5e682645021bcbe144755439dfbc95cdeb6c77a7ce98725a6dcb0e8b74aa6b2d

SHA512
7a6ec6450ff2964b8495c2115de9f07cd6e4454bae658a6faba097b241c26d9d8cb6366f82045a4d471ae9accb08953b2258ee81a8e06d7923c168a130d440fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IMQG.exe

Filesize
111KB

MD5
2020d75eb4e26b3ec5732e789385ea4e

SHA1
4c01fff731f1a7d2871b64839cd1f321b396d0a3

SHA256
c1ea2be5b58605baa15b7dde9d2bebbc639976ef77e83f6db6463173a7fe9bc9

SHA512
82eba819d167db7333d35c65db8b8e7e4a139dc613bb856ea1a15faa011325c6a89255d614b475be88d26a0f46b2ecd3145abc6d08d162ba0496ca29929130a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IYMg.exe

Filesize
118KB

MD5
ee2050f31de41df5895982c98e4e9e38

SHA1
77402d2dd62d8e645ae15f588f65a11d24b6b8ae

SHA256
01950f20e5c41a116c9a43f7c2af1d07fecff2471a6d849d2ae8c6e53a3eef9a

SHA512
885efcd963fe6e0cc8b825d1a72cb5c7a915e7cb91f6dd00ad6470eccd37826d6c21a066552165af4f4cfe3c381227da839a042b44113b76e5ceafcb295ebafd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IcIc.exe

Filesize
110KB

MD5
873f411c03985fd770a8ffc23bf68c2b

SHA1
7cf5bc6558d0e471ec30f776f5d14e3227606b00

SHA256
911ff6f4403df3451a3bd0f6986d8be7ca0708a302ac76a154572bb65c2f78e5

SHA512
ddee11c8133a570535a65dc920a3744dd4240bb2ea675038cae25edc52dbded9d3ffa6b480f2813de749900613b6d3c2f072736225035d35b7452356ab64e379

Download Submit
C:\Users\Admin\AppData\Local\Temp\IwAa.exe

Filesize
114KB

MD5
4643afb2f615b802f8a1f19a22239146

SHA1
9aa9838ff0bd1139ababdec28dbedf2e4b292cd6

SHA256
8d3450e778696505ea4e579998f48938e63da204d4faddc3da6f620c6e61fa9f

SHA512
2fe11d2dfeb9961db74e7252b763af6d4015f3fd09821b9340750de57e986f124e8398bd979eda95b698ada5ae77af9057496917daacc2e150632cdea776a53b

Download Submit
C:\Users\Admin\AppData\Local\Temp\KIAK.exe

Filesize
546KB

MD5
fc27d3bd2c12c6036a79fbc593cf9457

SHA1
32f374f09f6d4cf553279f994f9b171fd66deb60

SHA256
b81f9710c5f3ba53c6fca344175fa3e3b81abfc3644950f206481a7efdfa4aad

SHA512
e3faefc21b8b43786e9eeeda09f1add6155377bf3927a727568c91f90bff4ece0a7dc79668f08a618f7df5fc0c500ebbb05eb2889405454c2df8741bc06e7a29

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMkA.exe

Filesize
149KB

MD5
b8ac59bcd9ed9bd82d8842db8e1b96d6

SHA1
9c72d0581e56aea226d2baa92585cc2e93d066ab

SHA256
7a25dea51fcb4633ab9fa3800650d0b620c1bc582017f35944cc16118dbb48f5

SHA512
2edc2c7462e85dc8e4168efa166b7d63128131244eed98e291f888a8841bd90b925806651329451d040c1b261b54a8c4ce2148215a60f34d82146e8878cd740c

Download Submit
C:\Users\Admin\AppData\Local\Temp\KUQg.exe

Filesize
113KB

MD5
6e239b5484dec5c6421fad150f1f0c46

SHA1
920ac3311a80e2a3cf1f1ba21bf783d022a1a166

SHA256
58df8c3e9f5dfb20667eb515138937f2443250dae039cad8b55537dd143c9056

SHA512
89874aa90ac393419bec1692c931a78b9b72239af01aa82d1839fc1704c7e6ba5f9f2b538893542229b6d6f7962dbe59aaa9ed95051b0cd73f0156e3150d9c52

Download Submit
C:\Users\Admin\AppData\Local\Temp\KcIs.exe

Filesize
110KB

MD5
4e0a282717eb9c0a21e0abbb7df4e1f2

SHA1
c408a5f9f7449494cc7e8484e9871bb8f34d71b7

SHA256
3c08fcc2e4e9882b4af4c5af9475cb1075df91e563ed56e1b16ca31cbf908392

SHA512
4af9ab37d103d26328eb403599180313061ab8d32465b1ddf0c6ff66347692cbb9a89f520268d25780d7429a48e5134d36e66a4e089644082b869c1bbb3ebe29

Download Submit
C:\Users\Admin\AppData\Local\Temp\KwsA.exe

Filesize
555KB

MD5
d94b36c7a81f606977ec34a5bca5d8e0

SHA1
5637dc0cd2963584a2bbbf12884bdfbcfc3d7bf1

SHA256
b0b5a5050ae21c7cdda6a74ab1343e1e274fd33fca1091a75bd17af8aa09491d

SHA512
1dbd52f7b9a35ca6f321356a2d9c7f9c309fc90ffd6eecc4d7bc73903767ee1d1879c48c1b713c0f807992e8876d408384326bda41d548ff147c35fe0d93c02e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MAoq.exe

Filesize
117KB

MD5
5fa8e28c39385e3c38ce1093644d663f

SHA1
29d8c0f4ebc66f50ae1fce0816ad32b82c0456b6

SHA256
4a9b61a96c4ba4abcc71adf43fcb58b1711c9320c8ce0d606991e69eff877218

SHA512
2c8ed9d2e7fa73b1fc55b6884fbdb7b4716c6f5f30262b1e7fe9a95f2254d00881387618aaa7cfae9dd906edc1b4e08f7968b96360fa662053f4f770825b6f22

Download Submit
C:\Users\Admin\AppData\Local\Temp\MMIc.exe

Filesize
985KB

MD5
9e9c0793e80638e8a3865a17dc043ba7

SHA1
ac60677aff39480f617e51923ade17adb9543145

SHA256
c92177774f00783f10c03d223cdbdb1bd88a25ec703b9e0b9d0b9a2a1fd02999

SHA512
37a3fc172d4e48e78480ce3032127c55e0118a9d39adb725d2aab313165e36841d1ecba5e8a6890a413e459e145f83b81c81c7163ef4800d57497706ff2df235

Download Submit
C:\Users\Admin\AppData\Local\Temp\MQcc.exe

Filesize
121KB

MD5
31600f6ee6e67ccfdb470d9c73bf44d6

SHA1
b9b6e784d383fa4e804d2a6d572c09cc9c4e87e0

SHA256
96cae2f22c83fe54841c511358cc96eddd3ef1934d8245de313901b0f376ede1

SHA512
0b7eb216394623beffef824ede106b0debca49742d067726680bc447768da454f1949be80e4a364e46e66c270e924d4e07435308ca3624e5e7e9c763930ed54d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MUUA.exe

Filesize
111KB

MD5
2ade8d39022abc30c7b0d12b8deeaafa

SHA1
44efbd03288533d28e5fe184eb45d3999505bec4

SHA256
29296f2eddaf006b87f4f8f489edbbfda1c0a4c71c5c64f849e9a4c3d832f15d

SHA512
72cea106b9cbecc0dc112ab4adf80634db66afc18c782cb6086ef3ed4fb4e346881dce0e0bc6f55a84e91824988cbae0b1640e7b108544b38055aaba588bb3b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\MUkM.exe

Filesize
114KB

MD5
c95c984b7c021d9cb206c48a34f27359

SHA1
fd76db8122056a062667124ed0efc5fb766ca536

SHA256
1fa4b70497968ca0f35034fb226c57163935cad872d2852b22d3a1a1549d591d

SHA512
d4f7cace2a6aeab28f131cc1e15a718539e188bd9ab06074d7c68a73caca4645a529551b7be3d763a7800741fb3ec13d8554e7fa328fb60a9722db981ff7c285

Download Submit
C:\Users\Admin\AppData\Local\Temp\MsUg.exe

Filesize
564KB

MD5
81c9f0cf8a68934c008376f7dc62af65

SHA1
4e317291d86f38d99b4e4c861a081f66258f5aa4

SHA256
4c7fa18bb574a8ba57577f9c98639cda6e8f349f931841379720fdcff1828095

SHA512
fe20e89e3184e19d63995c0b20ec79cc2ebd6107d202674ee46c9209a6dbca462a44aae859e28d8b6734628045869ffb3311f083788c0802d224aa44a8483462

Download Submit
C:\Users\Admin\AppData\Local\Temp\OAUm.exe

Filesize
117KB

MD5
48b2f060fc0c75546ee8f76ba4816621

SHA1
8dfc07142cb708607552a5abd331c38c1a97b338

SHA256
17fed8002bb0bbf8e4db16087becf193523f2318fcd453e7fe9452a23a929dcc

SHA512
f6e2134d09ddd76383a1892891b0b1d1aa98c391acedf56ad1cd8742868163408e3756150bed2252d99af7a11e7120fb5b38c6af69adcc087da18557863041c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\OAoi.exe

Filesize
120KB

MD5
fff5a839c64daa4127c95c7d827dffdf

SHA1
38946c0a3d1621adcaeb73042a883e5d2926e73c

SHA256
88be59e4474961087bacf86ab4c1cfecde84c89945865570de512f0af58428bb

SHA512
1d193a1c93f125ea2c644abb20862c97d28465b69a37264e69fd64385350a3c2cc583384ca71e818bb646b736a1872920f2c51373d7212673140f80bfe9356a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\OAwM.exe

Filesize
564KB

MD5
5e2f97e05471a63448a8de2970b5244d

SHA1
1c7b0c6f97157258ed935dabedb13c8cafcce45c

SHA256
236f1bbb4985d45e8ae5c339ee41ea2747a60f1c48f9049f9a023830a08fd8c3

SHA512
9570a6c259139c01f5b8b7de18fb7bca705c681450206e6d0754812a0e77be09fbd6561b9ee439201fc6337cb2448121d68908027a6c3ad819af0ef72dc219c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\OIEK.exe

Filesize
1022KB

MD5
1345e6271805304bc8572bc717e09dd0

SHA1
6ff91ddab68564b16ed49d802ecdd05f902a5da8

SHA256
20a12c54ea6a564f60d1c93829d5bad99a1e002fe71f407a6526854c9c5c08c6

SHA512
58101058fd93716d97894c0064573d75c265e06766fcae377011cc8b72150db8c92a73a251ba88c0fcde9d5c2da12863683ce626eb99c795b74b37c16fb3ec24

Download Submit
C:\Users\Admin\AppData\Local\Temp\OQki.exe

Filesize
110KB

MD5
392fa17298cbf60e4fc566f22acfb121

SHA1
76328a54c0b0fc4a363c551028a28de398ba3e0a

SHA256
64650ad61923449741e6834dd5dd51050e3e3d98b8fa40044613bd683dd80b01

SHA512
37f9fe317093737ff7d38ef9dddb6f4cc94924ea5e33a7cd7f196e384755fc8e64d36ec5a06cc57afb51d3b7c9450c825b91b0b0e1a23b8d6b336dc15c2b9a05

Download Submit
C:\Users\Admin\AppData\Local\Temp\OgYu.exe

Filesize
112KB

MD5
0028fa80fa59509c1326ead35c41870d

SHA1
ada7852a8a025b6547e0a30c8337d901c0aba642

SHA256
41e1f4eef9f8f52ef880c2c9d98e4604eeb434bf79e71492bb8c45178f94bbe2

SHA512
1f4a6bc33397a16c85e7ab14d1da9cec7e0dac467c3856b3db77c64bf1e9fba9063b787a3329c517e1e46b0c3df1152eef34ff5ffbd78dbb6b76253db26d4e26

Download Submit
C:\Users\Admin\AppData\Local\Temp\Oock.exe

Filesize
565KB

MD5
b8128e39071ce53a6c15deec5387505f

SHA1
1ac11451a292e13c48e926a30cd3dfb149a8922f

SHA256
52ea84f5fe5b28eeee6ba13d1394f06e1a049ed4622000f244de4092bace1351

SHA512
0cf89f3e4cc2e5781df4b464fbd911f745de17d54c3650a89365bf0e1693191a094b36607c602635d40ef7d67e16f0b650cb85a891f598567db20b2edc08de4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\QQEC.exe

Filesize
116KB

MD5
6234d34932abdc30f74924db15127bc4

SHA1
f945d7daeaa5b2a5528cb76eba3ceaa7d08fb142

SHA256
68b25f1c6e814594bc662b48ac94705647175b250e1fee1045d724459a0b7c8e

SHA512
50df73965d7462a33fe7f3c422752799dfcf99306d0e935c66ceb9225a69f7712752a82b4e4bd419eda03c055cf4eeca0a1d121d78f1c7d06cff228041b76303

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qwgo.exe

Filesize
721KB

MD5
27a5b0ec5e97cfb5467daf578202e0a1

SHA1
4558c8651916b0b79bcb00912ad080bd2d3996d6

SHA256
49c9cdf907e165f40e646d5975854e418793c4479d1a64500727765a23027f34

SHA512
fbd07b08ecdeacbc37442578f3f7b3dc329f831852abae36cf6aef76611baca810cf08c69054e9cdc5f32a11330d9e0179f627b5f7f6f801526d498c373f35a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\SAss.exe

Filesize
113KB

MD5
0c8fbbcaa53fd28292ffa696d59c87fa

SHA1
9f8f40a9978f3d14c9cad2c8c7b64fd857ca781d

SHA256
8f003ac3d5f35a2b27bae32031e8414d205b5c4c977ac966a2ee3bc0f0cd15df

SHA512
a0cd581e723380d3689bdc2661ba8456a71b6b1fb89d194f804c2b4991f76a3cd7693412298829ceae511d4a8e7deff466de15fc1187102cb20cc744c64cad9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\SMQa.exe

Filesize
235KB

MD5
2da2cd8d7a0ea767b1d7ce07a27e78b3

SHA1
a4093cad0a99eae983d035e90505a4ffc89e2b6e

SHA256
9b55a7114b2b5cdcae9a9c9bf32dae58a989378cfe24e07515087011ba2d2671

SHA512
5cc5ad89e37a17129482bcf66fff9c199787c0d28c4ab0fe65dbd3de71597ccc404f0f052619b1b0cd746c86b9b29f7eff369644059f07da0b22b2beb880f6c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\SYEM.exe

Filesize
116KB

MD5
9d2f04d274e00d7ebb584c9981c78675

SHA1
0b7f02a4834424990c3b96d3203086b09e7cec7d

SHA256
9fd679650015d59a39961b0bae5d540ec2ef4afa7267529def6a4dad209d1874

SHA512
cc4aaf8c21a50c6e80c6fad96c5743d494950797fb051bb71f5a114169c281b41d5bedcc127245dfe3ef97ed10ddb26329a671a300dc51bb7ffa4bb6c07c689b

Download Submit
C:\Users\Admin\AppData\Local\Temp\SoEg.exe

Filesize
1.7MB

MD5
27448553bbce595376cc509ea9321bad

SHA1
c33db60fb573e6493f8b390180c5f6312afa686a

SHA256
bee000f97893b8a12601316755d902fbeb87a894d6a0e8063a25c1efda90a80e

SHA512
91ad7ab0eeff6ff88dc213b5a0ba99994333223edd8a2cae1b78fa4de9fe4e15e3d4c7e55ed79916014472ae71771de984db008a2c20bb24a0db11338a7eb08d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ukwc.exe

Filesize
111KB

MD5
bad044b98772a328fa128b87bbc204e4

SHA1
997dd1349c5e498fd52d576ecddfd28fb2debc34

SHA256
2d1ca9b3feeb459439e778c519e2b3fdb0831eaa07f7aebcc571850cde1dc568

SHA512
ae9d2cb4b9daa11da9f05d64406c76800a2fcc9eaf51d8d3244d3f92653dbe64ce1c4885a91302a0ad6398875c40961c9c2f1173a93f420c7ee0386dc8e577c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\YUgk.exe

Filesize
111KB

MD5
dbb441989d66df19474ccb064dc5431f

SHA1
95c799f11b19b0361bebe5b616ef27ef56a1fa8f

SHA256
26b937e7ac6047f2ea0cddbbf28ddd7c34693e9e5a8c3f496560088a4f7d59ab

SHA512
4969c1f0b2db52527ed3d95701a91ed56c4c830e36229ea03655376a7f41c8f3363e17bd97a7f7ff5d5e7c9ec8d2198d1625c7e67e724d1cceb06aad6c7a0c38

Download Submit
C:\Users\Admin\AppData\Local\Temp\YUou.exe

Filesize
111KB

MD5
fbcc8b1c16a074b30582ab97cdbf6ee1

SHA1
bb31a03c7c467bc82035d8c1f742483cb0661ca9

SHA256
9659f024e6cfe60cb3ab90cc1a24fc52a472d3c305c05216606190afe020b479

SHA512
278936d3315f6240dd00dc2ae5c841d762c357e3d02b2b9a7d5d4da2d6c0bd437dd4280e8d2bea89219315730fc98aca11fec0cc4117b0bf75ac8e6e165e0dcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\YcQc.exe

Filesize
109KB

MD5
390f29fc68cae6283f78e0e7a3009b42

SHA1
e09ae57bfffc01064ffc7a89eb5c1280a05688e9

SHA256
a97c652f76f6ec9b3f9a9cc042d5fcab8f0c9f51e2417a59aab447683ce4dd1f

SHA512
0b5c5856eccb73f4cbd83d1bb6eefea65527ba4099f4f36ab7c48782bfcbb48a9682a12881934f75915332c04e5db428a76f5d7854034854940044a0607f9a01

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ykoe.exe

Filesize
905KB

MD5
03c0ce0a50aff86df630bccc6232e70b

SHA1
f532b027e30c0062847d1bcbcef3ccf0278af8f8

SHA256
d868c2f5f5352ea1b216aaa217063faf85ff580eb5a839d772f88be1d71c0ae0

SHA512
293744325ab50dcf7586224406c12fa52ed74f8010e9b22375c19eb163391d1216b4019e22099caca54eff54149a871b4bbd10591e58896ba4d23a12c94b52df

Download Submit
C:\Users\Admin\AppData\Local\Temp\aMcI.exe

Filesize
119KB

MD5
52f03059538db8e39f6fd5378561895a

SHA1
c4dc5f90b996ba4ef5801395dc983d3fa4f6c297

SHA256
0678b5b331f113d746c6e6ee76b166eb5c051fb5aa7b2b678752c1087f593b8b

SHA512
47cdd290e63c26de7d1c61e5db653a165b55ecf22cace293e72fd2abd6776283a6982a233e6d1fc60c711a42369461dd4eb90e120c0d9bd9563a54f6aa5a7e69

Download Submit
C:\Users\Admin\AppData\Local\Temp\asok.exe

Filesize
595KB

MD5
566caecb71e7b2b2ddbc1e5c285db21d

SHA1
54cbe03f386a217d67bc448c3a5659b3c7cb18c5

SHA256
3dd55b87993182d9f93ff626b6d6142d3e8a11c1873743e2d2eed8b42140a356

SHA512
7e90b3b082f56f2e243827abf73f45c3cceccde8ad49c88e2eaa5c7c6884ef1a94ec169c0e1c6158e7607a43d9d20e7ed8f7f2dd91dad1b8bbffcbf4e7838d1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\cQMO.exe

Filesize
110KB

MD5
a0faf90565d91b0d3d2d16cbae339d1f

SHA1
0428a4354096bbea4cfa8b897a9bd03c446740cf

SHA256
f287bf1f2bba43a64f7ea2f7b12dc3e297c12222459f1966aa15d9b7752f78de

SHA512
f2ba758f4b3635b996d6b3c0be801551556fdd148aa703c20aed06909eb08ec9755ecbbeef90fe596c296c50ff9361190cc6fefd305805985d667b437a4a3b98

Download Submit
C:\Users\Admin\AppData\Local\Temp\csEW.exe

Filesize
254KB

MD5
3ab7e306fd131165fabec757d5943992

SHA1
d601a1f55b7be3ef6054c5a33c482f243aa0c70a

SHA256
9001779dbcef0b4a0b89b12565032a0abbe9684b2902c13c286025e92bd4c64c

SHA512
bb2de96d88862c13faf6b58606accca5faad57ccb3cfce6423e6f13da9f2581e0e2ecff5a962d47be935ce19b4a9f5323c5185bf0d68946164ceb6a3f8d53ae6

Download Submit
C:\Users\Admin\AppData\Local\Temp\cwki.exe

Filesize
745KB

MD5
cef06b17582124edaa9d61100fc24263

SHA1
5b20e8cd229950863c22e425b580f793011049aa

SHA256
70f267941d87bae5000f7dd0a8cbbbfcc976b3f0bf9d39abe90a78d64c07679e

SHA512
525b0b9df7dcea3decfb3a4568d873784f713fe08eeaa8cf9268a47df3a31b1a5da4c7abc816fb0e7817818bb7e044cecc1aa5aee74c1558c5c1f232e0da04ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\eEka.exe

Filesize
697KB

MD5
de2d9a4eebec9d423df1e25cea01f5ec

SHA1
8dddf90b88be040ab3d40620bc14294f937c25f7

SHA256
99a3d7d3847e3789b86c4d6e2e4b7196bab4e970d25289f2ac7464ad5dadd231

SHA512
9e82e3d4975744284738f16a2164cd0422e3fe1b9f92e2db9c868c52b8f3c083d803ed731ef3eb85af5eaadffc5890d155fc21eb4fd2cbdf235285bdfe448c6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\eUYg.exe

Filesize
113KB

MD5
7ba75f798294fecf4868d63e6d65e6b6

SHA1
61f10229d638afb710ae5791bdce1e5a4102430d

SHA256
6e44e7d33e65e3f150c5a096686cfe28809e464ffd8a259387eae2ffd8c80724

SHA512
a9f96005a863ade247c15859d534f877e71c2ab15aa6ef1a173d9ed72d1047737e65bf16c69f2c159cbd7d10ed5f59c30aeed895b29e49d9954ed37648b9e3b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\eYUw.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\egAy.exe

Filesize
110KB

MD5
f681347a5068230000c1482dc2e3714b

SHA1
133456e6e9ce55d8755bfd78370d687711a47b92

SHA256
bc24b945d86c4c0c31419e285e805ba1eecbbaa2f7a63cc4ff68ff704683ed9f

SHA512
358c4430d008c8848d7f2978ddf693df22db092d13cbb8cf68d1cbe6ca2c98a2a47590a0463c69fee7b9dcedeea5dff8c118521aa608becfa0a92181b23a39d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ekcW.exe

Filesize
113KB

MD5
8c09b902fc9480c30d36fff201af6b53

SHA1
591aed7a6c81a71a332a61d3d4b4711a19272b96

SHA256
ff8cc1f7a224a38652b7b30d5b9bacee9236d4aa7ee6e6ea7321663ec0c82c2f

SHA512
fb72abfe8d0fa5dda9e1bb09e7e0df299543470dfec4a61894aa77b8cb24a7ae3b6ded44abb1cad050d983193f042d78322e4ca4ece22c9f1e7861a159154858

Download Submit
C:\Users\Admin\AppData\Local\Temp\esAi.exe

Filesize
139KB

MD5
4ed3a5813926cb3dfe66a7e203292baa

SHA1
f0f33a79849c3c7df7039e1492d07980f791fb44

SHA256
b3f417360c43aa9579ed2c1b5b8c5ad8d39f8a9836a13d33b735f383e7ce8b2d

SHA512
c04294a22805abcaa390bc07d78b4f0f5721ec30cca41e1031c15478cca9895295c8ddbd799a2275472b7b0676a995c6baa04dbc10712fe689b9958fb73bbd1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\esoC.exe

Filesize
237KB

MD5
5fe86c0ff220bc3ddd816b9690918f9e

SHA1
797ee56bd6312394ceaa808da517828442b6f892

SHA256
d370d7ce7dd0dcab9c0d9d6eb7c8c5793c79af1f732f1c9f9ecb3a2a3f0cefda

SHA512
9ac864557df928a6111a9dd7cce2dfabf5c6893272a276f9943f4f0211ffa8cb455847c69c007c296e7c8d3f5ff688c2ba04e1f2fdaa345b92eecefde040d33f

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gUYy.exe

Filesize
743KB

MD5
a3614e8a8eea6b87feaaac0e5b9bc597

SHA1
e2e8f40907a0743907af83fcfaebc9dadbb1e3bf

SHA256
434904b3d5820dc847f0c8e265f14ba932c45093b0eb6c59f4cc5d95a614cbd9

SHA512
eb10cec5d6a427347bea6b2b301cb8752da1adffb758357e4532a0e69519b60ef22a364c91f321b30170880056932e204a303782d61473f88c3d71b01768e2d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\gcgs.exe

Filesize
398KB

MD5
29bc9293bb29d7177c84606cba016f7e

SHA1
501436ae508714a3e811a493517c30352fb5c4e0

SHA256
ca23d1327a84d0d95d3d6452ceeb684d2604217ba6a17cd6500631e63233c6a3

SHA512
04d71ff1be819d643ccd6f9a321d97fc61f7a2e0c45cbe1290f5e979db62eeed064f78ae356ebfd70a380915cfc66f4acc96655af6642dfd00957648eb37d09b

Download Submit
C:\Users\Admin\AppData\Local\Temp\gkcm.exe

Filesize
121KB

MD5
46d93249b9817d4d402c9d8dbed08fcd

SHA1
8c9b3948d5aa87831cf71aaf0ba2f93111712b66

SHA256
cb3741cd6bdb54be593e0666286f3682be39ae44939e3f273f7ad2eaf8b84156

SHA512
df39c6527b5529edb6ce00624caf6f185873b3191f81c4cf3f884f3779954eca73710d499c5bca6d004ab7d85beebc1098ac2ca891de970aff207337e67f8b01

Download Submit
C:\Users\Admin\AppData\Local\Temp\gskU.exe

Filesize
114KB

MD5
194af1b0fe93317fdf368fb5f3de7dbc

SHA1
34623ce129f85c3b49c5eecf4ab735380dfd90d8

SHA256
0289c078c49f578e88dbb47e1732aad6bb4c7e7a4ea2db296d666eb5eab5c8b9

SHA512
d53f22678dd59a486d5373e478adb3805d36ae04f260e32dd1236b381b804b29ee09b72995c4e9e6ad05d2b93fb5a5b37a6aedf92392bcda6c59c4da7eeee737

Download Submit
C:\Users\Admin\AppData\Local\Temp\gwcM.exe

Filesize
719KB

MD5
16b8e7bb2efa805f4d07ea5612a90ee4

SHA1
e7786f7a00dbb68a0a737591cf8e9559b4689426

SHA256
4a355b2dfb4be58dc2a537dcd4729edd73ce54ae0a6330a56357a2b8b21ffe6b

SHA512
8cef8e9710b5f3b09e6c2c0af4f3f88063d4a98ec157884eb2e5ff0edc32f907a59c201e19f139b2587b3ecd474ce7e00339fcf5f2cffa78e0bb9ca2969dfa3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\iUIK.ico

Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\AppData\Local\Temp\iggu.exe

Filesize
148KB

MD5
970e0502d21c090bd67e12e037c2d00a

SHA1
c59abd03a8480eb53a7fe27c3afad8c92bdc69ce

SHA256
480219af2db94ab5315620857b6d1c2ac2792b8d9218dbef7a5c370c2a9e1d17

SHA512
2683de43ab6545449a8c00fd966d450e177915053fc397399726542486ab3f6334e8ac39df3332bd61d0c8090aea0a51e6183d3f4474a71555fb580bd01f7dcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\kYUm.exe

Filesize
116KB

MD5
604dfd9a87a617017688888867bb6f83

SHA1
7d35429ba0797a1630b22770d671a3e5396ddfda

SHA256
5117a569beaf86c7a5f8dc3390fa577a5a019af14fa86b04442555ae4810c3f5

SHA512
325866ba83f3c1682db57698b5ed20df83e5977bc0eea6bc171398748ae9f2147d7aee2118438338a496d77c7da87350d17c0ea6d62a188af8f112377a319147

Download Submit
C:\Users\Admin\AppData\Local\Temp\mIUsgggw.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\mQAW.exe

Filesize
116KB

MD5
26fbadd316a1ca86bc892ad6d66b9123

SHA1
3924b5f3adeb14d17d0fb8ed35fae1cf2946874e

SHA256
c264b568ede437b609caddbc2a957e9e519435d21a82ac4bcb626639d8c96c14

SHA512
64ebcece3920d66aeb4e66afb0b2210a49f7ca1330f1c54c0c71c9df84eb6adbfddeb2e086c47b3be8a4b5db3f16f496e4b7ec488a642447653ea79bcb2867bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\oEEg.exe

Filesize
370KB

MD5
ce174d06042275eba287ccdedd4f6c72

SHA1
fc4be1d266d2e9bf13f817f895ae41e62303b0fe

SHA256
b9c61922e8d61016c95245d426c7f0b434ae08e372fdb6777898a25b86d30956

SHA512
1a96e2bbaa1e372d738fc68cc4447b8df75bfbbd8d294fc8baa398fff5e6825aedb0dc6d27ff9d7dc6634103a40a5b74069c7e14f6be6c58ce3ad135b471aa51

Download Submit
C:\Users\Admin\AppData\Local\Temp\oUMK.exe

Filesize
139KB

MD5
ff3ebf3d80ff8ba0c3e9da3c69fb18d7

SHA1
3793c4be3881a0fe70006e472b70964cffec7b84

SHA256
9dd1ea6d5c20a5677f829e7206a1b58c21217304894e5e321e38ad939f2cb5cc

SHA512
49eb4f286e8ed9017f82f318741ed73667a274216faf89efef487c4ac9f19804e98b196d3cb061710604b1ba62c6a5a08c267059c11ee2351cdb9242a2e76361

Download Submit
C:\Users\Admin\AppData\Local\Temp\ocgY.exe

Filesize
112KB

MD5
26ded86f0f7d685d93eb5739350f7dab

SHA1
4576582c832814653bbb7857eff4d930330305b2

SHA256
0573443fde8839d793646be11487d8c1456b2427c220dce946ef1ea0a392c22e

SHA512
987ec73d7c7ec07cc89fa22b1c84726d46483d27fbb83bdc9739c0c8360a1d5921d9d4a51a722ff90f694a73774966929d6219e39a9693ba49cfe2fbee4160f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\osou.exe

Filesize
114KB

MD5
505eaed8b2582d1a9ea5884239053312

SHA1
70ea6b3e9391f876f37bef04173bb99c6d5cf22c

SHA256
baf48264f02ace981087e6e7d87ca9bcc49f0593507740b6daf185f25d7e2b03

SHA512
9f7083ad6949d4f2111a33b148cb0a1ca7355b6ae26dda1ec55e1bc3af34ee2d41bed531d303effac77b9190834dcabc0be6729fe2507cbf1bd8f37a8fa4928e

Download Submit
C:\Users\Admin\AppData\Local\Temp\qUUs.exe

Filesize
119KB

MD5
3703270efcae3c3f2e273e407ca450b4

SHA1
93fdefc056c8c16927738857e351bb904220e270

SHA256
1caafbc89bfee0041291d1e7ea127290949bdb439c8f0eeb361045733a5d72a9

SHA512
dbcf18914e78bc7b59ef16fb5d2ac32c9d49019d51deb74531fe1852d357273875853ce6179bb7f7d3d4194b073b12f0b8375835ad0ae79494b778e8b786b26a

Download Submit
C:\Users\Admin\AppData\Local\Temp\qYMc.exe

Filesize
110KB

MD5
bea48c36d1604d6feea909435fc4e411

SHA1
83b2ef3d62a328ba5db727d29b26d7e3731440b5

SHA256
32e343d566d0ee1b5b076ebfae084211b568df2334ffc4ab96fd0869e61cd59c

SHA512
1bdb1c43d78a5fcc60ec02ace2325effa76559fcaf7391a1725ef89ecd8bf8b856b46a3ae5982768c341316e657f8d9072ff895d52edae3acab69bbffc16ab5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\qYsY.exe

Filesize
699KB

MD5
f15b3334229596990ebc8d3d677d748e

SHA1
1de4a813ef7eca01e49131b781c3b37781039674

SHA256
b542d82d565dcc1071623ef841100fe8832737e24896aab5e2146a3e800f0486

SHA512
b337a84ff2c39aa560e192eb88420e75f7a44ddc1ca405e599a89230a48346032bf5dc4a57534096c29d545319685e10d4d733d03f682cfd969157bd59d13acb

Download Submit
C:\Users\Admin\AppData\Local\Temp\qgko.exe

Filesize
934KB

MD5
c39b5217dc699f85b51c948893a3f22d

SHA1
44a01ccc7a0c48fc73d434e0625d94ad1db129ca

SHA256
8f5539dcb9153c5b262c41fa4b7c8b12b73a741a7f7ad53464fef6bcb7c0385e

SHA512
8f48100b38e85ed19f63e7e76bdc498f548a4eaab6b1e4706900083cd6589ac18f09fc0c973ae6b33a9321c4ed7d97900eac9a17813b43f4a42bed3f13b19482

Download Submit
C:\Users\Admin\AppData\Local\Temp\qkIS.exe

Filesize
720KB

MD5
25e999a8e0b39e5cfb134a968cbd2842

SHA1
ec4db8e3e3d380453d0080ebe4bcc7147411d4ca

SHA256
b9c10a2ac3ca440a6e0e409aefdec31fb714790fedec42df6dad6a14ec9b1a3e

SHA512
c34a2f6fa59c06e2c57f1275d539c796266d7697837660809302da59af5ec7c09d3c3c11fb6ebf501f29948271b32e60a7232c99a0ad16178668093ec584769d

Download Submit
C:\Users\Admin\AppData\Local\Temp\qooa.ico

Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\sQAS.exe

Filesize
558KB

MD5
cf5b8c16771d7b7030738d588bb14ee6

SHA1
cfdc323452b670c436ae0d9ab1a0c84c3827475d

SHA256
3afd618665d61690d3342678bae169e5291b93d1386abd993e2fdbfd94a31be9

SHA512
8e81a984300f290a94bb815e6fe06c7305f268bab0975681104b8fad0ee6b11f0f6f02659d215c4504d857afcc9591ea44ae4834736422795fd4b65491ac4bb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ssgO.exe

Filesize
684KB

MD5
94067346a3924b3ca1130995151b78ea

SHA1
ad5a23ccfe21bc786c64bf64f39aca6c28e22ebf

SHA256
6e4f76c77e5ab62b866af877b517c7a46f1a43e749c87a180f796272c930397a

SHA512
4246590cad7a99a0ed992bc49801c88cce9d953ef188dc1e0027c6286a9d600348f94d595fb3138015d5b365b57198b72b48b9553141b2f7128f096f5a6e18eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\sskU.exe

Filesize
116KB

MD5
a14b62b2df85651789fc3d73e1f9d82b

SHA1
ce4e72e895bf8249d5e9e1a27f4accc151f5dc8b

SHA256
a34c203d2a90a2d969688bf79aaedee154871fb06241bda74426296a2208fa26

SHA512
b42cfdd4255f734ecd9a0c1d733420070994d7e6686742da66040bb631ad00994802dd7f6bb99959a69e7769909167675ed8e628a56f1abb8be27acfdc56bfdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\ssky.exe

Filesize
110KB

MD5
7bf6e13f8917876587c49d088b5b1631

SHA1
adb6825a58552fe4c108b3655d4804701ba7971d

SHA256
3f70b7a973c88050120042af045df4babb17f7ade4fe799e5d44a63be6976754

SHA512
469aa3ca0e5a41655d14979c5463cf05a5c5b14147b68fe576b907660bf7b03c0f29f548a7e11172951175dbdde5f763fdd83c62af0cb406f464307f5cc32381

Download Submit
C:\Users\Admin\AppData\Local\Temp\uAwC.exe

Filesize
1.0MB

MD5
33bf49da4068cc066243281aef055c1a

SHA1
e8704714c40dfa895d427189463581158e17a9ca

SHA256
d79c4de53eb523d95a5658d9e301daf15f8495853d6f741dd90ba454b579bcce

SHA512
4fa9c4bbd9cd3f22b2d176e2c2759655e65ea697a036d2f5ad0c4612e361eb79ef10dbf85d2b364d18508333f196098f92c338511033e82b5f15c44fa18278ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\uQMg.exe

Filesize
112KB

MD5
a90d7f8e59fd18f27172ba0f0cfc34a9

SHA1
7088e6d2f6d53a5d76279c050dbcce106ed9cd7a

SHA256
6f63bb4dc9ca10ac5f797eade13615a6fbd077f7749bde627ed2b9f1f5d4810e

SHA512
7f23650745c12ae167fd80a04f9599dde32a28457b48afb926dd490cd5e12b771d588fb716993e2339bd8be9f9a35588f2038aab0c791f29d421dbf9c0b029a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\wAYu.exe

Filesize
270KB

MD5
9bd82bc1dcbd25d0b1a405f5df02ad27

SHA1
9ff181167ea69165d56f587b27f88eb6669e1ce8

SHA256
77a1c87aa97e5d9de5cdbc87418fb3d9f2a4a85187a81dc041c83c4602c9c611

SHA512
fba9345c7bbc6415a385a805bb395a34472e704a9398141ee4a26b08452c96c0bc07c9faee739041d40bb5b968f3de4ed6459372f11b265aab3dfd3275c3cc26

Download Submit
C:\Users\Admin\AppData\Local\Temp\wIMC.exe

Filesize
120KB

MD5
41685edcc0f0c8a64e23308ee007a63d

SHA1
f75a3e9344bbf9835bbeb9f1474bfa3ce6321b9a

SHA256
fb3c63d6e4e0fad7254d8a3453e03c153eff5cd0eb9f1e8bc49c76e7aad5b186

SHA512
2eb3c43a1c4aa6ebddaf0574c46124a8a3265ea198b3d70e7a972f87e10e281b641eaa4797ca8405d053462658def04a489fbf9ce19066e981b976acfa5d2fbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\wIsW.exe

Filesize
433KB

MD5
f2c21669e6127842c4b8bea2238cfc61

SHA1
10205349a2444517fc13c2a54900c698a62cd8e8

SHA256
98de68b8b3f165258b4febd191bc46e177dc691df11dfe452a505b817e9cd992

SHA512
0125164b71ae748c92495b8c3b138ad0cbc0bd30dad71badada4608204a8f581bde45a063aaab53dc25c1b1a2b44eadecda2854b5127439634cecb0ae5582dac

Download Submit
C:\Users\Admin\AppData\Local\Temp\wMkE.exe

Filesize
484KB

MD5
5a64309d96c092de029c3c2d209056a1

SHA1
d1744afb0e73da9bb62f2ed9e60d54faa5c720b2

SHA256
ec9d48f8ae6f130f5ec4fb7c1b176cb7179b316b9a8f93711988f7c0249be419

SHA512
84772ad53b1aa4e7e995670c99ca33649b752dd059b9de9e4112abfd4739faeaabee475190ce447c529dc10b49078bc50fd89113512df29128a64ddd64d1bff1

Download Submit
C:\Users\Admin\AppData\Local\Temp\wQcu.exe

Filesize
110KB

MD5
e97721e59e43bb274dbac80c76f3dba9

SHA1
c7fc02a02d72df3cf6935af8ef5cf1293ed1c046

SHA256
ba38c63502a61d8db5df3b2ad9888738316781f172a3db66f567eb3c01790e7d

SHA512
c9d923ff0a9b2a3957fedc637a56c5539a45583ddba98a77139ba620eb27cc0d141b82a85978d8bf8dc2e14963c363e95b8f24a968a0df5d1b18aecd774ed976

Download Submit
C:\Users\Admin\AppData\Local\Temp\wcwU.exe

Filesize
140KB

MD5
a85bc2fe096818b7763d4e7038a0bcce

SHA1
3e3ceb7c7c6cb22b549a91db67ade28c7103bb87

SHA256
c707dee0b2bac4685a50ed6f40fa9aaa404c07fe0e96ec1e3ef5cd9592824ffc

SHA512
e6515a5e21d6437ec111479cb76dca20cea26aa3c92bede181b2b670378ff0c69384de4855868c0118d1c07d0709c253af66a8491f1c84636cb6a7c55bdc5d3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\yMQC.exe

Filesize
111KB

MD5
8181055367e08d2ae1ccda9cdb27ff06

SHA1
be618a7042fde60227a731e3c345cff9133d689c

SHA256
e80e39cd29c8228e96aa2bfc9b37b401a0e8c691436f9f2d8fe36fbadebbfa6c

SHA512
f09684533bff8a345e5b6540e43412a185dee085750a7ea23ed039875f14b569d27412c24d1cdc0bd4c5323bb6d9cd7c4f3be2a185312422b564abf3786a5ddd

Download Submit
C:\Users\Admin\AppData\Local\Temp\yMwk.ico

Filesize
4KB

MD5
7ebb1c3b3f5ee39434e36aeb4c07ee8b

SHA1
7b4e7562e3a12b37862e0d5ecf94581ec130658f

SHA256
be3e79875f3e84bab8ed51f6028b198f5e8472c60dcedf757af2e1bdf2aa5742

SHA512
2f69ae3d746a4ae770c5dd1722fba7c3f88a799cc005dd86990fd1b2238896ac2f5c06e02bd23304c31e54309183c2a7cb5cbab4b51890ab1cefee5d13556af6

Download Submit
C:\Users\Admin\AppData\Local\Temp\yUAG.exe

Filesize
111KB

MD5
fe3a616502d16774a06018a5ba43a679

SHA1
9f73f2cd5549de3fe878acbdb6891294e2303a89

SHA256
988b568cb43c86391d4b2303e0b9a0d915c9a14e1f33eaa9e0c6b29fd9f7623b

SHA512
cfec9ab3b3de8f082c4a941d604689141e1a8ed33c57061310c14037ad4e1d75e5b02a6e1f527802949100a53e458ca72583ca280a1f47db81624d3666cacce6

Download Submit
C:\Users\Admin\AppData\Local\Temp\yYwm.exe

Filesize
109KB

MD5
cd05e3e3cc9809aa05538c583eae27d2

SHA1
694aaf9c02f2d13dafacc24f87e99cc0ddda1ecb

SHA256
292f11d937fbcfa7b0b2d8af69a8be74b8abe5466502b4e582d5aaeac4902789

SHA512
26e762f1807385e051872c40096603e5b3e6f9c0f43d3ac5991256777dbc57356bc3ebb1013b887ef2d1d4d37cfa711acb9f1e6d4d966d2b28ae63b0b3794f14

Download Submit
C:\Users\Admin\AppData\Local\Temp\ygsK.exe

Filesize
110KB

MD5
d60fd6e33c80081e977e810594f24c35

SHA1
0989c3dd601543ba131252ef9eed0434d0599766

SHA256
47a62abb167af905e456a501c5102fcf5bc27c2a95e9128b0e51d42aff89ee74

SHA512
4099d16261dfd7fc32a532e8e10880f28cc3f24620c2c70f4dab5e621b6e1f01366f8f8c83435645fdf6a62d597c1616470787c41723d3cfc1bb844a976f7570

Download Submit
C:\Users\Admin\AppData\Local\Temp\ykYE.exe

Filesize
117KB

MD5
a7979696da47ecf242f17f760b60dc23

SHA1
9eb9b2f411b69ccef5c56f8d29083b5ce668f1f8

SHA256
c72cd230a7a9c40fd99e117fdf68a31a58a18e7c7b25462895cf2dba433e142b

SHA512
b3631cf044095018c0e895f1f7161bc753205eb5f12835cd7c44de324cab407f1f256e7e706cbd274aac0d2c039226d6a278c7d1d93066c97418cfbe39b54476

Download Submit
C:\Users\Admin\Music\MountUse.zip.exe

Filesize
401KB

MD5
746661ed17886bb66da5f5f263b9d128

SHA1
d9264814ae9871e5268f0c95aaafeb8ef4a4e965

SHA256
688f8276888d88eeaa5f4094ac8b2cb4cb8f6ee0e6b8b56ca518e170d7c9473f

SHA512
e8b64eb7e9a96e75208e63ab388c91d8562b7d0c6b7f87c8de4acb39bf8c4f45530e78e9807b57b27cdb418e609ab5a256dfae201dd386ca5a083ecbd0ec472f

Download Submit
C:\Users\Admin\Music\RedoStop.jpg.exe

Filesize
258KB

MD5
fa81061d1ba0034c0f32406c292cccca

SHA1
0e41a6741dc4f8fab21899d259573ad32b0fb020

SHA256
526a3cf68ca43c9c8a4464ed14532c0abac1fc950cee177cb91bef66260c7870

SHA512
3220582392c79680054c71c8826dc168d62b0e93ad3e13f33d852b9727f436702ae9908782017ec51f33d08efe9480c43aa1ebc872884fd05b7cb0143745a08b

Download Submit
C:\Users\Admin\OMQggIQw\PSAgQEIY.exe

Filesize
110KB

MD5
4ead64688e838be2fa79cc268f4a0796

SHA1
1d0b5d485b333dcf0a8a97015bc5713a069b7a9c

SHA256
3e8c56136a2ea46a2419caad54a9dff95730a0946f0b87ef34275e05b0411b6d

SHA512
1cd9dffebfbaa9c7c61c9f47685ffacf34160c1294244ec81696c8541cbf15575a225fe8d7d2ad4fdd141a5ea5896b6f178bd26f398e049760c4997290915b8f

Download Submit
C:\Users\Admin\Pictures\My Wallpaper.jpg.exe

Filesize
133KB

MD5
c684f71b23f21bfbd9b75e22052937b6

SHA1
96cfc5e1f543e53803ee3d6daa717708a898d83a

SHA256
2e6779aed7f9392045127b095128f9bcda9362087963183e672775fc769b12b6

SHA512
e91f60514f65b147d4b28e4963e0a6b7d5dce05f63a2a6063d3766018ca032c2e10f87c7a54fbc306ed2e502314b722243934e27ade11b5bea721d77b7313a39

Download Submit
memory/216-484-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/216-53-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/240-1758-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/244-962-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/324-143-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/416-1089-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/416-706-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1104-64-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1108-1040-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1108-460-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1252-425-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1372-392-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1388-565-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1504-278-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1520-401-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1520-393-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1568-861-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1584-1809-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1660-294-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1664-1434-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1664-1516-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1664-120-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1700-367-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1952-262-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2184-1796-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2184-1873-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2224-1300-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2232-319-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2244-492-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2332-343-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2340-351-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2344-451-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2364-1217-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2368-417-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2420-165-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2532-476-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2552-1659-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2552-1594-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2596-286-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2620-7-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2692-376-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2692-384-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2716-86-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2716-246-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2716-235-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2984-375-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3428-132-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3428-121-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3568-443-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3568-435-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3772-176-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3980-1593-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3992-302-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4052-20-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4052-31-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4112-187-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4188-212-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4188-223-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4228-75-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4400-1889-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4404-770-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4404-1139-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4436-154-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4448-1723-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4448-1658-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4448-270-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4460-862-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4460-885-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4484-643-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4544-42-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4576-97-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4596-211-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4596-200-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4628-327-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4652-234-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4756-15-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/4816-515-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4836-188-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4836-456-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4836-468-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4836-1452-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4836-199-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4872-409-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4876-303-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4876-311-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4876-426-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4876-434-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4908-359-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5004-19-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5004-1324-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5004-0-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5004-1387-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5044-254-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5052-335-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5072-98-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5072-109-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download